The static analysis of security vulnerabilities

Static Application Security Testing (SAST) analyzes source code or binaries to find vulnerabilities and weak points before the code ever runs. Automating it as part of the pipeline is a step towards DevSecOps, where security testing and awareness are part of the DevOps life cycle rather than a separate phase at the end.

GitLab, in its Ultimate license tier, provides this automated testing as part of the development of your application.

At the time of writing (GitLab 11.7, the version used in the run below), the following languages and frameworks are supported:

Language/Framework           Scan tool
.NET                         Security Code Scan
C/C++                        Flawfinder
Go                           gosec
Groovy (Gradle and Grails)   find-sec-bugs
Java (Maven and Gradle)      find-sec-bugs
JavaScript                   ESLint security plugin
Node.js                      NodeJsScan
PHP                          phpcs-security-audit
Python                       bandit
Ruby on Rails                brakeman
Scala (sbt)                  find-sec-bugs
TypeScript                   TSLint Config Security


First, you need a GitLab Runner with a Docker executor that can run Docker-in-Docker.

This is a normal Docker executor, but its containers run in privileged mode. A privileged container can start its own Docker daemon and therefore run containers itself. Be aware of what that grants: a privileged container is not isolated from the host in any meaningful way, so a job on such a runner can effectively get root on the runner machine. Dedicate privileged runners to projects you trust, and do not share them with arbitrary forks or untrusted contributors.

You enable this functionality by editing the GitLab Runner configuration file (config.toml) so that the Docker section contains privileged = true, and then restarting the runner. The relevant part of the file looks like this:

[[runners]]
  executor = "docker"
  [runners.docker]
    privileged = true

Secondly, you need a specific job in the .gitlab-ci.yml at the root of your GitLab project to make the actual coupling, as shown in the following snippet:

sast:
  image: docker:stable
  variables:
    DOCKER_DRIVER: overlay2
  allow_failure: true
  services:
    - docker:stable-dind
  script:
    - export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
    - docker run
        --env SAST_CONFIDENCE_LEVEL="${SAST_CONFIDENCE_LEVEL:-3}"
        --volume "$PWD:/code"
        --volume /var/run/docker.sock:/var/run/docker.sock
        "registry.gitlab.com/gitlab-org/security-products/sast:$SP_VERSION" /app/bin/run /code
  artifacts:
    reports:
      sast: gl-sast-report.json

A few points about this job are worth understanding. The docker:stable-dind service is the Docker daemon the job talks to, which is why the runner must be privileged. The sed expression turns the GitLab version in CI_SERVER_VERSION into the tag of the matching scanner image, so 11.7.0 becomes 11-7-stable; keeping the scanner in step with the GitLab version is what makes the report format compatible with the server. Mounting /var/run/docker.sock into the scanner container lets the orchestrator image start one container per analyzer, which also means that container has full control of the Docker daemon. SAST_CONFIDENCE_LEVEL filters findings below a minimum confidence; the default of 3 is the highest of the three levels, so only findings the analyzers are confident about are reported. allow_failure: true means the pipeline stays green whatever the scanner finds, so on its own this job informs rather than blocks. Finally, artifacts:reports:sast tells GitLab to treat gl-sast-report.json as a security report rather than as a plain file.

As an example, we imported the deliberately vulnerable JavaVulnerableLab project from https://github.com/CSPF-Founder/JavaVulnerableLab into our own GitLab project and added the .gitlab-ci.yml above to run a scan. When the code was pushed, the job started and prepared for the scan:

Running with gitlab-runner 11.7.0 (8bb608ff)
  on Joosts-MBP.fritz.box gGEycKK-
Using Docker executor with image docker:stable ...
Starting service docker:stable-dind ...
Pulling docker image docker:stable-dind ...
Using docker image sha256:5b626cc3459ad077146e8aac1fbe25f7099d71c6765efd6552b9209ca7ea4dc1 for docker:stable-dind ...
Waiting for services to be up and running...
Pulling docker image docker:stable ...
Using docker image sha256:73d492654a095a2f91078b2dfacd0cfe1a1fe25412fac54b4eb2f5a9609ad418 for docker:stable ...
section_start:1550847640:prepare_script
Running on runner-gGEycKK--project-1-concurrent-0 via Joosts-MBP.fritz.box...
section_end:1550847642:prepare_script
section_start:1550847642:get_sources

In the next stage, the repository containing the code to be scanned is cloned, and the two script lines from the job are executed:

Cloning repository...
Cloning into '/builds/mastering_gitlab/JavaVulnerableLab'...
Checking out 157b6e94 as master...
Skipping Git submodules setup
section_end:1550847644:get_sources
section_start:1550847644:restore_cache
section_end:1550847646:restore_cache
section_start:1550847646:download_artifacts
section_end:1550847647:download_artifacts
section_start:1550847647:build_script
$ export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
$ docker run --env SAST_CONFIDENCE_LEVEL="${SAST_CONFIDENCE_LEVEL:-3}" --volume "$PWD:/code" --volume /var/run/docker.sock:/var/run/docker.sock "registry.gitlab.com/gitlab-org/security-products/sast:$SP_VERSION" /app/bin/run /code

In the next step, docker run looks for the scanner image with the computed tag (11-7-stable, matching the GitLab 11.7 server). It is not present locally, so it is pulled from registry.gitlab.com:

Unable to find image 'registry.gitlab.com/gitlab-org/security-products/sast:11-7-stable' locally
11-7-stable: Pulling from gitlab-org/security-products/sast
3f0edbe59eaa: Pulling fs layer
3f0edbe59eaa: Download complete
3f0edbe59eaa: Pull complete
Digest: sha256:d31cbb2bfd200b60543ef99fa03638c2335a52597e0966b7347f896dbe4e78e7
Status: Downloaded newer image for registry.gitlab.com/gitlab-org/security-products/sast:11-7-stable

After the image has been pulled, the orchestrator copies the project into its working directory and probes each analyzer in turn for compatibility. Only find-sec-bugs recognizes the Maven project, so it is the one that gets started:

2019/02/22 15:00:52 Copy project directory to containers
2019/02/22 15:00:52 [bandit] Detect project using plugin
2019/02/22 15:00:52 [bandit] Project not compatible
2019/02/22 15:00:52 [brakeman] Detect project using plugin
2019/02/22 15:00:52 [brakeman] Project not compatible
2019/02/22 15:00:52 [gosec] Detect project using plugin
2019/02/22 15:00:52 [gosec] Project not compatible
2019/02/22 15:00:52 [find-sec-bugs] Detect project using plugin
2019/02/22 15:00:52 [find-sec-bugs] Project is compatible
2019/02/22 15:00:52 [find-sec-bugs] Starting analyzer...

The find-sec-bugs analyzer first builds the project with Maven, which pulls the dependencies from Maven Central. In this run the build finished at 15:24, about 24 minutes after the scan started, and the tail of the build log looked like this:

Downloaded from central: https://repo.maven.apache.org/maven2/com/google/collections/google-collections/1.0/google-collections-1.0.jar (640 kB at 882 kB/s)
[INFO] Changes detected - recompiling the module!
[WARNING] File encoding has not been set, using platform encoding UTF-8, i.e. build is platform dependent!
[INFO] Compiling 15 source files to /tmp/app/target/classes
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 11.988 s
[INFO] Finished at: 2019-02-22T15:24:25Z
[INFO] ------------------------------------------------------------------------

Once find-sec-bugs reports how many warnings it generated, the orchestrator carries on probing the remaining analyzers for compatibility. None of them match a Maven project, so they are skipped:

Warnings generated: 49
2019/02/22 15:24:33 [find-sec-bugs-gradle] Detect project using plugin
2019/02/22 15:24:33 [find-sec-bugs-gradle] Project not compatible
2019/02/22 15:24:33 [find-sec-bugs-sbt] Detect project using plugin
2019/02/22 15:24:33 [find-sec-bugs-sbt] Project not compatible
2019/02/22 15:24:33 [find-sec-bugs-groovy] Detect project using plugin
2019/02/22 15:24:33 [find-sec-bugs-groovy] Project not compatible
2019/02/22 15:24:33 [flawfinder] Detect project using plugin
2019/02/22 15:24:33 [flawfinder] Project not compatible
2019/02/22 15:24:33 [phpcs-security-audit] Detect project using plugin
2019/02/22 15:24:33 [phpcs-security-audit] Project not compatible
2019/02/22 15:24:33 [security-code-scan] Detect project using plugin
2019/02/22 15:24:33 [security-code-scan] Project not compatible
2019/02/22 15:24:33 [nodejs-scan] Detect project using plugin
2019/02/22 15:24:33 [nodejs-scan] Project not compatible

You should now see a report of the findings printed as a table like the following (abbreviated here; the full table lists all 49 warnings):

+----------+--------------------+-------------------------------------------------------------------------+
| Severity | Tool               | Location                                                                |
+----------+--------------------+-------------------------------------------------------------------------+
| High     | Find Security Bugs | src/main/java/org/cysecurity/cspf/jvl/controller/LoginValidator.java:64 |
|          | HTTP cookie formed from untrusted input                                                      |
+----------+--------------------+-------------------------------------------------------------------------+
| High     | Find Security Bugs | src/main/java/org/cysecurity/cspf/jvl/controller/AddPage.java:45        |
|          | Relative path traversal in servlet                                                           |
+----------+--------------------+-------------------------------------------------------------------------+

The report itself is written to gl-sast-report.json and uploaded as a job artifact, which is the file the artifacts:reports:sast entry in .gitlab-ci.yml refers to:

Uploading artifacts...
gl-sast-report.json: found 1 matching files
Uploading artifacts to coordinator... ok id=4 responseStatus=201 Created token=Sy_pRf1e
Job succeeded

Note that the job succeeded even though 49 warnings were generated: because of allow_failure: true, the findings never fail the pipeline. They are only visible in the uploaded report and in the places GitLab renders it, such as the merge request security widget.

Essentially, the SAST job hands your code to an orchestrator container delivered by GitLab, which detects which analyzers apply to the project and runs only those, looking for security hazards in the code. After scanning, the findings are available as a report artifact.
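Since the job runs with allow_failure: true, nothing on the page stops a merge when find-sec-bugs reports High findings. The following script is an added example, not part of the book and not part of GitLab's SAST tooling: it reads gl-sast-report.json and exits non-zero when findings at or above a chosen severity exceed an allowance, so it can run as a gate in a later stage of the same pipeline. It assumes the report's documented field names (severity, message, scanner.name, location.file, location.start_line) and accepts both the bare JSON array shape of older reports and the versioned {"version": ..., "vulnerabilities": [...]} shape. The embedded sample report is constructed for this example; its first two entries reproduce the two findings from the table above, the other two are invented.

```python
"""Gate a pipeline on the contents of a GitLab SAST report (added example).

Reads gl-sast-report.json, counts findings by severity and exits 1 when the
number of findings at or above a severity floor exceeds the allowed number.
Field names follow GitLab's documented SAST report layout (assumption).
"""
import json
import sys
from collections import Counter

# Severity labels used by GitLab security reports, ordered from least to most severe.
SEVERITY_RANK = {"Unknown": 0, "Info": 1, "Low": 2, "Medium": 3, "High": 4, "Critical": 5}


def load_vulnerabilities(text):
    """Return the list of findings from either report shape:
    a bare JSON array (older 11.x reports) or an object with a
    'vulnerabilities' key (versioned reports)."""
    data = json.loads(text)
    if isinstance(data, list):
        return data
    if isinstance(data, dict):
        return data.get("vulnerabilities", [])
    raise ValueError("unrecognised SAST report shape")


def severity_of(finding):
    """Severity rank of a finding; labels outside the known set count as Unknown."""
    return SEVERITY_RANK.get(finding.get("severity", "Unknown"), 0)


def summarise(vulns):
    """Count findings per severity label (unknown labels are folded into 'Unknown')."""
    counts = Counter()
    for v in vulns:
        sev = v.get("severity", "Unknown")
        counts[sev if sev in SEVERITY_RANK else "Unknown"] += 1
    return dict(counts)


def findings_at_or_above(vulns, floor="High"):
    """Findings whose severity is at least `floor`, worst first."""
    floor_rank = SEVERITY_RANK[floor]
    hits = [v for v in vulns if severity_of(v) >= floor_rank]
    hits.sort(key=lambda v: -severity_of(v))
    return hits


def format_finding(v):
    """One report line: severity, tool, file:line and the analyzer's message."""
    loc = v.get("location", {})
    where = f"{loc.get('file', '?')}:{loc.get('start_line', '?')}"
    tool = v.get("scanner", {}).get("name") or v.get("tool", "?")
    return f"{v.get('severity', 'Unknown'):8} {tool:20} {where}  {v.get('message', '')}"


def gate(text, floor="High", max_allowed=0):
    """Return (exit_code, lines). exit_code is 1 when more than `max_allowed`
    findings sit at or above `floor`, 0 otherwise."""
    hits = findings_at_or_above(load_vulnerabilities(text), floor)
    lines = [format_finding(v) for v in hits]
    return (0 if len(hits) <= max_allowed else 1), lines


# Constructed sample report in the documented field layout. The first two
# entries reproduce the findings from the table above; the rest are invented.
SAMPLE_REPORT = json.dumps({
    "version": "2.0",
    "vulnerabilities": [
        {"category": "sast", "severity": "High", "confidence": "High",
         "message": "HTTP cookie formed from untrusted input",
         "scanner": {"id": "find_sec_bugs", "name": "Find Security Bugs"},
         "location": {"file": "src/main/java/org/cysecurity/cspf/jvl/controller/LoginValidator.java",
                      "start_line": 64}},
        {"category": "sast", "severity": "High", "confidence": "High",
         "message": "Relative path traversal in servlet",
         "scanner": {"id": "find_sec_bugs", "name": "Find Security Bugs"},
         "location": {"file": "src/main/java/org/cysecurity/cspf/jvl/controller/AddPage.java",
                      "start_line": 45}},
        {"category": "sast", "severity": "Medium", "confidence": "Medium",
         "message": "Invented finding: predictable pseudorandom number generator",
         "scanner": {"id": "find_sec_bugs", "name": "Find Security Bugs"},
         "location": {"file": "src/main/java/Example.java", "start_line": 10}},
        {"category": "sast", "severity": "Info",
         "message": "Invented finding: informational note",
         "scanner": {"id": "find_sec_bugs", "name": "Find Security Bugs"},
         "location": {"file": "src/main/java/Example.java", "start_line": 20}},
    ],
})

if __name__ == "__main__":
    # Usage: python sast_gate.py [gl-sast-report.json]; without a path the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    code, lines = gate(text, floor="High", max_allowed=0)
    print("\n".join(lines) or "no findings at or above threshold")
    sys.exit(code)
```

Run it as python sast_gate.py gl-sast-report.json from a job in a later stage than sast (artifacts of earlier stages are available to later jobs by default). Against the embedded sample it prints the two High findings and exits 1, because the default allowance is zero; raising max_allowed or lowering the floor to Medium is how you tune the gate for a legacy code base while still refusing new Critical findings.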
