Static Application Security Testing (SAST) [ULTIMATE]

Introduced in GitLab Ultimate 10.3.

NOTE: 4 of the top 6 attacks were application based. Download our whitepaper, "A Seismic Shift in Application Security" to learn how to protect your organization.


If you are using GitLab CI/CD, you can analyze your source code for known vulnerabilities using Static Application Security Testing (SAST).

You can take advantage of SAST by either including the CI job in your existing .gitlab-ci.yml file or by implicitly using Auto SAST that is provided by Auto DevOps.

Going a step further, GitLab can show the vulnerability list right in the merge request widget area.

Use cases

  • Your application is using an external (open source) library, locked to a specific version (e.g., via Gemfile.lock) and the version is known to be vulnerable.
  • Your code has a potentially dangerous attribute in a class, or unsafe code that can lead to unintended code execution.

Supported languages and frameworks

The following languages and frameworks are supported.

Language / framework Scan tool
C/C++ Flawfinder
Python bandit
Ruby on Rails brakeman
Groovy (Gradle & Grail) find-sec-bugs
Java (Maven & Gradle) find-sec-bugs
Scala (sbt) find-sec-bugs
Go Gosec
PHP phpcs-security-audit
.NET Security Code Scan
Node.js NodeJsScan

How it works

First of all, you need to define a job in your .gitlab-ci.yml file that generates the SAST report artifact. For more information on how the SAST job should look like, check the example on Static Application Security Testing with GitLab CI/CD.

GitLab then checks this report, compares the found vulnerabilities between the source and target branches, and shows the information right on the merge request.

SAST Widget

Security report under pipelines

Introduced in GitLab Ultimate 10.6.

Visit any pipeline page which has a sast job and you will be able to see the security report tab with the listed vulnerabilities (if any).

Security Report