Security/Application Security Pipeline

Purpose
This document provides guidance on how to implement security into the CI/CD pipeline, leveraging both GitLab's integrated tools and custom tools provided and developed by the Security Team.

Static Application Security Testing (SAST)
GitLab CI/CD lets you run Static Application Security Testing (SAST) to scan your source code for vulnerabilities. If the pipeline is associated with a merge request, the SAST results are compared with the results of the target branch's analysis (if available), and the comparison is shown in the merge request. If the pipeline is running from the default branch, the results of the SAST analysis are available under Menu > Project > CI/CD > Pipelines.

Use Cases

 * Your code has a potentially dangerous attribute in a class, or unsafe code that can lead to unintended code execution.

Multi-project support
GitLab's integrated SAST tools can scan repositories that contain multiple projects.

The following analyzers have multi-project support:

 * Bandit
 * ESLint
 * Gosec
 * Kubesec
 * NodeJsScan
 * MobSF
 * PMD
 * Security Code Scan
 * Semgrep
 * SpotBugs
 * Sobelow
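As an added example (not part of the original page, and not GitLab's own template), the following minimal .gitlab-ci.yml enables the integrated SAST jobs described above and tunes them for a repository that holds several projects in subdirectories. The variable names are GitLab SAST settings; the values and the assumed directory layout (api/, web/, worker/) are illustrative assumptions.

```yaml
# Added example: enable GitLab's integrated SAST jobs in a repository
# that holds several projects in subdirectories (assumed: api/, web/, worker/).
include:
  - template: Security/SAST.gitlab-ci.yml   # defines the sast / *-sast analyzer jobs

stages:
  - test   # the template's SAST jobs run in the "test" stage

variables:
  # Analyzers search for supported languages/frameworks up to this many directory
  # levels deep (GitLab default: 4). Raise it if projects sit deeper in the tree.
  SEARCH_MAX_DEPTH: 6
  # Skip test fixtures and vendored code so findings point at your own code
  # (the list of paths here is an assumption; GitLab's default is "spec, test, tests, tmp").
  SAST_EXCLUDED_PATHS: "spec, test, tests, tmp, vendor"
```

Merge-request pipelines get the comparison against the target branch automatically; no extra configuration is needed for that. The template emits the findings as the gl-sast-report.json artifact, which is what the merge request widget and the pipeline Security tab read.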