GitLab Advanced SAST - Gitlabhq

Tier: Ultimate
Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated

Introduced in GitLab 17.1 as an experiment for Python.
Support for Go and Java added in 17.2.
Changed from experiment to beta in GitLab 17.2.
Support for JavaScript, TypeScript, and C# added in 17.3.
Generally available in GitLab 17.3.
Support for Java Server Pages (JSP) added in GitLab 17.4.
Support for PHP added in GitLab 18.1.
Support for C/C++ added in GitLab 18.6.

GitLab Advanced SAST is a static application security testing (SAST) analyzer that uses cross-function and cross-file taint analysis to detect complex vulnerabilities with fewer false positives than traditional SAST.

GitLab Advanced SAST is an opt-in feature. When enabled, GitLab Advanced SAST scans all supported language files using its predefined ruleset. The Semgrep analyzer does not scan these files. An automated transition process removes duplicate findings when both analyzers detect the same vulnerability.

<i class="fa-youtube-play" aria-hidden="true"></i> For an overview of GitLab Advanced SAST and how it works, see GitLab Advanced SAST: Accelerating Vulnerability Resolution.

For a product tour, see the GitLab Advanced SAST product tour.

Features

Feature	SAST	Advanced SAST
Depth of Analysis	Limited ability to detect complex vulnerabilities; analysis is limited to a single file, and (with limited exceptions) a single function.	Detects complex vulnerabilities using cross-file, cross-function taint analysis.
Accuracy	More likely to create false-positive results due to limited context.	Creates fewer false-positive results by using cross-file, cross-function taint analysis to focus on truly exploitable vulnerabilities.
Remediation Guidance	Vulnerability findings are identified by line number.	Detailed code flow view shows how the vulnerability flows through the program, allowing for faster remediation.
Works with GitLab Duo Vulnerability Explanation and Vulnerability Resolution	Yes.	Yes.
Language coverage	More expansive.	More limited.

Turn on GitLab Advanced SAST

Follow these steps to turn on GitLab Advanced SAST in your project.

Prerequisites:

The Maintainer or Owner role for the project.
Turn on the standard SAST analyzer. For details, see SAST prerequisites.
For GitLab Self-Managed, use a supported GitLab version:
- Minimum version: GitLab 17.1 or later
- Recommended version: GitLab 17.4 or later (includes code-flow view, vulnerability deduplication, and updated templates)
- Template compatibility:
  - Stable template: GitLab 17.3 or later
  - Latest template: GitLab 17.2 or later
  - Do not mix stable and latest templates in the same project

Turn on GitLab Advanced SAST:

In the top bar, select Search or go to and find your project.
Go to Build > Pipeline editor.
Create or edit your .gitlab-ci.yml file.
Add the appropriate variable to enable Advanced SAST:
- For all supported languages except C/C++: GITLAB_ADVANCED_SAST_ENABLED: 'true'
- For C/C++: GITLAB_ADVANCED_SAST_CPP_ENABLED: 'true'
Select the Validate tab, then select Validate pipeline.

The message Simulation completed successfully confirms the file is valid.
Select the Edit tab.
Complete the fields.
Select the Start a new merge request with these changes checkbox, then select Commit changes.
Complete the fields according to your standard workflow, then select Create merge request.
Review and edit the merge request according to your standard workflow, then select Merge.

At this point, GitLab Advanced SAST is enabled in your pipeline. Supported source code is scanned for vulnerabilities when a pipeline runs. The corresponding job appears in the test stage in your pipeline.

After completing these steps, you can:

Learn more about how to evaluate the vulnerability results.
Review optimization tips.
Plan a rollout to more projects.

Vulnerability results

GitLab Advanced SAST vulnerabilities include detailed information to help you assess and remediate security issues. Each vulnerability shows:

Description: Explains the cause of the vulnerability, its potential impact, and recommended remediation steps.
Status: Indicates whether the vulnerability has been triaged or resolved.
Severity: Categorized into six levels based on impact. Learn more about severity levels.
Location: Shows the filename and line number where the issue was found. Selecting the file path opens the corresponding line in the code view.
Code flow: The path the data takes from the user input (source) to the vulnerable line of code.
Scanner: Identifies which analyzer detected the vulnerability.
Identifiers: A list of references used to classify the vulnerability, such as CWE identifiers, and the IDs of the rules that detected it.

SAST vulnerabilities are named according to the primary Common Weakness Enumeration (CWE) identifier for the discovered vulnerability. For more information on SAST coverage, see SAST rules.

View results

Prerequisites:

The Security Manager, Developer, Maintainer, or Owner role for the project.

To view vulnerabilities in your pipeline:

In the top bar, select Search or go to and find your project.
In the left sidebar, select Build > Pipelines.
Select the pipeline.
Select the Security tab.
Either download results, or select a vulnerability to view its details (Ultimate only).

Code flow

Introduced in GitLab 17.3 with several flags. Enabled by default.
Enabled on GitLab Self-Managed and GitLab Dedicated in GitLab 17.7.
Generally available in GitLab 17.7. All feature flags removed.

For specific types of vulnerabilities, GitLab Advanced SAST provides code flow information. A vulnerability's code flow is the path the data takes from the user input (source) to the vulnerable line of code (sink), through all assignments, manipulation, and sanitization. This information helps you understand and evaluate the vulnerability's context, impact, and risk. Code flow information is available for vulnerabilities that are detected by tracing input from a source to a sink, including:

SQL injection
Command injection
Cross-site scripting (XSS)
Path traversal

The code flow information is shown the Code flow tab and includes:

The steps from source to sink.
The relevant files, including code snippets.

Optimization

To optimize GitLab Advanced SAST, use any of the following methods:

Exclude paths
Multi-core scanning
Diff-based scanning
Report unverified vulnerabilities
Incremental scanning

If scans still run longer than expected, see troubleshooting.

Exclude paths

You can exclude paths to optimize performance by focusing on only relevant repository content.

Prerequisites:

The Maintainer or Owner role for the project.

To exclude paths:

List the excluded paths in the SAST_EXCLUDED_PATHS CI/CD variable.

When excluding paths, be selective to avoid hiding vulnerabilities. Common candidates for exclusion include the following:

Database migrations
Unit tests
Dependency directories, such as node_modules/
Build directories

Use multi-core scanning

Multi-core scanning is enabled by default in GitLab Advanced SAST (analyzer version v1.1.10 and later). You can increase the runner size to make more resources available for scanning. For self-managed runners, you must customize the --multi-core flag in the security scanner configuration.

Diff-based scanning

Introduced in GitLab 18.5 with a flag named vulnerability_partial_scans. Disabled by default.
Enabled on GitLab.com, GitLab Self-Managed and GitLab Dedicated in GitLab 18.5.
Generally available in GitLab 18.6. Feature flag vulnerability_partial_scans removed.

Diff-based scanning analyzes only the files modified in a merge request, along with their dependent files. This targeted approach reduces scan times and delivers faster feedback during development.

To ensure complete coverage, a full scan runs on the default branch after the merge request is merged.

Diff-based scanning is supported in both merge request pipelines and branch pipelines, under the following conditions:

Merge request pipelines: Diff-based scanning occurs when GitLab Advanced SAST is configured to run on merge request pipelines.
Branch pipelines: Diff-based scanning occurs when there is exactly one open merge request associated with the branch. If there are none or more than one, the scan falls back to a full scan because it cannot determine which commit the branch should be diffed against.

When diff-based scanning is active:

Only files that were modified or added in the merge request, along with their dependent files, are scanned.
The job log includes the output: Running differential scan. (If inactive, it outputs: Running full scan.)
In the merge request security widget, a dedicated Diff-based tab shows relevant scan findings.
In the pipeline security tab, an alert labeled Partial SAST report indicates that only partial findings are included.

Diff-based scanning has the following known issues:

False negatives and positives: Diff-based scanning may not capture the full call graph in the scanned files, which can lead to missed vulnerabilities (false negatives) or resurfacing of resolved ones (false positives). This trade-off reduces scan times and provides faster feedback during development. For comprehensive coverage, a full scan always runs on the default branch.
C/C++ header file coverage: Diff-based scanning does not fully support C/C++ header files. Vulnerabilities that span both header and source files can be detected, but those located entirely in header files might not be.
Fixed vulnerabilities not reported: To avoid misleading results, fixed vulnerabilities are excluded in diff-based scanning. Because only a subset of files is analyzed, the complete call graph is not available, making it impossible to confirm if a vulnerability has been fixed. A full scan always runs on the default branch after the merge, where fixed vulnerabilities are reported. As a result, any potential gaps from diff-based scanning are mitigated by the full scan that runs automatically on merges to the default branch, ensuring comprehensive coverage. This layered approach balances fast feedback loops during development with thorough security analysis before code reaches production.

