SAST Deprecation: Analyzer consolidation and CI/CD template changes

Notice

🆕 Changes to the default CI/CD template have been released in GitLab %15.4.

If you are facing an immediate problem as a result of this change, see the Workaround below. Please contact GitLab Support if you are a customer seeking time-sensitive assistance.

🆕 Early access to Semgrep-based scanning was made available in 15.0. We added documentation, including considerations for why you might want to activate Semgrep-based scanning early, in %15.0. We expanded instructions for previewing CI/CD template changes in %15.3.

Please comment on this issue if you have questions or feedback.

Deprecation Summary

GitLab SAST uses various analyzers to scan code for vulnerabilities.

We are reducing the number of analyzers used in GitLab SAST as part of our long-term strategy to deliver a better and more consistent user experience. Streamlining the set of analyzers will also enable faster iteration, better results, and greater efficiency (including a reduction in CI runner usage in most cases).

In GitLab %15.4, GitLab SAST will no longer use the following analyzers by default:

These analyzers will be removed from the GitLab-managed SAST CI/CD template and replaced with the Semgrep-based analyzer.

Because they have been deprecated since %14.8, they may no longer receive routine updates, except for security issues. We will not delete container images previously published for these analyzers; any such change would be announced as a deprecation, removal, or breaking change announcement.

We will also remove Java from the scope of the SpotBugs analyzer and replace it with the Semgrep-based analyzer. This change will make it simpler to scan Java code; compilation will no longer be required. This change will be reflected in the automatic language detection portion of the GitLab-managed SAST CI/CD template. Note that the SpotBugs-based analyzer will continue to cover Groovy, Kotlin, and Scala.

If you've already dismissed a vulnerability finding from one of the deprecated analyzers, the replacement attempts to respect your previous dismissal. The system behavior depends on:

  • whether you’ve excluded the Semgrep-based analyzer from running in the past.
  • which analyzer first discovered the vulnerabilities shown in the project’s Vulnerability Report.

See Vulnerability translation documentation for further details.

If you applied customizations to any of the affected analyzers or if you disabled the Semgrep-based analyzer, you must take action as detailed below.

Actions Required

You only need to take action if:

  1. You applied customizations to one of the affected analyzers, such as setting a variable like SAST_EXCLUDED_ANALYZERS specifically on a job like eslint-sast, and that customization still applies to Semgrep.
    • You should migrate any option that is still needed to the semgrep-sast job.
    • Note that the semgrep-sast job itself handles multiple languages. Some of your previous customizations, especially those related to build or compilation processes, may no longer be necessary or may not apply to all languages covered by the Semgrep analyzer.
  2. You customized a built-in rule from one of the affected analyzers and still need the customization in Semgrep.
    • You should update the customization to refer to the rule's new identifier in this case.
  3. You have explicitly disabled the Semgrep-based analyzer.
    • You should re-enable the Semgrep-based analyzer in this case.
  4. You use the GitLab-managed CI/CD template and your pipeline configuration explicitly depends on a job name like bandit-sast or spotbugs-sast.
    • You should change your pipeline to refer to semgrep-sast or otherwise update it, depending on your use case.
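The migration for cases 1, 3 and 4 above, as an added illustration rather than configuration from this issue or from the GitLab-managed template: the first YAML document is an assumed project `.gitlab-ci.yml` written against the pre-15.4 template, the second is the same pipeline after the change. The `report-gate` job and the `SAST_EXCLUDED_PATHS` value are assumptions; the `semgrep-sast`, `eslint-sast` and `bandit-sast` job names and `SAST_EXCLUDED_ANALYZERS` are the ones named in the issue.

```yaml
# --- Before 15.4 (assumed project .gitlab-ci.yml, constructed for illustration) ---
include:
  - template: Security/SAST.gitlab-ci.yml

variables:
  # Case 3: the Semgrep-based analyzer was explicitly disabled.
  SAST_EXCLUDED_ANALYZERS: "semgrep"

eslint-sast:
  # Case 1: a customization applied only to a job that the 15.4 template no longer defines.
  variables:
    SAST_EXCLUDED_PATHS: "spec, test, tests, tmp, node_modules"

report-gate:
  # Case 4: an explicit dependency on job names that the 15.4 template no longer defines;
  # after the change this job would fail pipeline validation with an unknown `needs` entry.
  stage: deploy
  needs: ["bandit-sast", "eslint-sast"]
  script:
    - test -s gl-sast-report.json   # assumed gate: the SAST report artifact must exist

---
# --- After 15.4 (same pipeline, migrated) ---
include:
  - template: Security/SAST.gitlab-ci.yml

# Case 3: SAST_EXCLUDED_ANALYZERS no longer lists "semgrep", so the replacement analyzer runs.
# (If other analyzers still need excluding, keep the variable but drop "semgrep" from it.)

semgrep-sast:
  # Case 1: the path exclusion moves to the job that now covers JavaScript as well as the
  # other Semgrep-supported languages. Any build- or compilation-related settings from the
  # old jobs are dropped: Semgrep-based scanning does not compile the code.
  variables:
    SAST_EXCLUDED_PATHS: "spec, test, tests, tmp, node_modules"

report-gate:
  # Case 4: depend on the job that produces the report now.
  stage: deploy
  needs: ["semgrep-sast"]
  script:
    - test -s gl-sast-report.json
```

Case 2 (a customized built-in rule) is a change to the rule identifier in the project's SAST ruleset file and is not shown here.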

Workaround

If you are experiencing a pipeline failure or invalid pipeline YAML, you can temporarily revert to an older version of the CI/CD template. Use a version before 15.4. As of this writing, the most recent 15.3 release is v15.3.3-ee.
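The temporary pin described above, as an added example rather than configuration from the issue: it replaces the `template:` include with a `remote:` include of the template file at the v15.3.3-ee tag of the GitLab repository. The path under `lib/gitlab/ci/templates/` is where GitLab keeps its CI/CD templates; everything else in the fragment is assumed.

```yaml
# Temporary workaround (constructed example): pin the SAST template to the last 15.3 release
# so the pre-15.4 job names and analyzers are still defined while the pipeline is migrated.
include:
  # Instead of:
  #   - template: Security/SAST.gitlab-ci.yml
  - remote: "https://gitlab.com/gitlab-org/gitlab/-/raw/v15.3.3-ee/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml"

# The pinned template still points at the deprecated analyzers, which receive only security
# updates, so this is a stopgap until the customizations are moved to semgrep-sast.
```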

For details, see the new documentation topic Troubleshooting pipeline errors related to changes in the GitLab-managed CI/CD template.

Affected Topology

All deployment types (~SaaS and self-managed) are affected.

Affected Tier

All tiers (GitLab Free, GitLab Premium, GitLab Ultimate) are affected.

Checklist

  • mention your stage's stable counterparts on this issue. For example, Customer Support, Customer Success (Technical Account Manager), Product Marketing Manager.

    • To see who the stable counterparts are for a product team visit product categories
      • If there is no stable counterpart listed for Sales/CS please mention @timtams
      • If there is no stable counterpart listed for Support please mention @gitlab-com/support/managers
      • If there is no stable counterpart listed for Marketing please mention @cfoster3
  • mention your GPM so that they are aware of planned deprecations. The goal is to have reviews happen at least two releases before the final removal of the feature or introduction of a breaking change.

  • Customer Success stable counterparts: @bmiller1, @brianwald, @chloe

  • Support stable counterpart: @greg

  • Marketing stable counterpart: @cblake2000

  • Director, Product Management: @hbenson

Note: Required and optional reviewers were already @-mentioned on the Deprecation MR (!80472 (merged)).

Deprecation Milestone

%14.8

Planned Removal Milestone

%15.4

Links

Deprecation Announcement:

Documentation topic: Transition to Semgrep-based scanning

Edited by Connor Gilbert