GitLab SAST and Java 11

If built-in Static Application Security Testing functionality does not support the programming language requirements you have, you can customize the SAST analyzer docker images.

This guide shows you how to use SAST with OpenJDK 11 or later.

What is SAST?

Static Application Security Testing (SAST) provides you information if

  • your application is vulnerable by using an external library in a specific version which is known to be vulnerable or
  • your code has a potentially dangerous attribute in a class, or unsafe code that can lead to unintended code execution.

How get SAST reports generated?

According to the GitLab documentation you can take advantage of SAST by either:

  1. including the CI job below in your existing .gitlab-ci.yml file or by
  2. implicitly using Auto SAST that is provided by Auto DevOps.

As I want to show you how to customize this behaviour, we will focus on the first approach and add the job to an existing .gitlab-ci.yml file.

Limited language and framework support

Having the need to build Gradle based Java 11 projects, I ran into 2 major issues:

  1. Developers were relying on Gradle in a specific version. GitLab’s SAST images ship an older version of gradle within the image and it’s impossible to match the developers required version. Gradle wrapper ./gradlew should be used instead.

  2. GitLab’s SAST images support Java 8 with FindBugs. For Java 11 and later FindBugs is no longer working. The successor of FindBugs is SpotBugs which should be used in future.

    Language Version Framework Scan tool
    Java 8 Maven, Gradle find-sec-bugs

Using a custom analyzer image

I’ve forked the / security-products / analyzers / find-sec-bugs-gradle project and started to work on the two issues listed above.

Language Version Framework Scan tool Analyzer image
Java 8 Maven, Gradle find-sec-bugs GitLab’s default image
10 Maven, Gradle Wrapper spotbugs

The customized SAST job in detail

Below is an example of a Java 11 customized SAST job which uses default GitLab SAST docker image but a different analyzer image.

Environment variable Function
SAST_ANALYZER_IMAGES Comma separated list of custom Docker images. Default Docker images are still enabled. In the job below this is used to inject custom Docker images.
SAST_ANALYZER_IMAGE_PREFIX Override the name of the Docker registry providing the default images (proxy).
SAST_ANALYZER_IMAGE_TAG Override the Docker tag of the default images.
SAST_DEFAULT_ANALYZERS Override the names of default Docker images.
SAST_DEFAULT_ANALYZERS_ENABLED DEPRECATED: Disable default images. Removed in SAST 1.9

Read more about [customizing analyzers](./docs/

More configurable settings are listed in the GitLab SAST docker image README file in the repository.

# ...

  image: docker:stable
  stage: verify
    DOCKER_DRIVER: overlay2
    - docker:stable-dind
    - export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
                 --env SAST_DEFAULT_ANALYZERS=""
                 --env SAST_ANALYZER_IMAGES=""
                 --volume "$PWD:/code"
                 --volume /var/run/docker.sock:/var/run/docker.sock
                 "$SP_VERSION" /app/bin/run /code
      sast: gl-sast-report.json

# ...


comments powered by Disqus