SAST IDE Integration ADR 001: Provide API-based security scans
SAST IDE Integration ADR 001: Provide API-based security scans
SAST IDE Integration
This page contains information related to upcoming products, features, and functionality.
It is important to note that the information presented is for informational purposes only.
Please do not rely on this information for purchasing or planning purposes.
The development, release, and timing of any products, features, or functionality may be
subject to change or delay and remain at the sole discretion of GitLab Inc.
| Status | Authors | Coach | DRIs | Owning Stage | Created |
|---|---|---|---|---|---|
| ongoing |
erran
jleasure
julianthome
theoretick
|
theoretick
|
connorgilbert
dashaadu
tkopel
kisha.mavryck
|
devops secure | 2024-06-21 |
Summary
Support developers performing API-based Static Analysis Security Testing from their IDE.
Motivation
Goals
What is it trying to achieve?
- Provide SAST results to Ultimate users running any GitLab Editor Extension.
How will we know that this has succeeded?
- Users with the required connectivity receive diagnostics for SAST findings.
What are other less tangible opportunities here?
- Defining how non-SAST security scan results may be presented in the IDE in the future.
- Populate IDE diagnostics from an existing SAST report.
Non-Goals
What is out of scope for this blueprint?
- Defining how offline users will run analyzers locally.
Proposal
Provide both local and API-based security scans against the current IDE workspace.
Pros:
- All platforms where we have GitLab Editor Extensions would support SAST findings.
- Scan service API could be implemented through a local service to consume existing local SAST reports.
- Offline users could use offline scan images or distributions.
Cons:
- We must deploy new infrastructure.
- We must be intentional in showing/hiding this feature based on the user, group, and project configuration.
Decisions
Design and implementation details
Remote scans
sequenceDiagram
actor User
User->>+IntelliJ: Edits a file "hello.rb"
User->>+IntelliJ: Saves "hello.rb"
IntelliJ->>+GitLab Duo for JetBrains: Triggers a security scan based on the current file and workspace
GitLab Duo for JetBrains->>+GitLab API: POST /api/v4/security_scans/sast
note over GitLab Duo for JetBrains,GitLab API: { "path": "hello.rb", "content": "exec(ARGV[0])" }
GitLab API->>+Security Scan Service: POST /v1/sast
Security Scan Service->>-GitLab API: 200 OK
GitLab API->>-GitLab Duo for JetBrains: 200 OK
GitLab Duo for JetBrains->>-IntelliJ: Display Static Analysis findings (Diagnostics)
Alternative Solutions
Do nothing
The current experience for GitLab users in the IDE is that they must run separate Static Analysis tools locally before pushing their code and waiting on their CI/CD pipeline’s security scan results.
Run analyzers locally as offline analyzer
Pros:
- Local data and execution simplifies performance optimization
- A narrower usecase allows for a simpler, more tightly coupled design
Cons:
- We would need to start supporting binary distributions along with a release cycle that limits our ability to distribute rule refinements and bugfixes
- We would need to codesign our binaries especially for Mac OS.
- We would need to provide documentation for installation.
- We would need to provide tooling for installation.
Last modified April 28, 2025: Cleanup and reorg shortcodes (
eef3c341)
