doc/user/application_security/sast/analyzers.md
{{< details >}}
{{< /details >}}
{{< history >}}
{{< /history >}}
Static application security testing (SAST) uses analyzers to detect vulnerabilities in source code. Each analyzer is a wrapper around a scanner, a third-party code analysis tool.
The analyzers are published as Docker images that SAST uses to launch dedicated containers for each analysis. We recommend a minimum of 4 GB RAM to ensure consistent performance of the analyzers.
SAST default images are maintained by GitLab, but you can also integrate your own custom image.
For each scanner, an analyzer:
SAST supports the following official analyzers:
gitlab-advanced-sast, providing cross-file and cross-function taint analysis and improved detection accuracy. Ultimate only.kubesec, based on Kubesec. Off by default; see Enabling KubeSec analyzer.pmd-apex, based on PMD with rules for the Apex language.semgrep, based on the Semgrep OSS engine with GitLab-managed rules.sobelow, based on Sobelow.spotbugs, based on SpotBugs with the Find Sec Bugs plugin (Ant, Gradle and wrapper, Grails, Maven and wrapper, SBT).Official analyzers are released as container images, separate from the GitLab platform. Each analyzer version is compatible with a limited set of GitLab versions.
When an analyzer version will no longer be supported in a future GitLab version, this change is announced in advance. For example, see the announcement for GitLab 17.0.
The supported major version for each official analyzer is reflected in its job definition in the SAST CI/CD template. To see the analyzer version supported in a previous GitLab version, select a historical version of the SAST template file, such as v16.11.0-ee for GitLab 16.11.0.
The following GitLab analyzers have reached End of Support status and do not receive updates. They were replaced by the Semgrep-based analyzer with GitLab-managed rules.
After you upgrade to GitLab 17.3.1 or later, a one-time data migration automatically resolves findings from the analyzers that reached End of Support. This includes all of the analyzers listed below except for SpotBugs, because SpotBugs still scans Groovy code. The migration only resolves vulnerabilities that you haven't confirmed or dismissed, and it doesn't affect vulnerabilities that were automatically translated to Semgrep-based scanning. For details, see issue 444926.
| Analyzer | Languages scanned | End Of Support GitLab version |
|---|---|---|
| Bandit | Python | 15.4 |
| Brakeman | Ruby, including Ruby on Rails | 17.0 |
| ESLint with React and Security plugins | JavaScript and TypeScript, including React | 15.4 |
| Flawfinder | C, C++ | 17.0 |
| gosec | Go | 15.4 |
| MobSF | Java and Kotlin, for Android applications only; Objective-C, for iOS applications only | 17.0 |
| NodeJsScan | JavaScript (Node.js only) | 17.0 |
| phpcs-security-audit | PHP | 17.0 |
| Security Code Scan | .NET (including C#, Visual Basic) | 16.0 |
| SpotBugs | Java only<sup>1</sup> | 15.4 |
| SpotBugs | Kotlin and Scala only<sup>1</sup> | 17.0 |
Footnotes:
For an analyzer to be considered generally available, it is expected to minimally support the following features:
{{< details >}}
{{< /details >}}
Post analyzers enrich the report output by an analyzer. A post analyzer doesn't modify report content directly. Instead, it enhances the results with additional properties, including:
In addition to the GitLab Advanced SAST analyzer, GitLab also provides a Semgrep-based analyzer that covers multiple languages. GitLab maintains the analyzer and writes detection rules for it. These rules replace language-specific analyzers that were used in previous releases.
The Vulnerability Management system automatically moves vulnerabilities from the old analyzer to a new Semgrep-based finding when possible. For translation to the GitLab Advanced SAST analyzer, refer to the GitLab Advanced SAST documentation.
When this happens, the system combines the vulnerabilities from each analyzer into a single record.
But, vulnerabilities may not match up if:
This can interfere with automatic translation by preventing necessary identifiers from being recorded for each vulnerability.
If a vulnerability doesn't match:
Use CI/CD variables
in your .gitlab-ci.yml file to customize the behavior of your analyzers.
You can use a custom Docker registry, instead of the GitLab registry, to host the analyzers' images.
Prerequisites:
[!note] This variable affects all Secure analyzers, not just the analyzers for SAST.
To have GitLab download the analyzers' images from a custom Docker registry, define the prefix with
the SECURE_ANALYZERS_PREFIX CI/CD variable.
For example, the following instructs SAST to pull my-docker-registry/gitlab-images/semgrep instead
of registry.gitlab.com/security-products/semgrep:
include:
- template: Jobs/SAST.gitlab-ci.yml
variables:
SECURE_ANALYZERS_PREFIX: my-docker-registry/gitlab-images
You can disable all default SAST analyzers, leaving only custom analyzers enabled.
Prerequisites:
To disable all default analyzers, set the CI/CD variable SAST_DISABLED to "true" in your
.gitlab-ci.yml file.
Example:
include:
- template: Jobs/SAST.gitlab-ci.yml
variables:
SAST_DISABLED: "true"
Analyzers are run automatically according to the source code languages detected. However, you can disable select analyzers.
Prerequisites:
To disable select analyzers, set the CI/CD variable SAST_EXCLUDED_ANALYZERS to a comma-delimited
string listing the analyzers that you want to prevent running.
For example, to disable the spotbugs analyzer:
include:
- template: Jobs/SAST.gitlab-ci.yml
variables:
SAST_EXCLUDED_ANALYZERS: "spotbugs"
You can provide your own analyzers by defining jobs in your CI/CD configuration. For
consistency with the default analyzers, you should add the suffix -sast to your custom
SAST jobs.
This example shows how to add a scanning job that's based on the Docker image
my-docker-registry/analyzers/csharp. It runs the script /analyzer run and outputs a SAST report
gl-sast-report.json.
Define the following in your .gitlab-ci.yml file:
csharp-sast:
image:
name: "my-docker-registry/analyzers/csharp"
script:
- /analyzer run
artifacts:
reports:
sast: gl-sast-report.json