# Static Application Security Testing with GitLab CI/CD

NOTE: **Note:**
In order to use this tool, a [GitLab Ultimate][ee] license
is needed.

This example shows how to run
[Static Application Security Testing (SAST)](https://en.wikipedia.org/wiki/Static_program_analysis)
on your project's source code by using GitLab CI/CD.

First, you need a GitLab Runner with the [docker-in-docker executor](https://docs.gitlab.com/ee/ci/docker/using_docker_build.html#use-docker-in-docker-executor).
You can then add a new job to `.gitlab-ci.yml`, called `sast`:

```yaml
# The YAML anchor has to be defined before it is referenced with `*functions`,
# so the helper functions come first and the job that uses them follows.
.functions: &functions |
  # Variables and functions

  # Point the Docker client at the docker:dind service when running on Kubernetes
  function setup_docker() {
    if ! docker info &>/dev/null; then
      if [ -z "$DOCKER_HOST" -a "$KUBERNETES_PORT" ]; then
        export DOCKER_HOST='tcp://localhost:2375'
      fi
    fi
  }

  # Run the SAST image that matches the GitLab server version and write gl-sast-report.json
  function sast() {
    case "$CI_SERVER_VERSION" in
      *-ee)
        # Extract "MAJOR.MINOR" from CI_SERVER_VERSION and generate "MAJOR-MINOR-stable"
        SAST_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')

        docker run --env SAST_CONFIDENCE_LEVEL="${SAST_CONFIDENCE_LEVEL:-3}" \
                   --env SAST_DISABLE_REMOTE_CHECKS="${SAST_DISABLE_REMOTE_CHECKS:-false}" \
                   --volume "$PWD:/code" \
                   --volume /var/run/docker.sock:/var/run/docker.sock \
                   "registry.gitlab.com/gitlab-org/security-products/sast:$SAST_VERSION" /app/bin/run /code
        ;;
      *)
        echo "GitLab Enterprise Edition is required"
        ;;
    esac
  }

before_script:
  - *functions

# The job must be named `sast` and keep the `gl-sast-report.json` artifact path
# for the results to appear in the merge request widget.
sast:
  image: docker:latest
  variables:
    DOCKER_DRIVER: overlay2
  allow_failure: true   # a scanner failure does not block the pipeline
  services:
    - docker:dind
  script:
    - setup_docker
    - sast
  artifacts:
    paths: [gl-sast-report.json]
```

The above example will create a `sast` job in your CI pipeline and will allow
you to download and analyze the report artifact in JSON format. Check the
[Auto-DevOps template](https://gitlab.com/gitlab-org/gitlab-ci-yml/blob/master/Auto-DevOps.gitlab-ci.yml)
for a full reference.

The results are sorted by the priority of the vulnerability:

1. High
1. Medium
1. Low
1. Unknown
1. Everything else
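A small consumer of the report artifact, added here as an example and not part of GitLab's own tooling: it reads `gl-sast-report.json`, orders findings in the priority order listed above, and returns the findings at or above a chosen threshold so a later pipeline job can fail on them. The finding field names (`priority`, `tool`, `message`, `file`, `line`) and the sample report are assumptions constructed for this example.

```python
import json
import sys
from typing import Dict, List

# Priority order the page describes: High, Medium, Low, Unknown, then everything else.
PRIORITY_ORDER: Dict[str, int] = {"High": 0, "Medium": 1, "Low": 2, "Unknown": 3}
OTHER_RANK = len(PRIORITY_ORDER)

# Constructed sample of a gl-sast-report.json artifact. The field names
# (priority, tool, message, file, line) are assumptions made for this example.
SAMPLE_REPORT = json.dumps([
    {"priority": "Low", "tool": "brakeman", "message": "Mass assignment", "file": "app/models/user.rb", "line": 12},
    {"priority": "High", "tool": "bandit", "message": "Use of exec", "file": "tasks.py", "line": 40},
    {"priority": "Info", "tool": "gosec", "message": "Errors unhandled", "file": "main.go", "line": 7},
    {"tool": "bandit", "message": "Hardcoded password", "file": "settings.py", "line": 3},
    {"priority": "Medium", "tool": "brakeman", "message": "SQL injection", "file": "app/models/post.rb", "line": 55},
])

def priority_rank(finding: dict) -> int:
    """Map a finding to its sort rank; a missing priority is treated as Unknown."""
    return PRIORITY_ORDER.get(finding.get("priority") or "Unknown", OTHER_RANK)

def load_report(text: str) -> List[dict]:
    """Parse the artifact and reject anything that is not an array of finding objects."""
    data = json.loads(text)
    if not isinstance(data, list) or not all(isinstance(f, dict) for f in data):
        raise ValueError("gl-sast-report.json must be a JSON array of finding objects")
    return data

def sort_findings(findings: List[dict]) -> List[dict]:
    """Order findings by priority, then by file and line so the listing is stable."""
    return sorted(findings, key=lambda f: (priority_rank(f), f.get("file", ""), f.get("line", 0)))

def blocking_findings(findings: List[dict], threshold: str = "High") -> List[dict]:
    """Findings at or above the threshold priority, e.g. to fail a later pipeline job."""
    limit = PRIORITY_ORDER[threshold]
    return [f for f in sort_findings(findings) if priority_rank(f) <= limit]

def main(argv: List[str]) -> int:
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    findings = sort_findings(load_report(text))
    for f in findings:
        print(f"{f.get('priority', 'Unknown'):8} {f.get('tool', '?'):9} {f.get('file')}:{f.get('line')}  {f.get('message')}")
    return 1 if blocking_findings(findings, "Medium") else 0  # non-zero exit fails the job

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python sast_gate.py gl-sast-report.json` in a job that depends on the `sast` job's artifact; with no argument it processes the constructed sample.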

Behind the scenes, the [GitLab SAST Docker image](https://gitlab.com/gitlab-org/security-products/sast)
is used to detect the languages/frameworks and in turn runs the matching scan tools.

Some security scanners need to send a list of project dependencies to GitLab's
central servers to check them for known vulnerabilities. To learn more about this or to
disable it, check the [GitLab SAST tool documentation](https://gitlab.com/gitlab-org/security-products/sast#remote-checks).

TIP: **Tip:**
Starting with [GitLab Ultimate][ee] 10.3, this information will
be automatically extracted and shown right in the merge request widget. To do
so, the CI job must be named `sast` and the artifact path must be
`gl-sast-report.json`.
[Learn more on application security testing results shown in merge requests](../../user/project/merge_requests/sast.md).

## Supported languages and frameworks

See [the full list of supported languages and frameworks](../../user/project/merge_requests/sast.md#supported-languages-and-frameworks).

[ee]: https://about.gitlab.com/products/