GitLab Static Application Security Testing Architectures and Integration

Published by TechMarmot Editorail Staff on | Category GitLab CI

Static Application Security Testing, commonly referred to as SAST, represents a critical pillar in the modern DevSecOps pipeline by enabling the identification of vulnerabilities within a project's source code before the application is ever deployed to a production environment. In the GitLab ecosystem, SAST is implemented via a suite of analyzers that scan the codebase for known security flaws, providing developers with immediate feedback during the development lifecycle. These analyzers are integrated directly into the GitLab CI/CD pipeline, transforming security from a final gateway check into a continuous process of discovery and remediation.

The primary function of these analyzers is to search for known vulnerabilities, such as insecure coding patterns or misconfigurations, within the static source code. By leveraging pipeline jobs, GitLab can execute various scanners tailored to specific programming languages and frameworks. This ensures that security flaws are caught at the earliest possible stage, significantly reducing the cost and risk associated with fixing vulnerabilities discovered in later stages of the software development life cycle (SDLC).

The Mechanism of GitLab SAST Analyzers

The implementation of SAST in GitLab is streamlined through the use of CI/CD templates. By adding specific configurations to the .gitlab-ci.yml file, users can instantiate security jobs that automatically execute the required scanners. A standard implementation involves including the SAST template and defining the specific analyzers to be utilized.

For instance, a configuration utilizing the following lines:

yaml include: - template: Security/SAST.gitlab-ci.yml variables: SAST_DEFAULT_ANALYZERS: "eslint,nodejs-scan,phpcs-security-audit"

This configuration triggers three distinct analyzers: eslint, nodejs-scan, and phpcs-security-audit. These analyzers operate within the test stage of the pipeline. Each analyzer functions independently, producing its own JSON report file named gl-sast-report.json. These reports are stored as pipeline artifacts, allowing users to download them through the pipelines interface for detailed auditing.

The JSON reports provide a granular look at the vulnerabilities discovered. A typical report entry, such as one from nodejs-scan, includes the vulnerability ID, category, name, a descriptive message, and a detailed explanation of the flaw. For example, a report might identify a vue_template vulnerability where an unescaped variable in a Vue.js template could lead to Cross Site Scripting (XSS) if untrusted user input is passed to that variable.

Comprehensive Analyzer Taxonomy and Language Support

GitLab SAST is not a monolithic scanner but a collection of specialized tools. The current architecture primarily consists of two main scanner types: GitLab Advanced SAST and Semgrep SAST.

GitLab Advanced SAST serves as the primary scanning tool for most purposes and covers a wide array of languages. Semgrep SAST is specifically utilized for C++ code. The breadth of language support within GitLab Advanced SAST is extensive, including:

  • C# (supported up to and including version 13.0)
  • C/C++
  • Go
  • Java, including Java Server Pages (JSP)
  • JavaScript
  • TypeScript
  • PHP
  • Python
  • Ruby

For Java and Scala projects, the system utilizes SpotBugs with the find-sec-bugs plugin. This combination supports various build tools, including Gradle, Maven, and SBT, as well as their respective wrappers (Gradle wrapper, Maven wrapper) and Grails. However, SpotBugs exhibits limitations when processing Ant-based projects. For Ant-based Java or Scala projects, the GitLab Advanced SAST or Semgrep-based analyzers are the required alternatives.

Beyond application code, the SAST CI/CD template includes an analyzer job capable of scanning Kubernetes manifests and Helm charts. While this job is disabled by default, it can be enabled via the Kubesec analyzer, or users may opt for IaC (Infrastructure as Code) scanning for broader platform support.

Advanced Vulnerability Tracking and Code Flow

For organizations utilizing the Ultimate tier, GitLab provides advanced vulnerability tracking across GitLab.com, GitLab Self-Managed, and GitLab Dedicated offerings. Because source code is volatile and frequently changes, vulnerabilities may shift across different files or move within a single file as developers refactor. GitLab's tracking system links vulnerabilities to specific problematic code fragments, ensuring that the security flaw remains tracked even as the code evolves.

A standout feature of GitLab Advanced SAST is the provision of code flow information. Code flow maps the exact path data takes from the user input, known as the source, to the vulnerable line of code, known as the sink. This path includes all assignments, manipulations, and sanitizations the data undergoes. This deep visibility is available for high-risk vulnerabilities, including:

  • SQL injection
  • Command injection
  • Cross-site scripting (XSS)
  • Path traversal

The code flow information is presented in a dedicated Code flow tab, showcasing the sequential steps from source to sink and providing the relevant code snippets from the affected files. This allows security engineers to evaluate the actual risk and impact of a vulnerability rather than relying on a static alert.

Deployment Policies and the Party Bus Framework

In highly regulated environments, such as those following the Party Bus model, SAST is integrated into a strict merge request (MR) policy to align with ATO (Authorization to Operate) and NIST DevSecOps requirements. As of September 2025, this framework prohibits direct pushes to default branches like main or master. All changes must occur via a merge request.

