The following page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features or functionality remain at the sole discretion of GitLab Inc.
Name | Overall status | One-month plan | Three-month plan |
---|---|---|---|
Add new code-flow UI to explain Advanced SAST results Tracking issue/epic |
In progress | Continue implementation in pipeline report/MR | See one-month plan |
Advanced SAST engine maintenance, testing, and stability improvements Tracking issue/epic |
Planned for the majority of 17.5 for SAST:Core team | Identify and implement improvements | See one-month plan |
Real-time SAST scanning in the IDE Tracking issue/epic |
Targeting 17.6 (November 2024) for Experiment release. (Not a committed date.) | Ship all components and test end-to-end | Deliver Experiment release |
Resolve OKR-tagged customer bugs (internal link) Tracking issue/epic |
Targeting OKR-related bugs by 17.5 | Complete defined scope | See one-month plan |
Document rule information and CWE coverage Tracking issue/epic |
Assessing implementation options | Develop technical plan | Ship documentation |
Enable Advanced SAST for PHP Tracking issue/epic |
In progress. ETA TBD. | Finalize engine support, migrate/implement rules | See one-month plan |
Enable Advanced SAST for Ruby Tracking issue/epic |
In progress. Implementing rules. ETA TBD. | Finalize engine support, migrate/implement rules | See one-month plan |
Implement Advanced SAST for C/C++ Tracking issue/epic |
See one-month plan | ||
Incremental pipeline-based scans (skip unmodified code) Tracking issue/epic |
Currently blocked by database decomposition | See one-month plan | |
Enable Advanced SAST for additional languages Tracking issue/epic |
See one-month plan | ||
Reshape SAST customization; allow org-specific Advanced SAST Tracking issue/epic |
Defining requirements/goals | See one-month plan | |
Enable Advanced SAST by default Tracking issue/epic |
Likely to occur in GitLab 18.0 due to breaking-change requirements. | See one-month plan |
Name | Status/progress |
---|---|
Analyze onboarding and day-to-day workflows for real-time IDE scanning Tracking issue/epic |
Paused until further development is completed. Will include analyzing how IDE, monolith, and Cloud Connector interact for end-users. |
We believe that the world is safer when everyone can contribute to software security. Our customers, and those they serve, are better protected when developers and security professionals can fix potential security risks earlier.
The earliest possible time to catch a security issue is when the code is first written. GitLab sees code very early in the software development lifecycle, since we store production code and also support customer workflows (like merge requests) for pre-production development. So, our group is uniquely positioned to integrate static analysis everywhere as part of a comprehensive DevSecOps platform. We can do what others can't by making security omnipresent, and by supporting collaboration right in the tools that development teams are already using to do their jobs.
Building on those fundamental beliefs, the Static Analysis group's business purpose is to build value for GitLab and our customers…
We are responsible for ensuring that customers can use GitLab Ultimate to:
Our responsibility is for the full customer experience—not just security analyzers or specific software systems we maintain. At times this may mean:
We will do what it takes to deliver these customer results—our customers use the entire product to do their jobs, so it's important that we collaborate effectively with other groups to deliver end-to-end results.
This page is designed to clarify competing priorities between feature categories and provide a high-level summary of the problems the Static Analysis group plans to tackle.
It includes "headline" items that we're planning to work on, and ranks them across the feature categories that Static Analysis maintains.
However, it doesn't:
Stage | Secure |
Content Last Reviewed | 2024-09-10 |