Analyzer development guide · Sec · Development · Help · GitLab (2023)

Analyzers are shipped as Docker images to execute within a CI pipeline context. This guide describes development and testing practices across analyzers.

Shared modules

A number of Go modules are shared across analyzers for common behavior and interfaces:

  • The command Go package implements a CLI interface.
  • The common project provides miscellaneous shared modules for logging, certificate handling, and directory search capabilities.
  • The report Go package's Report and Finding structs marshal JSON reports.
  • The template project scaffolds new analyzers.

How to use the analyzers

Analyzers are shipped as Docker images. For example, to run the Semgrep Docker image to scan the working directory:

  1. cd into the directory of the source code you want to scan.

  2. Run docker login registry.gitlab.com and provide your username plus a personal or project access token with at least the read_registry scope.

  3. Run the Docker image:

    docker run \
      --interactive --tty --rm \
      --volume "$PWD":/tmp/app \
      --env CI_PROJECT_DIR=/tmp/app \
      -w /tmp/app \
      registry.gitlab.com/gitlab-org/security-products/analyzers/semgrep:latest /analyzer run

  4. The Docker container generates a report in the mounted project directory with a report filename corresponding to the analyzer category. For example, SAST generates a file named gl-sast-report.json.

Analyzers development

To update the analyzer:

  1. Modify the Go source code.
  2. Build a new Docker image.
  3. Run the analyzer against its test project.
  4. Compare the generated report with what's expected.

Here's how to create a Docker image named analyzer:

docker build -t analyzer .

For example, to test Secret Detection run the following:

wget https://gitlab.com/gitlab-org/security-products/ci-templates/-/raw/master/scripts/compare_reports.sh
sh ./compare_reports.sh sd test/fixtures/gl-secret-detection-report.json test/expect/gl-secret-detection-report.json \
| patch -Np1 test/expect/gl-secret-detection-report.json && git commit -m 'Update expectation' test/expect/gl-secret-detection-report.json
rm compare_reports.sh
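The comparison step above, as an added example written for this guide rather than the compare_reports.sh script itself: a Go program that decodes an expected and an actual report into the fields worth comparing and lists the findings that are missing or unexpected. Timestamps, tool versions and generated vulnerability ids are deliberately left out of the comparable view so that two runs of one analyzer compare equal; which fields count as volatile, the Report and Finding types, and the two constructed sample reports are assumptions for this example, not the report package's own types.

```go
package main

import (
	"encoding/json"
	"fmt"
	"reflect"
	"sort"
)

// Comparable view of a gl-*-report.json file. Volatile fields (scan.start_time,
// scan.end_time, tool versions, generated vulnerability ids) are deliberately
// left out so that two runs of one analyzer compare equal. Which fields count
// as volatile is an assumption for this example; compare_reports.sh has its own list.
type Report struct {
	Version         string    `json:"version"`
	Vulnerabilities []Finding `json:"vulnerabilities"`
	Scan            struct {
		Status   string `json:"status"`
		Analyzer struct {
			ID string `json:"id"`
		} `json:"analyzer"`
	} `json:"scan"`
}

type Finding struct {
	Name     string `json:"name"`
	Severity string `json:"severity"`
	Location struct {
		File      string `json:"file"`
		StartLine int    `json:"start_line"`
	} `json:"location"`
}

// Key identifies a finding by the parts that stay stable between runs.
func (f Finding) Key() string {
	return fmt.Sprintf("%s @ %s:%d", f.Name, f.Location.File, f.Location.StartLine)
}

// ReportDiff summarises how the actual report deviates from the expectation.
type ReportDiff struct {
	Identical  bool     // the whole comparable view matches (names, severities, locations, scan status)
	Missing    []string // findings in the expectation but absent from the actual report
	Unexpected []string // findings in the actual report but absent from the expectation
}

// diffReports decodes both JSON reports into the comparable view and diffs them.
func diffReports(expected, actual []byte) (ReportDiff, error) {
	var exp, act Report
	if err := json.Unmarshal(expected, &exp); err != nil {
		return ReportDiff{}, fmt.Errorf("expected report: %w", err)
	}
	if err := json.Unmarshal(actual, &act); err != nil {
		return ReportDiff{}, fmt.Errorf("actual report: %w", err)
	}
	return ReportDiff{
		Identical:  reflect.DeepEqual(exp, act),
		Missing:    onlyIn(exp.Vulnerabilities, act.Vulnerabilities),
		Unexpected: onlyIn(act.Vulnerabilities, exp.Vulnerabilities),
	}, nil
}

// onlyIn returns, sorted, the keys of findings in a that have no counterpart in b.
func onlyIn(a, b []Finding) []string {
	seen := map[string]bool{}
	for _, f := range b {
		seen[f.Key()] = true
	}
	var out []string
	for _, f := range a {
		if !seen[f.Key()] {
			out = append(out, f.Key())
		}
	}
	sort.Strings(out)
	return out
}

// Constructed sample reports: the actual run has fresh ids and timestamps, a
// newer analyzer version (all ignored) and one extra finding (reported).
const expectedReport = `{"version":"15.0.0",
 "vulnerabilities":[{"id":"e1","name":"Hard-coded credential","severity":"Critical",
  "location":{"file":"app/config.rb","start_line":12,"end_line":12}}],
 "scan":{"start_time":"2023-01-01T00:00:00","end_time":"2023-01-01T00:00:05","status":"success",
  "type":"sast","analyzer":{"id":"semgrep","version":"3.0.0"}}}`

const actualReport = `{"version":"15.0.0",
 "vulnerabilities":[{"id":"a9","name":"Hard-coded credential","severity":"Critical",
  "location":{"file":"app/config.rb","start_line":12,"end_line":12}},
  {"id":"b3","name":"SQL injection","severity":"High",
  "location":{"file":"app/db.rb","start_line":40,"end_line":40}}],
 "scan":{"start_time":"2023-02-02T09:00:00","end_time":"2023-02-02T09:00:07","status":"success",
  "type":"sast","analyzer":{"id":"semgrep","version":"3.0.1"}}}`

func main() {
	d, err := diffReports([]byte(expectedReport), []byte(actualReport))
	fmt.Printf("identical=%v missing=%v unexpected=%v err=%v\n", d.Identical, d.Missing, d.Unexpected, err)
}
```

Running it against the two constructed reports shows no missing findings, one unexpected finding (the SQL injection at app/db.rb:40) and Identical=false; feeding the same report twice, or a copy that differs only in ids and timestamps, yields Identical=true, which is the property an expectation file needs so that it does not have to be regenerated after every run.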

You can also compile the binary for your own environment and run it locally, but analyze and run probably won't work since the runtime dependencies of the analyzer are missing.

Here's an example based on SpotBugs:

go build -o analyzer
./analyzer search test/fixtures
./analyzer convert test/fixtures/app/spotbugsXml.Xml > ./gl-sast-report.json

Execution criteria

Enabling SAST requires including a pre-defined template in your GitLab CI/CD configuration.

The following independent criteria determine which analyzer needs to be run on a project:

  1. The SAST template uses rules:exists to determine which analyzer will be run based on the presence of certain files. For example, the Brakeman analyzer runs when there are .rb files and a Gemfile.
  2. Each analyzer runs a customizable match interface before it performs the actual analysis. For example: Flawfinder checks for C/C++ files.
  3. For some analyzers that run on generic file extensions, there is a check based on a CI/CD variable. For example: Kubernetes manifests are written in YAML, so Kubesec runs only when SCAN_KUBERNETES_MANIFESTS is set to true.

Step 1 helps prevent wasting CI/CD minutes on analyzers that are not suitable for the project. However, due to technical limitations, it cannot be used for large projects. Therefore, step 2 acts as a final check to ensure a mismatched analyzer is able to exit early.
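Criteria 2 and 3 above, as an added example in Go that is not any analyzer's own match code: a check that gates on a CI/CD variable where one is required (the Kubesec case), requires a marker file at the project root where one is named (the Gemfile in the Brakeman case), and otherwise walks the project tree only until the first file with a matching extension, so a mismatched analyzer exits early even on a large project. The matchRule type, the three rules, the extension lists and the constructed sample project are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// matchRule says when one analyzer has work to do. The struct and the three rules
// are assumptions modelled on the criteria in the text, not the analyzers' own code.
type matchRule struct {
	Name        string
	Extensions  []string // lower-case file extensions the wrapped tool understands
	RequireFile string   // optional file that must exist at the project root
	EnvGate     string   // optional CI/CD variable that must be set to "true"
}

var (
	flawfinderRule = matchRule{Name: "flawfinder", Extensions: []string{".c", ".h", ".cc", ".cpp", ".hpp"}}
	brakemanRule   = matchRule{Name: "brakeman", Extensions: []string{".rb"}, RequireFile: "Gemfile"}
	kubesecRule    = matchRule{Name: "kubesec", Extensions: []string{".yaml", ".yml"}, EnvGate: "SCAN_KUBERNETES_MANIFESTS"}
)

// errFound aborts the directory walk as soon as one matching file is seen.
var errFound = errors.New("match found")

// shouldRun reports whether rule's analyzer should proceed on the project at root.
// Cheap checks (variable gate, marker file) come first; the walk then stops at the
// first matching file, so a mismatched analyzer exits early even on a large tree.
func shouldRun(root string, rule matchRule, env func(string) string) (bool, error) {
	if rule.EnvGate != "" && !strings.EqualFold(env(rule.EnvGate), "true") {
		return false, nil
	}
	if rule.RequireFile != "" {
		if _, err := os.Stat(filepath.Join(root, rule.RequireFile)); err != nil {
			if errors.Is(err, fs.ErrNotExist) {
				return false, nil
			}
			return false, err
		}
	}
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if d.IsDir() {
			if d.Name() == ".git" || d.Name() == "node_modules" {
				return fs.SkipDir // never scanned, and often the bulk of the tree
			}
			return nil
		}
		ext := strings.ToLower(filepath.Ext(path))
		for _, want := range rule.Extensions {
			if ext == want {
				return errFound
			}
		}
		return nil
	})
	if errors.Is(err, errFound) {
		return true, nil
	}
	return false, err
}

// writeSampleProject creates a constructed tree: a C source file, a Ruby file
// without a Gemfile, and a Kubernetes manifest.
func writeSampleProject(root string) error {
	files := map[string]string{
		"src/main.c":      "int main(void) { return 0; }\n",
		"lib/app.rb":      "puts 'hello'\n",
		"deploy/pod.yaml": "apiVersion: v1\nkind: Pod\n",
	}
	for name, body := range files {
		full := filepath.Join(root, filepath.FromSlash(name))
		if err := os.MkdirAll(filepath.Dir(full), 0o755); err != nil {
			return err
		}
		if err := os.WriteFile(full, []byte(body), 0o644); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	root, _ := os.MkdirTemp("", "analyzer-match-")
	defer os.RemoveAll(root)
	if err := writeSampleProject(root); err != nil {
		panic(err)
	}
	for _, rule := range []matchRule{flawfinderRule, brakemanRule, kubesecRule} {
		ok, err := shouldRun(root, rule, os.Getenv)
		fmt.Printf("%-10s run=%v err=%v\n", rule.Name, ok, err)
	}
}
```

On the constructed tree flawfinder runs (src/main.c), brakeman does not (a .rb file exists but no Gemfile), and kubesec runs only when SCAN_KUBERNETES_MANIFESTS=true is in the environment. The environment lookup is passed in as a function so the decision can be tested without touching the real process environment.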

How to test the analyzers

A video walkthrough shows how the Dependency Scanning analyzers use the downstream pipeline feature to test analyzers against test projects.

Testing local changes

To test local changes in the shared modules (such as command or report) for an analyzer, you can use the go mod replace directive to load command with your local changes instead of the version of command that has been tagged remotely. For example:

go mod edit -replace gitlab.com/gitlab-org/security-products/analyzers/command/v3=/local/path/to/command

Alternatively you can achieve the same result by manually updating the go.mod file:

module gitlab.com/gitlab-org/security-products/analyzers/awesome-analyzer/v2

replace gitlab.com/gitlab-org/security-products/analyzers/command/v3 => /path/to/command

require (
    ...
    gitlab.com/gitlab-org/security-products/analyzers/command/v3 v2.19.0
)

Testing local changes in Docker

To use Docker with replace in the go.mod file:

  1. Copy the contents of command into the directory of the analyzer. cp -r /path/to/command path/to/analyzer/command.
  2. Add a copy statement in the analyzer's Dockerfile: COPY command /command.
  3. Update the replace statement to make sure it matches the destination of the COPY statement in the step above:

     replace gitlab.com/gitlab-org/security-products/analyzers/command/v3 => /command

Analyzer scripts

The analyzer-scripts repository contains scripts that can be used to interact with most analyzers. They enable you to build, run, and debug analyzers in a GitLab CI-like environment, and are particularly useful for locally validating changes to an analyzer.

For more information, refer to the project README.

Versioning and release process

Analyzers are independent projects that follow their own versioning. Patch version bumps tend to correspond to a Minor version bump of the underlying tool (for example, Bandit), which gives us greater flexibility to reserve Minor bumps for more significant changes to our scanners. In case of breaking changes imposed by the wrapped scanner, creating a new analyzer in a separate repository must be considered.

The analyzers are released as Docker images following this scheme:

  • each push to the master branch will override the edge image tag
  • each push to any awesome-feature branch will generate a matching awesome-feature image tag
  • each Git tag will generate the corresponding Major.Minor.Patch image tag. A manual job allows overriding the corresponding Major and latest image tags to point to this Major.Minor.Patch.

To release a new analyzer Docker image, there are two different options:

  • Manual release process
  • Automatic release process

Manual release process

  1. Ensure that the CHANGELOG.md entry for the new analyzer is correct.
  2. Ensure that the release source (typically the master or main branch) has a passing pipeline.
  3. Create a new release for the analyzer project by selecting the Deployments menu on the left-hand side of the project window, then selecting the Releases sub-menu.
  4. Select New release to open the New Release page.
    1. In the Tag name drop-down, enter the same version used in the CHANGELOG.md, for example v2.4.2, and select the option to create the tag (Create tag v2.4.2 here).
    2. In the Release title text box enter the same version used above, for example v2.4.2.
    3. In the Release notes text box, copy and paste the notes from the corresponding version in the CHANGELOG.md.
    4. Leave all other settings as the default values.
    5. Select Create release.

After following the above process and creating a new release, a new Git tag is created with the Tag name provided above. This triggers a new pipeline with the given tag version and a new analyzer Docker image is built.

If the analyzer uses the analyzer.yml template, then the pipeline triggered as part of the New release process above automatically tags and deploys a new version of the analyzer Docker image.

If the analyzer does not use the analyzer.yml template, you'll need to manually tag and deploy a new version of the analyzer Docker image:

  1. Select the CI/CD menu on the left-hand side of the project window, then select the Pipelines sub-menu.
  2. A new pipeline should currently be running with the same tag used previously, for example v2.4.2.
  3. After the pipeline has completed, it will be in a blocked state.
  4. Select the Manual job play button on the right-hand side of the window and select tag version to tag and deploy a new version of the analyzer Docker image.

Use your best judgment to decide when to create a Git tag, which will then trigger the release job. If you can't decide, ask for others' input.

Automatic release process

The following must be performed before the automatic release process can be used:

  1. Configure CREATE_GIT_TAG: true as a CI/CD environment variable.
  2. Check the Variables in the CI/CD project settings. Unless the project already inherits the GITLAB_TOKEN environment variable from the project group, create a project access token with complete read/write access to the API and configure GITLAB_TOKEN as a CI/CD environment variable which refers to this token.

After the above steps have been completed, the automatic release process executes as follows:

  1. A project maintainer merges an MR into the default branch.
  2. The default pipeline is triggered, and the upsert git tag job is executed.
    • If the most recent version in the CHANGELOG.md matches one of the Git tags, the job is a no-op.
    • Else, this job automatically creates a new release and Git tag using the releases API. The version and message are obtained from the most recent entry in the CHANGELOG.md file for the project.
  3. A pipeline is automatically triggered for the new Git tag. This pipeline releases the latest, major, minor and patch Docker images of the analyzer.
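The decision made by the upsert git tag job, together with the image tag scheme from "Versioning and release process" above, as an added example in Go that is not the project's own release job: read the most recent version from CHANGELOG.md, do nothing if a Git tag for it already exists, otherwise plan a release with the notes taken from that entry and the latest, Major, Major.Minor and Major.Minor.Patch image tags the tag pipeline then publishes. The heading format `## vX.Y.Z` and the constructed CHANGELOG.md are assumptions for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Matches the heading of a CHANGELOG.md entry such as "## v2.4.2". The heading
// format is an assumption for this example.
var versionHeading = regexp.MustCompile(`(?m)^## +v?(\d+\.\d+\.\d+)\b`)

// latestChangelogVersion returns the version of the topmost (most recent) entry.
func latestChangelogVersion(changelog string) (string, error) {
	m := versionHeading.FindStringSubmatch(changelog)
	if m == nil {
		return "", fmt.Errorf("no version heading found in CHANGELOG.md")
	}
	return "v" + m[1], nil
}

// releaseNotes returns the body of the entry for version, up to the next heading.
func releaseNotes(changelog, version string) string {
	var notes []string
	inEntry := false
	for _, line := range strings.Split(changelog, "\n") {
		if strings.HasPrefix(line, "## ") {
			if inEntry {
				break
			}
			inEntry = "v"+strings.TrimPrefix(strings.TrimSpace(line[3:]), "v") == version
			continue
		}
		if inEntry {
			notes = append(notes, line)
		}
	}
	return strings.TrimSpace(strings.Join(notes, "\n"))
}

// ReleasePlan is what the upsert git tag job decides for one default-branch pipeline.
type ReleasePlan struct {
	Tag    string   // Git tag matching the newest CHANGELOG entry
	NoOp   bool     // true when that tag already exists
	Notes  string   // release message taken from the CHANGELOG entry
	Images []string // image tags the tag pipeline then publishes
}

// planUpsert reproduces the job's decision: no-op when the newest CHANGELOG
// version is already tagged, otherwise create the release and Git tag.
func planUpsert(changelog string, existingTags []string) (ReleasePlan, error) {
	version, err := latestChangelogVersion(changelog)
	if err != nil {
		return ReleasePlan{}, err
	}
	for _, t := range existingTags {
		if t == version {
			return ReleasePlan{Tag: version, NoOp: true}, nil
		}
	}
	return ReleasePlan{Tag: version, Notes: releaseNotes(changelog, version), Images: imageTagsForRelease(version)}, nil
}

// imageTagsForRelease lists the image tags a Git tag pipeline releases:
// latest, Major, Major.Minor and Major.Minor.Patch.
func imageTagsForRelease(version string) []string {
	v := strings.TrimPrefix(version, "v")
	p := strings.SplitN(v, ".", 3)
	return []string{"latest", p[0], p[0] + "." + p[1], v}
}

// branchImageTag gives the image tag a push to a branch produces: edge for
// master, otherwise the branch name.
func branchImageTag(branch string) string {
	if branch == "master" {
		return "edge"
	}
	return branch
}

// Constructed CHANGELOG.md for the example.
const sampleChangelog = `# Changelog

## v2.4.2
- Bump the wrapped scanner (constructed entry)
- Fix report path handling

## v2.4.1
- Initial 2.4 release
`

func main() {
	plan, err := planUpsert(sampleChangelog, []string{"v2.4.1", "v2.4.0"})
	fmt.Printf("%+v err=%v\n", plan, err)
}
```

With tags v2.4.1 and v2.4.0 already present the plan is to create v2.4.2 and publish latest, 2, 2.4 and 2.4.2; once v2.4.2 exists the same CHANGELOG.md produces a no-op, which is what makes the job safe to run on every merge to the default branch.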

Steps to perform after releasing an analyzer

  1. After a new version of the analyzer Docker image has been tagged and deployed, please test it with the corresponding test project.

  2. Announce the release on the relevant group Slack channel. Example message:

    FYI I've just released ANALYZER_NAME ANALYZER_VERSION. LINK_TO_RELEASE

Never delete a Git tag that has been pushed, as there is a good chance that the tag will be used and/or cached by the Go package registry.
