The following page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features or functionality remain at the sole discretion of GitLab Inc.
| Name | Overall status | One-month plan | Three-month plan |
|---|---|---|---|
| Add new code-flow UI to explain Advanced SAST results Tracking issue/epic |
Shipped in the vuln report, MR widget, and pipeline security report. | Complete implementation in MR changes view, address UX issues. (Development work is being handled by the Security Platform Management group.) | |
| Complete functional testing and analysis for Vulnerability Resolution Tracking issue/epic |
In progress; substantially complete. | Continue data analysis. | Move on to additional feature improvements, as listed below |
| Real-time SAST scanning in the IDE: initial release Tracking issue/epic |
Expecting 17.6 (November 2024) for Experiment release on GitLab.com. | Deliver Experiment release | Move on to post-initial-release improvements, as listed below |
| Provide guidance on how to evaluate GitLab SAST Tracking issue/epic |
Initial guide shipped | Implement further edits to the evaluation guide | Publish benchmark/example project guide, based on analysis project listed below |
| Restructure and update Advanced SAST docs now that the feature is GA Tracking issue/epic |
In progress | Complete most issues in this epic | Complete entire epic |
| Advanced SAST engine maintenance, testing, and stability improvements Tracking issue/epic |
Planned for the majority of 17.5/17.6 for SAST:Core team | Implement improvements | |
| Analyze Advanced SAST performance against standard benchmarks Tracking issue/epic |
Analysis and rule updates in progress | Continue analysis and rule updates | Complete work; use results to update documentation |
| Implement the next level of documentation for rule/CWE coverage Tracking issue/epic |
Assessing implementation options | Interview internal users and develop technical plan | Ship documentation |
| Enable Advanced SAST for PHP Tracking issue/epic |
In progress. ETA TBD. | Finalize engine support, migrate/implement rules | |
| Implement Advanced SAST for C/C++ Tracking issue/epic |
|||
| Expand coverage for Vulnerability Resolution to more CWE types Tracking issue/epic |
Create a plan. Implement changes so new feature iterations can be tested. | Begin experiments based on this plan | |
| Expand real-time SAST in the IDE Tracking issue/epic |
Will beging after the initial Experiment release | Respond to feedback and next steps after the initial Experiment release | Work toward self-managed support; improve user-perceived latency |
| Incremental pipeline-based scans (skip unmodified code) Tracking issue/epic |
Currently blocked by database decomposition | ||
| Enable Advanced SAST for additional languages Tracking issue/epic |
Waiting for other languages, as listed above. See epic for language priority order. | ||
| Reshape SAST customization; allow org-specific Advanced SAST Tracking issue/epic |
Analyzing customer use cases to develop requirements | ||
| Enable Advanced SAST by default Tracking issue/epic |
Likely to occur in GitLab 18.0 due to breaking-change requirements. | ||
| Make SAST results easier to understand and triage Tracking issue/epic |
Coordinating with Security Risk Management stage for scheduling |
| Name | Status/progress |
|---|---|
| Analyze onboarding and day-to-day workflows for real-time IDE scanning Tracking issue/epic |
Paused until further development is completed. Will include analyzing how IDE, monolith, and Cloud Connector interact for end-users. |
We believe that the world is safer when everyone can contribute to software security. Our customers, and those they serve, are better protected when developers and security professionals can fix potential security risks earlier.
The earliest possible time to catch a security issue is when the code is first written. GitLab sees code very early in the software development lifecycle, since we store production code and also support customer workflows (like merge requests) for pre-production development. So, our group is uniquely positioned to integrate static analysis everywhere as part of a comprehensive DevSecOps platform. We can do what others can't by making security omnipresent, and by supporting collaboration right in the tools that development teams are already using to do their jobs.
Building on those fundamental beliefs, the Static Analysis group's business purpose is to build value for GitLab and our customers…
We are responsible for ensuring that customers can use GitLab Ultimate to:
Our responsibility is for the full customer experience—not just security analyzers or specific software systems we maintain. At times this may mean:
We will do what it takes to deliver these customer results—our customers use the entire product to do their jobs, so it's important that we collaborate effectively with other groups to deliver end-to-end results.
This page is designed to clarify competing priorities between feature categories and provide a high-level summary of the problems the Static Analysis group plans to tackle.
It includes "headline" items that we're planning to work on, and ranks them across the feature categories that Static Analysis maintains.
However, it doesn't:
| Stage | Secure |
| Content Last Reviewed | 2024-10-30 |