Analyzers are shipped as Docker images to execute within a CI pipeline context. This guide describes development and testing practices across analyzers.
Shared modules
A number of Go modules are shared across analyzers for common behavior and interfaces:
- The `command` Go package implements a CLI interface.
- The `common` project provides miscellaneous shared modules for logging, certificate handling, and directory search capabilities.
- The `report` Go package's `Report` and `Finding` structs marshal JSON reports.
- The `template` project scaffolds new analyzers.
How to use the analyzers
Analyzers are shipped as Docker images. For example, to run the Semgrep Docker image to scan the working directory:
1. `cd` into the directory of the source code you want to scan.
2. Run `docker login registry.gitlab.com` and provide your username plus a personal or project access token with at least the `read_registry` scope.
3. Run the Docker image:

```shell
docker run \
  --interactive --tty --rm \
  --volume "$PWD":/tmp/app \
  --env CI_PROJECT_DIR=/tmp/app \
  -w /tmp/app \
  registry.gitlab.com/gitlab-org/security-products/analyzers/semgrep:latest /analyzer run
```

The Docker container generates a report in the mounted project directory with a report filename corresponding to the analyzer category. For example, SAST generates a file named `gl-sast-report.json`.
Analyzers development
To update the analyzer:
- Modify the Go source code.
- Build a new Docker image.
- Run the analyzer against its test project.
- Compare the generated report with what's expected.
Here's how to create a Docker image named `analyzer`:

```shell
docker build -t analyzer .
```

For example, to test Secret Detection run the following:

```shell
wget https://gitlab.com/gitlab-org/security-products/ci-templates/-/raw/master/scripts/compare_reports.sh
sh ./compare_reports.sh sd test/fixtures/gl-secret-detection-report.json test/expect/gl-secret-detection-report.json \
  | patch -Np1 test/expect/gl-secret-detection-report.json && git commit -m 'Update expectation' test/expect/gl-secret-detection-report.json
rm compare_reports.sh
```

You can also compile the binary for your own environment and run it locally, but `analyze` and `run` probably won't work since the runtime dependencies of the analyzer are missing.
Here's an example based on SpotBugs:

```shell
go build -o analyzer
./analyzer search test/fixtures
./analyzer convert test/fixtures/app/spotbugsXml.Xml > ./gl-sast-report.json
```
Execution criteria
Enabling SAST requires including a pre-defined template to your GitLab CI/CD configuration.
The following independent criteria determine which analyzer needs to be run on a project:
1. The SAST template uses `rules:exists` to determine which analyzer will be run based on the presence of certain files. For example, the Brakeman analyzer runs when there are `.rb` files and a `Gemfile`.
2. Each analyzer runs a customizable match interface before it performs the actual analysis. For example: Flawfinder checks for C/C++ files.
3. For some analyzers that run on generic file extensions, there is a check based on a CI/CD variable. For example: Kubernetes manifests are written in YAML, so Kubesec runs only when `SCAN_KUBERNETES_MANIFESTS` is set to `true`.

Step 1 helps prevent wasting CI/CD minutes that would be spent running analyzers not suitable for the project. However, due to technical limitations, it cannot be used for large projects. Therefore, step 2 acts as a final check to ensure a mismatched analyzer is able to exit early.
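The following is an added, stand-alone illustration of the in-analyzer match check (steps 2 and 3 above); it is not the shared `command` package or any analyzer's real matcher. The `ProjectMatcher` type, the `Brakeman` and `Kubesec` values and their walk-until-satisfied logic are assumptions made for this example; only the file criteria and the `SCAN_KUBERNETES_MANIFESTS` gate come from the page.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// ProjectMatcher (hypothetical) combines the two checks described above: a
// file-presence rule, as the SAST template's rules:exists expresses, and an
// optional CI/CD variable gate for analyzers whose file extensions are generic.
type ProjectMatcher struct {
	Name       string
	Extensions []string // at least one file with one of these suffixes must exist
	Filenames  []string // every one of these file names must exist in the tree
	GateVar    string   // if set, this CI/CD variable must equal "true"
}

var (
	// Brakeman runs when there are .rb files and a Gemfile.
	Brakeman = ProjectMatcher{Name: "brakeman", Extensions: []string{".rb"}, Filenames: []string{"Gemfile"}}
	// Kubesec cannot be selected by extension alone (YAML is generic), so a variable gates it.
	Kubesec = ProjectMatcher{Name: "kubesec", Extensions: []string{".yml", ".yaml"}, GateVar: "SCAN_KUBERNETES_MANIFESTS"}
)

// errDone is a sentinel used to stop the directory walk as soon as every criterion is met.
var errDone = errors.New("match satisfied")

// Match reports whether the analyzer should run on the project rooted at root,
// given the CI/CD variables in env. The gate is evaluated first and the walk
// stops at the first point where all criteria hold, so a mismatched analyzer
// spends as little time as possible before exiting early.
func (m ProjectMatcher) Match(root string, env map[string]string) (bool, error) {
	if m.GateVar != "" && env[m.GateVar] != "true" {
		return false, nil
	}
	extSeen := len(m.Extensions) == 0 // no extension rule means it is trivially satisfied
	needed := make(map[string]bool, len(m.Filenames))
	for _, f := range m.Filenames {
		needed[f] = true
	}
	err := filepath.WalkDir(root, func(_ string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil {
			return walkErr
		}
		if d.IsDir() {
			return nil
		}
		for _, ext := range m.Extensions {
			if strings.HasSuffix(d.Name(), ext) {
				extSeen = true
			}
		}
		delete(needed, d.Name())
		if extSeen && len(needed) == 0 {
			return errDone
		}
		return nil
	})
	if err != nil && !errors.Is(err, errDone) {
		return false, err
	}
	return extSeen && len(needed) == 0, nil
}

func main() {
	root := "."
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	env := map[string]string{}
	for _, kv := range os.Environ() {
		if parts := strings.SplitN(kv, "=", 2); len(parts) == 2 {
			env[parts[0]] = parts[1]
		}
	}
	for _, m := range []ProjectMatcher{Brakeman, Kubesec} {
		ok, err := m.Match(root, env)
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		fmt.Printf("%s: run=%v\n", m.Name, ok)
	}
}
```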
How to test the analyzers
Video walkthrough of how Dependency Scanning analyzers use the downstream pipeline feature to test analyzers with test projects:
Testing local changes
To test local changes in the shared modules (such as `command` or `report`) for an analyzer, you can use the `go mod replace` directive to load `command` with your local changes instead of using the version of `command` that has been tagged remotely. For example:

```shell
go mod edit -replace gitlab.com/gitlab-org/security-products/analyzers/command/v3=/local/path/to/command
```

Alternatively you can achieve the same result by manually updating the `go.mod` file:

```go
module gitlab.com/gitlab-org/security-products/analyzers/awesome-analyzer/v2

replace gitlab.com/gitlab-org/security-products/analyzers/command/v3 => /path/to/command

require (
  ...
  gitlab.com/gitlab-org/security-products/analyzers/command/v3 v2.19.0
)
```
Testing local changes in Docker
To use Docker with `replace` in the `go.mod` file:
1. Copy the contents of `command` into the directory of the analyzer: `cp -r /path/to/command path/to/analyzer/command`.
2. Add a copy statement in the analyzer's `Dockerfile`: `COPY command /command`.
3. Update the `replace` statement to make sure it matches the destination of the `COPY` statement in the step above: `replace gitlab.com/gitlab-org/security-products/analyzers/command/v3 => /command`.
Analyzer scripts
The analyzer-scripts repository contains scripts that can be used to interact with most analyzers. They enable you to build, run, and debug analyzers in a GitLab CI-like environment, and are particularly useful for locally validating changes to an analyzer.
For more information, refer to the project README.
Versioning and release process
Analyzers are independent projects that follow their own versioning. Patch version bumps tend to correspond to a Minor version bump of the underlying tools (for example `bandit`), allowing us greater flexibility in reserving Minor bumps for more significant changes to our scanners. In case of breaking changes imposed by the wrapped scanner, creating a new analyzer on a separate repository must be considered.
The analyzers are released as Docker images following this scheme:
- each push to the `master` branch will override the `edge` image tag
- each push to any `awesome-feature` branch will generate a matching `awesome-feature` image tag
- each Git tag will generate the corresponding `Major.Minor.Patch` image tag. A manual job allows overriding the corresponding `Major` and the `latest` image tags to point to this `Major.Minor.Patch`.
To release a new analyzer Docker image, there are two different options:
- Manual release process
- Automatic release process
Manual release process
1. Ensure that the `CHANGELOG.md` entry for the new analyzer is correct.
2. Ensure that the release source (typically the `master` or `main` branch) has a passing pipeline.
3. Create a new release for the analyzer project by selecting the Deployments menu on the left-hand side of the project window, then selecting the Releases sub-menu.
4. Select New release to open the New Release page.
5. In the Tag name drop down, enter the same version used in the `CHANGELOG.md`, for example `v2.4.2`, and select the option to create the tag (Create tag `v2.4.2` here).
6. In the Release title text box enter the same version used above, for example `v2.4.2`.
7. In the Release notes text box, copy and paste the notes from the corresponding version in the `CHANGELOG.md`.
8. Leave all other settings as the default values.
9. Select Create release.

After following the above process and creating a new release, a new Git tag is created with the Tag name provided above. This triggers a new pipeline with the given tag version, and a new analyzer Docker image is built.
If the analyzer uses the `analyzer.yml` template, then the pipeline triggered as part of the New release process above automatically tags and deploys a new version of the analyzer Docker image.
If the analyzer does not use the `analyzer.yml` template, you'll need to manually tag and deploy a new version of the analyzer Docker image:
1. Select the CI/CD menu on the left-hand side of the project window, then select the Pipelines sub-menu.
2. A new pipeline should currently be running with the same tag used previously, for example `v2.4.2`.
3. After the pipeline has completed, it will be in a `blocked` state.
4. Select the Manual job play button on the right-hand side of the window and select `tag version` to tag and deploy a new version of the analyzer Docker image.

Use your best judgment to decide when to create a Git tag, which will then trigger the release job. If you can't decide, then ask for others' input.
Automatic release process
The following must be performed before the automatic release process can be used:
1. Configure `CREATE_GIT_TAG: true` as a CI/CD environment variable.
2. Check the Variables in the CI/CD project settings. Unless the project already inherits the `GITLAB_TOKEN` environment variable from the project group, create a project access token with complete read/write access to the API and configure `GITLAB_TOKEN` as a CI/CD environment variable which refers to this token.
After the above steps have been completed, the automatic release process executes as follows:
1. A project maintainer merges an MR into the default branch.
2. The default pipeline is triggered, and the `upsert git tag` job is executed.
   - If the most recent version in the `CHANGELOG.md` matches one of the Git tags, the job is a no-op.
   - Else, this job automatically creates a new release and Git tag using the releases API. The version and message are obtained from the most recent entry in the `CHANGELOG.md` file for the project.
3. A pipeline is automatically triggered for the new Git tag. This pipeline releases the `latest`, `major`, `minor` and `patch` Docker images of the analyzer.
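As an added example (not the real `upsert git tag` job or any GitLab code), the following program models the decision that job makes and the image tags the follow-up pipeline produces. It assumes, which the page does not state, that each `CHANGELOG.md` entry begins with a `## vMAJOR.MINOR.PATCH` heading with the most recent entry first, and that image tags drop the `v` prefix; it only plans the release and never calls the releases API.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"os"
	"regexp"
	"strings"
)

// versionHeading matches an entry heading such as "## v2.4.2" (assumed format).
var versionHeading = regexp.MustCompile(`^## (v\d+\.\d+\.\d+)\s*$`)

// LatestChangelogEntry returns the version and notes of the most recent entry,
// which is the first version heading in the file and the lines under it.
func LatestChangelogEntry(changelog string) (version, notes string, ok bool) {
	sc := bufio.NewScanner(strings.NewReader(changelog))
	var body []string
	for sc.Scan() {
		line := sc.Text()
		if m := versionHeading.FindStringSubmatch(line); m != nil {
			if version != "" {
				break // the next heading starts the previous release's entry
			}
			version = m[1]
			continue
		}
		if version != "" {
			body = append(body, line)
		}
	}
	return version, strings.TrimSpace(strings.Join(body, "\n")), version != ""
}

// ReleaseAction is the outcome of the upsert step: either a no-op for an
// already-tagged version, or a release to create with its tag and message.
type ReleaseAction struct {
	Create  bool
	Tag     string
	Message string
}

// PlanRelease is a no-op when the latest changelog version already has a Git
// tag; otherwise it plans a release whose tag and message come from that entry.
func PlanRelease(changelog string, existingTags []string) (ReleaseAction, error) {
	version, notes, ok := LatestChangelogEntry(changelog)
	if !ok {
		return ReleaseAction{}, errors.New("no version heading found in CHANGELOG.md")
	}
	for _, t := range existingTags {
		if t == version {
			return ReleaseAction{Tag: version}, nil
		}
	}
	return ReleaseAction{Create: true, Tag: version, Message: notes}, nil
}

// ImageTags lists the latest, major, minor and patch image tags for a release
// tag, e.g. v2.4.2 -> latest, 2, 2.4, 2.4.2 (the v-less form is an assumption).
func ImageTags(version string) []string {
	parts := strings.Split(strings.TrimPrefix(version, "v"), ".")
	tags := []string{"latest"}
	for i := range parts {
		tags = append(tags, strings.Join(parts[:i+1], "."))
	}
	return tags
}

func main() {
	if len(os.Args) < 2 {
		fmt.Fprintln(os.Stderr, "usage: upsert-plan CHANGELOG.md [existing-tag ...]")
		os.Exit(2)
	}
	data, err := os.ReadFile(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	action, err := PlanRelease(string(data), os.Args[2:])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	if !action.Create {
		fmt.Printf("tag %s already exists: no-op\n", action.Tag)
		return
	}
	fmt.Printf("would create release %s (images: %s)\n%s\n",
		action.Tag, strings.Join(ImageTags(action.Tag), ", "), action.Message)
}
```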
Steps to perform after releasing an analyzer
After a new version of the analyzer Docker image has been tagged and deployed, please test it with the corresponding test project.
Announce the release on the relevant group Slack channel. Example message:

```plaintext
FYI I've just released ANALYZER_NAME ANALYZER_VERSION. LINK_TO_RELEASE
```

Never delete a Git tag that has been pushed, as there is a good chance that the tag will be used and/or cached by the Go package registry.