# GitLab SAST - Semgrep Analyzer

## Overview

### What is GitLab SAST?

GitLab Static Application Security Testing (SAST) is an integrated security feature that automatically scans your source code for potential security vulnerabilities as part of your CI/CD pipeline.

### GitLab's Built-in Semgrep Scanner

GitLab SAST includes Semgrep as one of its primary static analysis engines. When you enable GitLab SAST, the Semgrep analyzer automatically:

1. Scans your codebase for security vulnerabilities
2. Generates detailed findings
3. Integrates results into GitLab's security dashboard

## Mobb Integration with GitLab SAST (Semgrep)

Mobb enhances GitLab SAST by providing **automated vulnerability fixing** capabilities. While GitLab SAST identifies security issues, Mobb goes further by:

* **Automatically generating fixes** for Semgrep-detected vulnerabilities
* **Providing contextual explanations** for each fix
* **Maintaining code functionality** while addressing security concerns

### How the Integration Works

1. **GitLab SAST runs Semgrep** and generates a SARIF report
2. **Mobb analyzes the SARIF findings** and generates appropriate fixes
3. **Fix Report URL** is printed in the GitLab runner job log
4. **Developers review the fixes in the Mobb UI** and open Merge Requests for the ones they accept

## Sample GitLab CI/CD Configuration

Below is a complete `.gitlab-ci.yml` configuration that integrates GitLab SAST (Semgrep) with Mobb's automated fixing capabilities:

```yaml
include:
  - template: Security/SAST.gitlab-ci.yml

# Default image for jobs that do not set their own; the semgrep-sast job
# keeps the analyzer image defined in the template.
image:
  name: node:20

stages:
  - test          # required because the SAST template defaults to 'test'
  - sast-scan     # stage for the semgrep-sast analyzer job below
  - mobb-autofixer

workflow:
  rules:
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
    - if: '$CI_PIPELINE_SOURCE == "web"'

# The template's 'sast' job is configuration-only and already never runs;
# the override is kept here to make that explicit.
sast:
  stage: test
  rules:
    - when: never

# Run Semgrep (GitLab SAST analyzer) and publish SARIF for Mobb.
# Using the template's job name merges this with the template's semgrep-sast
# job, so the analyzer image, its rules and gl-sast-report.json are kept.
semgrep-sast:
  extends: .sast-analyzer
  stage: sast-scan
  artifacts:
    when: always
    expire_in: 1 week
    paths:
      - semgrep.sarif
      - '**/semgrep.sarif'   # in case the file lands below the project root

mobb-autofixer-job:
  stage: mobb-autofixer
  tags: [saas-linux-medium-amd64]   # GitLab.com hosted-runner tag; adjust for self-managed runners
  needs:
    - job: semgrep-sast
      artifacts: true
  script:
    - ls -la
    - 'test -f semgrep.sarif || { echo "semgrep.sarif not found"; ls -R; exit 1; }'
    # Pin a specific mobbdev version instead of @latest for reproducible runs.
    # MOBB_API_TOKEN should be a masked CI/CD variable so it is redacted in the log.
    - >
      npx mobbdev@latest analyze
      -f semgrep.sarif
      -r "$CI_PROJECT_URL"
      --ref "$CI_COMMIT_REF_NAME"
      --mobb-project-name "GitLab-Fix-Reports"
      --api-key "$MOBB_API_TOKEN"
      --ci
  when: always
```

### Configuration Breakdown

#### Pipeline Structure

* **test stage**: Required because the SAST template places its jobs there by default
* **sast-scan stage**: Runs the Semgrep analyzer and keeps `semgrep.sarif` as an artifact
* **mobb-autofixer stage**: Uploads the findings to Mobb and produces the fix report

#### Workflow Rules

The pipeline triggers on:

* Merge request events
* Manual web triggers

#### Semgrep SAST Job

* **Extends**: `.sast-analyzer`, the template's base job for analyzer jobs; because the job is also named `semgrep-sast`, GitLab merges it with the template's definition, so the analyzer image, its `rules`, and the `gl-sast-report.json` security report are kept
* **Artifacts**: Adds `semgrep.sarif` to `artifacts.paths` so it survives the job and reaches the Mobb stage
* **Output**: `semgrep.sarif` in the project root (the `**/semgrep.sarif` glob covers a file written below the root)

{% hint style="warning" %}
**Critical SARIF Export Configuration**

By default, GitLab's Semgrep SAST analyzer publishes its findings only as the GitLab-native `gl-sast-report.json` report, which feeds the security dashboard. The `semgrep.sarif` file it writes during the job is not declared as an artifact, so it is discarded with the job workspace. Mobb, however, needs the SARIF file for vulnerability analysis and fix generation.

This is why the configuration above extends `.sast-analyzer` under the template's own job name and adds an `artifacts` section to:

1. **Preserve the SARIF file**: Declare `semgrep.sarif` as a job artifact, with `when: always` so it is kept even when the analyzer job fails
2. **Hand it to the next stage**: `needs` with `artifacts: true` downloads it into the Mobb job
3. **Keep the native report**: Merging with the template's job leaves `gl-sast-report.json` in place, so the GitLab security dashboard is still populated

Without this configuration the Mobb job would have no `semgrep.sarif` to analyze, and the `test -f` guard in its script would fail the job.
{% endhint %}

#### Mobb Autofixer Job

* **Dependencies**: `needs` waits for `semgrep-sast` and downloads its SARIF artifact
* **Validation**: `test -f semgrep.sarif` fails fast, with a directory listing, if the artifact is missing
* **Execution**: `npx mobbdev@latest analyze` uploads the findings to Mobb and prints the fix report URL in the job log
* **Runner tag**: `saas-linux-medium-amd64` is a GitLab.com hosted-runner tag; on self-managed runners change or remove `tags`
* **Version pinning**: `mobbdev@latest` fetches whatever version is current on every run; pin a specific version for reproducible, reviewable pipelines
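
The Mobb job only checks that `semgrep.sarif` exists. A stronger pre-flight check, added here as an example and not Mobb's or GitLab's own code, parses the file, confirms it is a SARIF 2.1.0 log rather than the template's `gl-sast-report.json`, and summarizes the findings by rule so the job log shows what Mobb was given. The `SAMPLE_SARIF` document, its rule IDs and file paths are constructed for illustration, and the script name `check_sarif.py` is assumed.

```python
"""Sanity-check a Semgrep SARIF report before handing it to Mobb.

Added example for this page, not code from Mobb or GitLab. It assumes the
report is the SARIF 2.1.0 log written by the GitLab Semgrep analyzer; the
SAMPLE_SARIF document below is constructed so the script runs offline.
"""
import json
import sys
from collections import Counter

# Constructed sample in the shape of a minimal Semgrep SARIF 2.1.0 report.
# Rule IDs, file paths and messages are invented for illustration.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "runs": [{
        "tool": {"driver": {"name": "Semgrep OSS"}},
        "results": [
            {
                "ruleId": "javascript.express.security.example-sqli",
                "level": "error",
                "message": {"text": "User input flows into a SQL query"},
                "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/db.js"}}}],
            },
            {
                "ruleId": "javascript.lang.security.example-path-traversal",
                "level": "warning",
                "message": {"text": "Path built from a request parameter"},
                "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/files.js"}}}],
            },
        ],
    }],
}


def summarize_sarif(doc):
    """Validate the basic SARIF shape and summarize findings; raise ValueError
    for anything else, including GitLab's own gl-sast-report.json by mistake."""
    if not isinstance(doc, dict):
        raise ValueError("top-level JSON value is not an object")
    if "vulnerabilities" in doc and "runs" not in doc:
        raise ValueError("this looks like gl-sast-report.json, not a SARIF log")
    if doc.get("version") != "2.1.0":
        raise ValueError(f"unsupported SARIF version: {doc.get('version')!r}")
    runs = doc.get("runs")
    if not isinstance(runs, list) or not runs:
        raise ValueError("SARIF log contains no runs")

    tools, results = [], []
    for run in runs:
        tools.append(run.get("tool", {}).get("driver", {}).get("name", "unknown"))
        results.extend(run.get("results") or [])

    files = set()
    for result in results:
        for loc in result.get("locations", []):
            uri = loc.get("physicalLocation", {}).get("artifactLocation", {}).get("uri")
            if uri:
                files.add(uri)

    return {
        "tools": tools,
        "total": len(results),
        "by_rule": dict(Counter(r.get("ruleId", "unknown") for r in results)),
        "by_level": dict(Counter(r.get("level", "none") for r in results)),
        "files": sorted(files),
    }


def check_sarif_file(path, require_findings=False):
    """CI entry point: 0 when the report is usable, 1 when it is not.

    With require_findings=True an empty report returns 2, so a pipeline can
    skip the Mobb step (nothing to fix) instead of failing on it.
    """
    try:
        with open(path, encoding="utf-8") as fh:
            doc = json.load(fh)  # json.JSONDecodeError is a ValueError
        summary = summarize_sarif(doc)
    except (OSError, ValueError) as exc:
        print(f"{path}: {exc}", file=sys.stderr)
        return 1

    print(f"{path}: {summary['total']} finding(s) from {', '.join(summary['tools'])}")
    for rule, count in sorted(summary["by_rule"].items()):
        print(f"  {count:>4}  {rule}")
    if require_findings and summary["total"] == 0:
        print("no findings to fix", file=sys.stderr)
        return 2
    return 0


if __name__ == "__main__":
    # In the job script: python3 check_sarif.py semgrep.sarif
    sys.exit(check_sarif_file(sys.argv[1] if len(sys.argv) > 1 else "semgrep.sarif"))
```

Commit the script to the repository and call it from the job's `script` right after the `test -f` line; a non-zero exit stops the job before the API token is spent on a report Mobb cannot process, and the per-rule counts in the log make it obvious when an upstream rule change silently empties the report.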

### Required Environment Variables

Set these variables in your GitLab project's CI/CD settings (Settings > CI/CD > Variables). Mark the token **Masked** so it is redacted from job logs. Use **Protected** only if the pipeline runs solely on protected branches: the workflow rules above also run merge request pipelines, and protected variables are not exposed to pipelines for unprotected branches, so a protected token would be missing there.

| Variable         | Description                                                                                                                           |
| ---------------- | ------------------------------------------------------------------------------------------------------------------------------------- |
| `MOBB_API_TOKEN` | Your Mobb API token for authentication ([How to create API tokens](https://docs.mobb.ai/mobb-user-docs/administration/access-tokens)) |

### Mobb CLI Parameters Explained

| Parameter                                  | Description                        |
| ------------------------------------------ | ---------------------------------- |
| `-f semgrep.sarif`                         | Input SARIF file from GitLab SAST  |
| `-r "$CI_PROJECT_URL"`                     | Repository URL for context         |
| `--ref "$CI_COMMIT_REF_NAME"`              | Branch/ref being analyzed          |
| `--mobb-project-name "GitLab-Fix-Reports"` | Project identifier in Mobb         |
| `--api-key "$MOBB_API_TOKEN"`              | Authentication token               |
| `--ci`                                     | Non-interactive mode for CI runners (no prompts) |
