GitLab Advanced SAST is now generally available

We’re excited to announce that our Advanced Static Application Security Testing (SAST) scanner is now generally available for all GitLab Ultimate customers.

Advanced SAST is a new scanner powered by the technology we acquired from Oxeye earlier this year. It uses a proprietary detection engine with rules informed by in-house security research to identify exploitable vulnerabilities in first-party code. It delivers more accurate results so developers and security teams don’t have to sort through the noise of false-positive results.

Unlike other stand-alone security scanners, Advanced SAST is natively built into the GitLab DevSecOps platform, providing a developer experience free from the overhead that comes with integrating multiple point solutions. Using taint analysis, relevant context is surfaced to help developers remediate vulnerabilities within their existing workflow to maximize development velocity and application security.

This new scanner will work alongside our existing platform capabilities so developers and application security (AppSec) teams have the most comprehensive set of tools to ship more secure software, faster.

Applications are being developed faster but remain vulnerable

The pace of application development continues to accelerate, but remains a common attack vector for threat actors. Our recent Global DevSecOps Report found that 66% of companies are releasing software twice as fast — or faster — than in previous years, as businesses strive to deliver more value to their customers than competitors.

However, speed introduces risk. Last year alone, 80% of the top data breaches stemmed from attacks at the application layer.

These two data points paint a clear picture: Application security tools must be built into existing developer workflows so businesses can stay competitive and secure.

What are SAST and Advanced SAST?

SAST is a widely adopted method for improving application security by scanning first-party source code to identify vulnerabilities, such as SQL injections or cross-site scripting, before they reach production. Unlike its dynamic counterpart, DAST, SAST scans code without executing it and is performed early in the software development lifecycle (SDLC). This proactive approach integrates security into the development process from the outset, significantly lowering the risk of future breaches.

Check out this step-by-step tutorial to put Advanced SAST to work in your environment.

Fewer false positives with contextual remediation

The integration of Oxeye’s technology into our platform means we’re able to provide a SAST solution AppSec teams can trust, built into the same GitLab platform developers love. Here’s how we’re able to do that and what it means for our customers:

Less time triaging vulnerabilities and more time launching features

• Our proprietary detection engine uses cross-function, cross-file taint analysis with rules informed by in-house security research to surface truly exploitable vulnerabilities and improve scan accuracy — that means lower false-positive rates.

Faster remediation with richer context

• Advanced SAST helps developers remediate security vulnerabilities by providing important context such as threat details and the path a vulnerability takes through a program. And, it’s integrated with GitLab Duo Enterprise AI to help developers understand and resolve vulnerabilities faster. AppSec teams can also scale their expertise by integrating third-party security training right into the GitLab platform.

Security built into developer workflows

• Integrated into the SDLC is not the same as built into the SDLC. Advanced SAST is a native component of our platform, ensuring security is incorporated within existing developer workflows. With a unified solution to manage the entire SDLC, developers can identify, prioritize, and remediate vulnerabilities without disrupting their flow.

Here is an example of the findings of an Advanced SAST scan:

What to know about the Advanced SAST rollout

If you’re already using GitLab SAST, we want to ensure you have the chance to coordinate the rollout of Advanced SAST.

Here are key points:

• Advanced SAST scanning is available in GitLab 17.3 or newer, but it’s disabled by default so you can choose when to make the switch. You can enable Advanced SAST for the languages it supports across projects, groups, or your entire instance.
• GitLab 17.4 includes helpful features that make it easier to switch to Advanced SAST, including a new vulnerability code flow view and automatic translation from existing vulnerability records.
• We plan to enable Advanced SAST by default in a future release, no later than GitLab 18.0. We’ll announce the final timeline and details soon.

For the latest updates on how to upgrade to Advanced SAST, check the Advanced SAST documentation. We also have a walkthrough in the video below:

What’s next for SAST

Looking ahead, we’re already working on new features and improvements to help teams write more secure software together, faster. We’re particularly focused on:

• Upgrading more languages to Advanced SAST, like PHP, Ruby, C, and C++, so more teams can benefit from more accurate vulnerability findings and cross-file, cross-function scanning.
• Real-time SAST scanning in the IDE, so developers can write more secure code as they’re programming – before they even commit or push.
• Incremental scanning, analyzing only modified code so developers can quickly identify vulnerabilities without waiting on full-repository scans.

If you’re an existing GitLab Ultimate customer and would like to learn more about how Advanced SAST can help improve your application security program, visit our Advanced SAST documentation where we cover implementation requirements, use cases, and more.

Disclaimer: This blog contains information related to upcoming products, features, and functionality. It is important to note that the information in this blog post is for informational purposes only. Please do not rely on this information for purchasing or planning purposes. As with all projects, the items mentioned in this blog and linked pages are subject to change or delay. The development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab.