gitlab 集成的一些SAST安全扫描工具
企业内部使用gitlab 作为源代码管理的越来越多了,同时目前gitlab 不少企业特性也开源的社区免费版了,以下是支持的SAST 清单可以参考
参考清单
| Language (package managers) / framework | Scan tool | Introduced in GitLab Version |
|---|---|---|
| .NET Core | Security Code Scan | 11.0 |
| .NET Framework | Security Code Scan | 13.0 |
| Apex (Salesforce) | PMD | 12.1 |
| C | Semgrep | 14.2 |
| C/C++ | Flawfinder | 10.7 |
| Elixir (Phoenix) | Sobelow | 11.1 |
| Go | Gosec | 10.7 |
| Go | Semgrep | 14.4 |
| Groovy (Ant, Gradle, Maven, and SBT) | SpotBugs with the find-sec-bugs plugin | 11.3 (Gradle) & 11.9 (Ant, Maven, SBT) |
| Helm Charts | Kubesec | 13.1 |
| Java (any build system) | Semgrep | 14.10 |
| Java (Ant, Gradle, Maven, and SBT) | SpotBugs with the find-sec-bugs plugin | 10.6 (Maven), 10.8 (Gradle) & 11.9 (Ant, SBT) |
| Java (Android) | MobSF (beta) | 13.5 |
| JavaScript | ESLint security plugin | 11.8 |
| JavaScript | Semgrep | 13.10 |
| Kotlin (Android) | MobSF (beta) | 13.5 |
| Kotlin (General) | SpotBugs with the find-sec-bugs plugin | 13.11 |
| Kubernetes manifests | Kubesec | 12.6 |
| Node.js | NodeJsScan | 11.1 |
| Objective-C (iOS) | MobSF (beta) | 13.5 |
| PHP | phpcs-security-audit | 10.8 |
| Python (pip) | bandit | 10.3 |
| Python | Semgrep | 13.9 |
| React | ESLint react plugin | 12.5 |
| React | Semgrep | 13.10 |
| Ruby | brakeman | 13.9 |
| Ruby on Rails | brakeman | 10.3 |
| Scala (Ant, Gradle, Maven, and SBT) | SpotBugs with the find-sec-bugs plugin | 11.0 (SBT) & 11.9 (Ant, Gradle, Maven) |
| Swift (iOS) | MobSF (beta) | 13.5 |
| TypeScript | ESLint security plugin | 11.9, merged with ESLint in 13.2 |
| TypeScript | Semgrep | 13.10 |
说明
以上尽管是gitlab 直接使用的,但是基本都是基于开源的,我们也可以应用到自己的项目中
