The following page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features or functionality remain at the sole discretion of GitLab Inc.
| Stage | Secure |
| --- | --- |
| Maturity | Complete |
| Content Last Reviewed | 2024-01-26 |
This direction page describes GitLab's plans for the SAST category, which checks source code to find possible security vulnerabilities.
This page is maintained by the Product Manager for Static Analysis, Connor Gilbert.
Everyone can contribute to where GitLab SAST goes next, and we'd love to hear from you. The best ways to participate in the conversation are to:

- Use the gitlab-org/gitlab issue tracker.
- Add `@gitlab-bot label ~"group::static analysis" ~"Category:SAST"` to your issue so it lands in our triage workflow.

GitLab SAST runs on merge requests and the default branch of your software projects so you can continuously monitor and improve the security of the code you write. SAST jobs run in your CI/CD pipelines alongside existing builds, tests, and deployments, so it's easy for developers to interact with.
While SAST uses sophisticated techniques, we want it to be simple to understand and use day-to-day, especially by developers who may not have specific security expertise. So, when you enable GitLab SAST, it automatically detects the programming languages used in your project and runs the right security analyzers.
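As an added illustration of the pipeline integration described above (example configuration written for this page, not taken from the direction page or from GitLab's own documentation), the following `.gitlab-ci.yml` enables GitLab SAST by including the `Jobs/SAST.gitlab-ci.yml` template next to a project's existing build and test jobs. The `build-job` and `unit-tests` jobs are placeholders standing in for a project's real jobs; the `SAST_EXCLUDED_PATHS` value is a constructed example of tuning, not a recommendation.

```yaml
# Added example .gitlab-ci.yml: enable GitLab SAST alongside existing jobs.
# The SAST template defines the analyzer jobs itself and places them in the
# "test" stage, so the pipeline must keep a "test" stage for them to run.
stages:
  - build
  - test
  - deploy

include:
  - template: Jobs/SAST.gitlab-ci.yml

variables:
  # Constructed example: skip vendored code in addition to the template's
  # default excluded directories.
  SAST_EXCLUDED_PATHS: "spec, test, tests, tmp, vendor"

build-job:
  stage: build
  script:
    - echo "placeholder for the project's real build step"

unit-tests:
  stage: test
  script:
    - echo "placeholder for the project's real test suite"
```

With this in place, the template selects analyzers based on the languages it detects in the repository, so no per-language job definitions are needed; the SAST jobs run in the `test` stage on merge request pipelines and on the default branch, which is what makes the findings show up where developers already look.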
We want to give everyone the tools they need to write high-quality code, so basic SAST scans are available in every GitLab tier. However, organizations that use GitLab SAST in their security programs should use Ultimate. Only GitLab Ultimate includes:
We want to help developers write better code and worry less about common security mistakes. SAST should help prevent security vulnerabilities by making common security issues easy to identify as code is contributed, so developers can mitigate them proactively. SAST should integrate seamlessly into a developer's workflow, because security tools are only effective when they are actually used.
The importance of these goals is validated by GitLab's DevSecOps Landscape Survey, which consistently finds that:
GitLab Static Analysis and Vulnerability Research teams are collaborating to address important opportunities to improve the customer experience with SAST.
We're prioritizing these themes for feature delivery:
We're prioritizing these themes for future design and discovery efforts, following recent feature releases:
In the next 3 months, we are planning to work on:
We are currently working on:
Our recent work includes:
Check older release posts for our previous work in this area.
We understand the value of many potential improvements to GitLab SAST, but aren't currently planning to work on the following initiatives:
SAST helps developers identify weaknesses and security issues early in the software development lifecycle, soon after code is written.
SAST does:
SAST doesn't: