The whitepaper "A Seismic Shift in Application Security" explains how 4 of the top 6 attacks were application based. If you're using GitLab CI/CD, you can use Static Application Security Testing (SAST) to check your source code for known vulnerabilities, for example:

- Your code has a potentially dangerous attribute in a class, or unsafe code that can lead to unintended code execution.
- Your application is vulnerable to cross-site scripting (XSS) attacks that can be leveraged to gain unauthorized access to session data.

You can run SAST analyzers in any GitLab tier. The analyzers output JSON-formatted reports as job artifacts. With GitLab Ultimate, SAST results are also processed so you can: For more details, see the Summary of features per tier.

A pipeline consists of multiple jobs, including SAST and DAST scanning. If any job fails to finish for any reason, the security dashboard does not show SAST scanner output. For example, if the SAST job finishes but the DAST job fails, the security dashboard does not show SAST results. The results are sorted by the priority of the vulnerability:

SAST runs in the test stage, which is available by default; the test stage is required in the .gitlab-ci.yml file. To run SAST jobs, by default, you need GitLab Runner. If you're using the shared runners, this is enabled by default. If you use your own runners, make sure the installed Docker version is suitable; see the troubleshooting information for details.

GitLab SAST supports scanning a variety of programming languages and frameworks. Once you enable SAST, the right set of analyzers runs automatically even if your project uses more than one language. For more information about our plans for language support in SAST, see the category direction page. Bracketed numbers in the table are the footnote markers from the original table.

| Language / framework | Analyzer used for scanning | Minimum supported GitLab version |
|---|---|---|
| .NET (all versions, C# only) | Semgrep with GitLab-managed rules | 15.4 |
| Apex (Salesforce) | PMD | 12.1 |
| C | Semgrep with GitLab-managed rules | 14.2 |
| C/C++ | Flawfinder | 10.7 |
| Elixir (Phoenix) | Sobelow | 11.1 |
| Go [3] | Gosec | 10.7 |
| Go | Semgrep with GitLab-managed rules | 14.4 |
| Groovy [2] | SpotBugs with the find-sec-bugs plugin | 11.3 (Gradle) & 11.9 (Maven, SBT) |
| Helm Charts | Kubesec | 13.1 |
| Java (any build system) | Semgrep with GitLab-managed rules | 14.10 |
| Java [2, 3] | SpotBugs with the find-sec-bugs plugin | 10.6 (Maven), 10.8 (Gradle) & 11.9 (SBT) |
| Java (Android) | MobSF (beta) | 13.5 |
| JavaScript [3] | ESLint security plugin | 11.8 |
| JavaScript | Semgrep with GitLab-managed rules | 13.10 |
| Kotlin (Android) | MobSF (beta) | 13.5 |
| Kotlin (General) [2] | SpotBugs with the find-sec-bugs plugin | 13.11 |
| Kubernetes manifests | Kubesec | 12.6 |
| Node.js | NodeJsScan | 11.1 |
| Objective-C (iOS) | MobSF (beta) | 13.5 |
| PHP | phpcs-security-audit | 10.8 |
| Python [3] | bandit | 10.3 |
| Python | Semgrep with GitLab-managed rules | 13.9 |
| React [3] | ESLint react plugin | 12.5 |
| React | Semgrep with GitLab-managed rules | 13.10 |
| Ruby | brakeman | 13.9 |
| Ruby on Rails | brakeman | 10.3 |
| Scala [2] | SpotBugs with the find-sec-bugs plugin | 11.0 (SBT) & 11.9 (Gradle, Maven) |
| Swift (iOS) | MobSF (beta) | 13.5 |
| TypeScript [3] | ESLint security plugin | 11.9, merged with ESLint in 13.2 |
| TypeScript | Semgrep with GitLab-managed rules | 13.10 |

Notes:

- The analyzer runs in a Linux container and does not have access to Windows-specific libraries or features. Use the Semgrep-based scanner if you need them.
- The SpotBugs-based analyzer supports Gradle, Maven, and SBT. It can also be used with variants like the Maven wrapper. However, SpotBugs has limitations when used against Ant-based projects.
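The JSON report artifact described above can be consumed by your own pipeline tooling, for instance to enforce a severity gate independent of the dashboard. The following is an added example and not code from the GitLab documentation or its analyzers: it parses a constructed report in the shape of gl-sast-report.json (field names follow the GitLab SAST report format; the sample values and the severity order used as "priority" are this example's assumptions), lists findings highest severity first, and exits non-zero when any finding meets a threshold.

```python
import json
import sys

# Severity rank, highest priority first. The vocabulary is GitLab's; the
# ordering used as "priority" is this example's assumption.
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Info": 4, "Unknown": 5}

# Constructed sample in the shape of a gl-sast-report.json artifact.
# Field names follow the GitLab SAST report format; the values are made up.
SAMPLE_REPORT = json.dumps({
    "version": "15.0.0",
    "vulnerabilities": [
        {"id": "a1", "category": "sast", "name": "Use of eval", "severity": "Medium",
         "scanner": {"id": "semgrep", "name": "Semgrep"},
         "location": {"file": "app/util.js", "start_line": 42}},
        {"id": "b2", "category": "sast", "name": "SQL injection", "severity": "Critical",
         "scanner": {"id": "semgrep", "name": "Semgrep"},
         "location": {"file": "app/db.py", "start_line": 10}},
        {"id": "c3", "category": "sast", "name": "Hardcoded password", "severity": "High",
         "scanner": {"id": "bandit", "name": "Bandit"},
         "location": {"file": "app/config.py", "start_line": 3}},
    ],
})


def severity_rank(finding):
    """Rank of a finding; unrecognised severities sort last."""
    return SEVERITY_RANK.get(finding.get("severity", "Unknown"), SEVERITY_RANK["Unknown"])


def load_findings(report_text):
    """Parse a SAST report and return its findings sorted by severity priority."""
    report = json.loads(report_text)
    return sorted(report.get("vulnerabilities", []), key=severity_rank)


def count_by_severity(findings):
    """Histogram of findings per severity label."""
    counts = {}
    for finding in findings:
        label = finding.get("severity", "Unknown")
        counts[label] = counts.get(label, 0) + 1
    return counts


def exceeds_threshold(findings, max_allowed="High"):
    """True if any finding is at or above max_allowed severity (a pipeline gate)."""
    return any(severity_rank(f) <= SEVERITY_RANK[max_allowed] for f in findings)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    ordered = load_findings(text)
    for v in ordered:
        loc = v.get("location", {})
        print(f"{v['severity']:8} {v['name']} ({loc.get('file')}:{loc.get('start_line')}) [{v['scanner']['name']}]")
    sys.exit(1 if exceeds_threshold(ordered) else 0)
```

Run it with the path to a downloaded gl-sast-report.json artifact as the first argument; with no argument it uses the constructed sample.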
Troubleshooting topics in the Static Application Security Testing (SAST) documentation:

- Pipeline errors related to changes in the GitLab-managed CI/CD template
- exec /bin/sh: exec format error message in job log
- Error response from daemon: error processing tar file: docker-tar: relocation error
- Getting warning message gl-sast-report.json: no matching files
- Error: sast is used for configuration only, and its script should not be executed
- SpotBugs UTF-8 unmappable character errors
- SpotBugs Error: Project couldn't be built
- Semgrep slowness, unexpected results, or other errors
- SAST job fails with message strconv.ParseUint: parsing "0.0": invalid syntax
  - Workaround 1: Pin analyzer versions (GitLab 12.1 and earlier)
  - Workaround 2: Disable Docker-in-Docker for SAST and Dependency Scanning (GitLab 12.3 and later)
  - Workaround 3: Upgrade to GitLab 13.x and use the defaults
- MobSF job fails with error message Reading from ist