The policy enforces GitLab SAST at the MR stage. While SAST is not a binary pass/fail job, the MR policy acts as a gatekeeper based on the following criteria:

  • New Vulnerabilities: Merges are blocked if any new Medium, High, or Critical vulnerabilities are detected. Developers must either remediate these flaws or obtain a whitelist exception.
  • Existing Vulnerabilities: During initial adoption phases, merges may be blocked if the default branch contains any existing vulnerabilities. This is a temporary measure to force the remediation of legacy issues.

Technical Configuration and Infrastructure Optimization

The deployment of SAST analyzers can be customized to fit various infrastructure requirements, including offline or air-gapped environments.

Docker Registry and Image Management

By default, GitLab pulls analyzer images from its own registry. However, users with the Maintainer or Owner role can configure a custom Docker registry using the SECURE_ANALYZERS_PREFIX CI/CD variable. This instructs the pipeline to pull images from a specified registry instead of the default.

In offline environments, the GitLab Runner pull_policy can be set to if-not-present to utilize locally available images. Conversely, in online environments, the policy should remain as always to ensure the latest scanner versions are utilized. To establish a local registry, the following images must be imported from registry.gitlab.com:

  • registry.gitlab.com/security-products/gitlab-advanced-sast:2
  • registry.gitlab.com/security-products/kubesec:6
  • registry.gitlab.com/security-products/pmd-apex:6
  • registry.gitlab.com/security-products/semgrep:6
  • registry.gitlab.com/security-products/sobelow:6
  • registry.gitlab.com/security-products/spotbugs:5

FIPS Compliance and Security Hardening

For environments requiring FIPS 140-validated cryptographic modules, GitLab provides specific image versions based on the Red Hat UBI base image. To enable FIPS compliance, users can set the SAST_IMAGE_SUFFIX variable to -fips or add the -fips extension to the image name.

Example FIPS configuration:

yaml variables: SAST_IMAGE_SUFFIX: '-fips' include: - template: Jobs/SAST.gitlab-ci.yml

FIPS-compliant images are limited to the GitLab Advanced SAST and Semgrep-based analyzers. When using these images in a runner with a non-root user, the run_as_user attribute under runners.kubernetes.pod_security_context must be updated to use the ID 1000, which corresponds to the gitlab user created by the image.

Vulnerability Management and Translation

As GitLab evolves its security toolset, it often transitions from older analyzers to newer ones, such as the shift toward Semgrep. When this occurs, the system attempts to translate existing vulnerabilities to the new analyzer.

Vulnerabilities are combined into a single record, but failures in translation can occur if:
- A Semgrep-based rule identifies the vulnerability at a different location or in a different manner than the previous analyzer.
- SAST analyzers were previously disabled, preventing the recording of necessary identifiers.

In cases where a match fails, the original vulnerability is marked as "no longer detected" in the report, and a new vulnerability is created based on the Semgrep finding. To maintain historical records, the Vulnerability Management system leaves comments on automatically resolved vulnerabilities. If a rule is ever re-enabled, the previous findings are reopened for triage.

Operational Guide: Viewing and Extracting Results

Accessing SAST results requires specific permissions. Users must hold the Security Manager, Developer, Maintainer, or Owner role.

The process for reviewing vulnerabilities within a pipeline is as follows:

  1. Use the Search function or navigate to the project home.
  2. Select Build > Pipelines from the left sidebar.
  3. Choose the specific pipeline execution.
  4. Select the Security tab.
  5. Depending on the tier, users can either download the results or select a specific vulnerability to view its full details (detailed view is an Ultimate-only feature).

For those requiring the raw data, the Developer, Maintainer, or Owner roles can download the JSON reports produced by each analyzer as job artifacts.

Summary of Technical Specifications

Feature Detail
Primary Analyzers GitLab Advanced SAST, Semgrep SAST
FIPS Base Image Red Hat UBI
Default Base Image Alpine
Required Role for Results Security Manager, Developer, Maintainer, Owner
FIPS User ID 1000
Report Format JSON (gl-sast-report.json)
Critical Gate Logic Block on Medium, High, Critical (Party Bus Policy)

Conclusion

The integration of SAST within GitLab transforms the security posture of an organization from reactive to proactive. By utilizing a diverse set of analyzers—ranging from the broad coverage of GitLab Advanced SAST to the specialized C++ capabilities of Semgrep—developers can identify critical flaws like XSS and SQL injection through detailed code flow analysis. The system's flexibility is further evidenced by its support for FIPS compliance and the ability to operate within air-gapped environments via custom Docker registries.

Ultimately, the effectiveness of GitLab SAST lies in its placement within the merge request workflow. By enforcing a policy where new vulnerabilities block the path to production, organizations ensure that security is not an afterthought but a prerequisite for deployment. The transition from legacy analyzers to Semgrep, coupled with the persistence of vulnerability tracking, provides a robust framework for maintaining a clean and secure codebase across the entire software development lifecycle.

Sources

  1. Secure your project with the GitLab SAST analyzers
  2. SonarQube GitLab SAST - Party Bus
  3. GitLab SAST Analyzers Documentation
  4. GitLab SAST Overview
  5. GitLab Advanced SAST Documentation

Related Posts