Turn on diff-based scanning

You can turn on diff-based scanning to optimize performance by focusing on only the changes in the merge request.

Prerequisites:

The Maintainer or Owner role for the project.

To turn on diff-based scanning in merge request pipelines:

Set the ADVANCED_SAST_PARTIAL_SCAN CI/CD variable to differential in the project's .gitlab-ci.yml file.

Dependent files

To avoid missing cross-file vulnerabilities beyond the modified files, diff-based scanning includes their immediate dependents. This reduces false negatives while maintaining fast scans, though it may produce imprecise results in deeper dependency chains.

The following files are included in the scan:

Modified files (files changed or added in the merge request)
Dependent files (files that import the modified files)

This design helps detect cross-file data flows, such as tainted data moving from a modified function to a caller that imports it.

Files imported by modified files are not scanned because they typically do not impact the behavior or data flow of the modified code.

For example, consider a merge request that modifies file B:

If file A imports file B, files A and B are scanned.
If file B imports file C, only file B is scanned.

Report unverified vulnerabilities

Status: Beta

Introduced in GitLab 18.11 as a beta.

GitLab Advanced SAST uses taint analysis to trace data flows from untrusted sources to vulnerable sinks. By default, the analyzer only reports a vulnerability when it can trace a complete path, which prioritizes accuracy over coverage. To detect more potential data flows, you can enable unverified vulnerabilities. This feature reports findings even when a complete data flow path cannot be established, which increases coverage but may also increase the number of false positives.

When you enable unverified vulnerability reporting, the analyzer also reports findings where a partial taint flow was detected but could not be fully verified from source to sink. These near-miss findings help you identify and proactively fix risky code before it becomes exploitable. Unverified findings are only reported for rules with a security severity of Medium or higher.

Unverified findings are clearly distinguished from fully verified vulnerabilities in the following ways:

In the pipeline Security tab, the vulnerability description begins with an (Unverified) prefix.
In the Vulnerability report, unverified findings are similarly prefixed.
In the Code flow view, unverified vulnerabilities have no source node. The first node in the flow is a Trace Entry Point, indicating where the partial trace begins.

Turn on unverified vulnerability reporting

To include unverified findings in scan results, set the REPORT_UNVERIFIED_VULNS CI/CD variable to a truthy value in your .gitlab-ci.yml file:

yaml

gitlab-advanced-sast:
  variables:
    REPORT_UNVERIFIED_VULNS: "true"

[!warning] Enabling unverified vulnerability reporting can significantly increase the number of findings generated by the analyzer. These findings are stored in the vulnerability database and may impact vulnerability management workflows, including triage effort and reporting.

Incremental scanning

Introduced in GitLab 18.11.

Incremental scanning caches taint signature analysis results between pipeline runs. On subsequent scans, unchanged code reuses cached signatures instead of being reanalyzed, while changed or new code is fully analyzed. This reduces scan times on large codebases where most files don't change between commits.

Incremental scanning works like this:

First scan (cold run): The analyzer performs a full analysis and creates a cache of taint signatures. The cache is stored as a CI artifact (ts-cache.sqlite.gz).
Subsequent scans (warm runs): The analyzer searches previous commits for a successful pipeline containing a cache artifact. If found, the cache is fetched and unchanged results are reused. After the scan completes, the updated cache is stored as a new artifact.

Cache invalidation

The cache is invalidated to ensure accuracy while maximizing reuse:

Partial invalidation: only affected entries are recomputed, the rest of the cache is reused:

New or changed files: When a file is added, modified, deleted, or renamed, its cached signatures are invalidated and recomputed on the next scan.
New or changed rules: When detection rules are added or modified, only those specific rules are recomputed against the codebase.

Full invalidation: the entire cache is rebuilt:

Engine changes: When engine-level changes make the existing cache incompatible, a new cache is generated automatically from a full scan.

Turn on incremental scanning

Prerequisites:

The Maintainer or Owner role for the project.

To turn on incremental scanning:

Set the GITLAB_ADV_SAST_INCR_SCAN CI/CD variable to true in the project's .gitlab-ci.yml file:
yaml
```
gitlab-advanced-sast:
  variables:
    GITLAB_ADV_SAST_INCR_SCAN: "true"
```

Configure cache retention

The SAST CI/CD template stores the cache artifact with a default expiry of 3 days. The GITLAB_ADV_SAST_INCR_SCAN_SEARCH_PERIOD variable controls how far back the analyzer searches for a cache artifact (default: 3 days).

These two values should be aligned. The search period should not exceed the artifact expiry, or the analyzer may search for artifacts that have already expired.

To customize both values, override the artifacts:expire_in and set the search period variable:

yaml

gitlab-advanced-sast:
  variables:
    GITLAB_ADV_SAST_INCR_SCAN: "true"
    GITLAB_ADV_SAST_INCR_SCAN_SEARCH_PERIOD: "7 days"
  artifacts:
    paths:
      - gl-sast-report.json
      - ts-cache.sqlite.gz
    expire_in: 7 days

The search period supports a number followed by d, day, or days (for example, 7 days, 14d).

Configure custom job name

The analyzer uses the CI/CD job name to identify which job's artifacts contain the cache. If you rename the gitlab-advanced-sast job, set GITLAB_ADV_SAST_INCR_SCAN_CUSTOM_JOB_NAME to the custom name so the cache lookup finds the correct job:

yaml

my-custom-sast-job:
  variables:
    GITLAB_ADV_SAST_INCR_SCAN: "true"
    GITLAB_ADV_SAST_INCR_SCAN_CUSTOM_JOB_NAME: "my-custom-sast-job"

Cache size limits

The cache is stored as a compressed CI/CD artifact. Artifact size limits apply:

GitLab.com: 1 GB maximum artifact size.
GitLab Self-Managed: 100 MB default maximum artifact size. An administrator can adjust this limit in CI/CD settings.

Roll out

After you are confident in GitLab Advanced SAST results for one project, extend it to additional projects and groups. You should create a shared CI/CD configuration that includes GitLab Advanced SAST and enforce it across the desired groups and projects.

For more details, see Security configuration.

Vulnerability detection criteria

GitLab Advanced SAST uses cross-file, cross-function scanning with taint analysis to trace the flow of user input into the program. This ensures that injection vulnerabilities, such as SQL injection and cross-site scripting (XSS), are detected even when they span multiple functions and files.

The analyzer only reports taint-based vulnerabilities when there is a verifiable flow that brings untrusted user input from a source to a point where untrusted data could cause security vulnerabilities. This approach minimizes noise compared to other products that may report vulnerabilities with less validation.

Detection emphasizes input that crosses trust boundaries, like values sourced from HTTP requests, but excludes command-line arguments, environment variables, or other inputs typically provided by the user operating the program.

For details of which types of vulnerabilities GitLab Advanced SAST detects, see GitLab Advanced SAST CWE coverage.

Transitioning from Semgrep to GitLab Advanced SAST

When you migrate from Semgrep to GitLab Advanced SAST, an automated transition process deduplicates vulnerabilities. This process links previously detected Semgrep vulnerabilities with corresponding GitLab Advanced SAST findings, replacing them when a match is found.

After enabling Advanced SAST scanning in the default branch when a scan runs and detects vulnerabilities, it checks whether any of them should replace existing Semgrep vulnerabilities based on the following conditions.

Conditions for deduplication

Matching Identifier:
- At least one of the GitLab Advanced SAST vulnerability's identifiers (excluding CWE and OWASP) must match the primary identifier of an existing Semgrep vulnerability.
- The primary identifier is the first identifier in the vulnerability's identifiers array in the SAST report.
- For example, if a GitLab Advanced SAST vulnerability has identifiers including bandit.B506 and a Semgrep vulnerability's primary identifier is also bandit.B506, this condition is met.
Matching Location:
- The vulnerabilities must be associated with the same location in the code. This is determined using one of the following fields in a vulnerability in the SAST report:
  - Tracking field (if present)
  - Location field (if the Tracking field is absent)

Vulnerability changes

When the conditions are met, the existing Semgrep vulnerability is converted into a GitLab Advanced SAST vulnerability. This updated vulnerability appears in the Vulnerability Report with the following changes:

The scanner type updates from Semgrep to GitLab Advanced SAST.
Any additional identifiers present in the GitLab Advanced SAST vulnerability are added to the existing vulnerability.
All other details of the vulnerability remain unchanged.

Resolve duplicate vulnerabilities

In some cases, Semgrep vulnerabilities may still appear as duplicates if the deduplication conditions are not met. To resolve this in the Vulnerability Report:

Filter vulnerabilities by Advanced SAST scanner and export the results in CSV format.
Filter vulnerabilities by Semgrep scanner. These are likely the vulnerabilities that were not deduplicated.
For each Semgrep vulnerability, check if it has a corresponding match in the exported Advanced SAST results.
If a duplicate exists, resolve the Semgrep vulnerability appropriately.

Code coverage

By default, GitLab Advanced SAST analyzes all source code in the supported languages. If diff-based scanning is enabled, only the changes in a merge request are scanned.

You can disable default GitLab Advanced SAST rules or edit their metadata. For details, see customize rulesets.

Supported languages

C# version support increased from 10.0 to 13.0 in GitLab 18.6.

GitLab Advanced SAST supports the following languages:

C# (up to and including 13.0)
C/C++
Go
Java, including Java Server Pages (JSP)
JavaScript, TypeScript
PHP
Python
Ruby

GitLab Advanced SAST CPP requires additional configuration (such as a compilation database) to be used with GitLab Advanced SAST. For details, see C/C++ configuration. GitLab Advanced SAST CPP does not exclude Semgrep for C/C++ projects; both analyzers run in parallel with different rule sets.

PHP known issues

When analyzing PHP code, GitLab Advanced SAST has the following known issues:

Dynamic file inclusion: Dynamic file inclusion statements (include, include_once, require, require_once) using variables for file paths are not supported in this release. Only static file inclusion paths are supported for cross-file analysis. See issue 527341.
Case sensitivity: PHP's case-insensitive nature for function names, class names, and method names is not fully supported in cross-file analysis. See issue 526528.

Configuration

You can adjust GitLab Advanced SAST behavior using the following variables:

CI/CD variable	Default	Description
`GITLAB_ADVANCED_SAST_ENABLED`	`false`	Enable GitLab Advanced SAST scanning for all supported languages except C and C++.
`GITLAB_ADVANCED_SAST_CPP_ENABLED`	`false`	Enable GitLab Advanced SAST scanning specifically for C and C++ projects.
`ADVANCED_SAST_PARTIAL_SCAN`	`false`	Enable GitLab Advanced SAST diff-scanning mode by setting to `differential`.
`GITLAB_ADVANCED_SAST_RULE_TIMEOUT`	`30`	Timeout in seconds per rule per file. When exceeded, that analysis is skipped.
`REPORT_UNVERIFIED_VULNS`	`false`	Include unverified findings in scan results. Set to `true`, `1`, or `True` to enable.
`GITLAB_ADV_SAST_INCR_SCAN`	`false`	Enable incremental scanning to cache taint signatures between pipeline runs.
`GITLAB_ADV_SAST_INCR_SCAN_SEARCH_PERIOD`	`3 days`	How far back to search for a cached taint signature artifact. Supported format: number followed by `d`, `day`, or `days` (for example, `7 days`). Should not exceed the artifact expiry period.
`GITLAB_ADV_SAST_INCR_SCAN_CUSTOM_JOB_NAME`	`gitlab-advanced-sast`	Custom job name for cache artifact lookup. Set this if you renamed the `gitlab-advanced-sast` job.

GitLab Advanced SAST scanning is disabled by default. To explicitly disable it when enabled at a higher level (for example, for a group), set GITLAB_ADVANCED_SAST_ENABLED (or GITLAB_ADVANCED_SAST_CPP_ENABLED for C/C++ projects) to false.

Request source code of LGPL-licensed components in GitLab Advanced SAST

To request information about the source code of LGPL-licensed components in GitLab Advanced SAST, contact GitLab Support.

To ensure a quick response, include the GitLab Advanced SAST analyzer version in your request.

Because this feature is only available at the Ultimate tier, you must be associated with an organization with that level of support entitlement.