
Static Application Security Testing (SAST) | GitLab Docs
GitLab SAST supports scanning the following languages and frameworks. The available scanning options depend on the GitLab tier; in Ultimate, GitLab Advanced SAST provides more accurate results.
Infrastructure as Code scanning | GitLab Docs
Infrastructure as Code (IaC) scanning runs in your CI/CD pipeline, checking your infrastructure definition files for known vulnerabilities. Identify vulnerabilities before they’re committed to the default branch to proactively address the risk to your application.
Application security | GitLab Docs
Build security into your development process with GitLab security scanning capabilities. Identify and address vulnerabilities early in your development lifecycle, before they reach production environments.
Detect | GitLab Docs
Scan your project’s repository and test your application’s behavior for vulnerabilities. Repository scanning can detect vulnerabilities in your project’s repository; coverage includes your application’s source code as well as the libraries and container images it depends on.
Container Scanning | GitLab Docs
GitLab offers both Container Scanning and Dependency Scanning to ensure coverage for all these dependency types. To cover as much of your risk area as possible, we encourage you to use all the security scanners.
Dependency Scanning | GitLab Docs
GitLab offers both Dependency Scanning and Container Scanning to ensure coverage for all of these dependency types. To cover as much of your risk area as possible, we encourage you to use all of our security scanners.
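The snippets above recommend enabling every scanner rather than one. As an added example (not taken from the GitLab documentation page itself), this is a minimal `.gitlab-ci.yml` that includes the built-in SAST, IaC, Dependency Scanning and Container Scanning templates; the template paths are the `Jobs/` templates GitLab ships, and the `CS_IMAGE` value is an assumption that points Container Scanning at the image this pipeline would build and push in an earlier stage.

```yaml
# Added example: enable all four repository/container scanners via GitLab's
# built-in templates. Each template adds its own job(s) in the "test" stage
# and uploads a security report artifact that GitLab merges into the
# merge request widget and vulnerability report.
stages:
  - build
  - test

include:
  - template: Jobs/SAST.gitlab-ci.yml                 # source code
  - template: Jobs/SAST-IaC.gitlab-ci.yml             # Terraform, Kubernetes, etc.
  - template: Jobs/Dependency-Scanning.gitlab-ci.yml  # lockfiles / package manifests
  - template: Jobs/Container-Scanning.gitlab-ci.yml   # OS packages in the built image

variables:
  # Assumption: a "build" job (not shown) pushes this tag before the
  # container_scanning job runs; without an image to pull, that job has
  # nothing to scan.
  CS_IMAGE: "$CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA"
```

The included jobs only run when the template's own rules detect relevant files (for example, a supported lockfile for Dependency Scanning), so a pipeline with all four includes is not four guaranteed jobs; check the pipeline's job list once to confirm each scanner actually ran against your repository.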
Continuous Vulnerability Scanning | GitLab Docs
Continuous Vulnerability Scanning triggers scans on all projects that contain components with supported package types, so new vulnerabilities can be reported outside of a pipeline run. Vulnerabilities created by Continuous Vulnerability Scanning use GitLab SBoM Vulnerability Scanner as the scanner name.
Code Quality | GitLab Docs
For example, you can run a code linter to scan your code along with a language linter to scan your documentation, or you can use a standalone tool along with CodeClimate-based scanning. Code Quality combines all of the reports so you see all of them when you view results.
Configure CodeClimate-based Code Quality scanning (deprecated) …
Code Quality includes a built-in CI/CD template, Code-Quality.gitlab-ci.yml. This template runs a scan based on the open source CodeClimate scanning engine. The CodeClimate engine runs basic maintainability checks for a set of supported languages, plus a configurable set of plugins that wrap open source scanners to analyze your source code.
Security scanner integration | GitLab Docs
Integrating a security scanner into GitLab consists of providing end users with a CI/CD job definition they can add to their CI/CD configuration files to scan their GitLab projects. This job should then output its results in a GitLab-specified format.
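The integration pattern described above has two halves: a job users can add to their pipeline, and a report in the GitLab-specified format that GitLab picks up as a report artifact. As an added example (not part of the GitLab documentation page, and not an official integration), this job wraps a hypothetical scanner image and CLI, `registry.example.com/acme/scanner` with a `--format gitlab` flag, which are assumptions; the real part is the `artifacts:reports:sast` key, which is how GitLab learns that `gl-sast-report.json` is a SAST report to ingest.

```yaml
# Added example: a third-party SAST scanner packaged as a GitLab CI job.
# Everything about the scanner itself (image, CLI flags) is hypothetical;
# the artifacts:reports:sast declaration is the GitLab-specified hook.
acme-sast:
  stage: test
  image: registry.example.com/acme/scanner:1.0   # assumption: vendor image
  variables:
    ACME_REPORT: gl-sast-report.json
  script:
    # assumption: the scanner can emit GitLab's security report JSON directly.
    # Exit code is forced to 0 so findings fail nothing by themselves; GitLab
    # surfaces them in the MR widget and approval policies decide what blocks.
    - acme-scan --format gitlab --output "$ACME_REPORT" . || true
    - test -s "$ACME_REPORT"   # fail the job if no report was produced
  artifacts:
    reports:
      sast: $ACME_REPORT
    paths:
      - $ACME_REPORT           # keep a downloadable copy for debugging
    when: always
  rules:
    - if: $CI_COMMIT_BRANCH
    - if: $CI_MERGE_REQUEST_IID
```

Two practitioner checks when building an integration like this: make sure the report validates against the security report schema for the GitLab version in use (an invalid report is rejected silently apart from a pipeline warning), and make sure the job still uploads the artifact when the scanner finds something, which is why `when: always` is set on the artifact and the scanner's non-zero exit is swallowed.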