GitLab SAST - Semgrep Analyzer

Overview

What is GitLab SAST?

GitLab Static Application Security Testing (SAST) is an integrated security feature that automatically scans your source code for potential security vulnerabilities as part of your CI/CD pipeline.

GitLab's Built-in Semgrep Scanner

GitLab SAST includes Semgrep as one of its primary static analysis engines. When you enable GitLab SAST, the Semgrep analyzer automatically:

  1. Scans your codebase for security vulnerabilities

  2. Generates detailed findings

  3. Integrates results into GitLab's security dashboard

Mobb Integration with GitLab SAST (Semgrep)

Mobb enhances GitLab SAST by providing automated vulnerability fixing capabilities. While GitLab SAST identifies security issues, Mobb goes further by:

  • Automatically generating fixes for Semgrep-detected vulnerabilities

  • Providing contextual explanations for each fix

  • Maintaining code functionality while addressing security concerns

How the Integration Works

  1. GitLab SAST runs Semgrep and generates a SARIF report

  2. Mobb analyzes the SARIF findings and generates appropriate fixes

  3. Mobb prints the fix report URL in the GitLab runner console log

  4. Developers review the proposed fixes in the Mobb UI and create Merge Requests from there

Sample GitLab CI/CD Configuration

Below is a complete .gitlab-ci.yml configuration that integrates GitLab SAST (Semgrep) with Mobb's automated fixing capabilities:

include:
  - template: Security/SAST.gitlab-ci.yml

image:
  name: node:20

stages:
  - test          # required because the SAST template defaults to 'test'
  - sast-scan     # keep this even if you removed 'sast-scan-job'
  - mobb-autofixer

workflow:
  rules:
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
    - if: '$CI_PIPELINE_SOURCE == "web"'

# Disable the default 'sast' job from the template (optional but common)
sast:
  stage: test
  rules:
    - when: never

# Run Semgrep (GitLab SAST analyzer) and publish SARIF for Mobb
semgrep-sast:
  extends: .sast-analyzer
  stage: sast-scan
  artifacts:
    when: always
    expire_in: 1 week
    paths:
      - semgrep.sarif
      - '**/semgrep.sarif'

mobb-autofixer-job:
  stage: mobb-autofixer
  tags: [saas-linux-medium-amd64]
  needs:
    - job: semgrep-sast
      artifacts: true
  script:
    - ls -la
    - 'test -f semgrep.sarif || { echo "semgrep.sarif not found"; ls -R; exit 1; }'
    - >
      npx mobbdev@latest analyze
      -f semgrep.sarif
      -r "$CI_PROJECT_URL"
      --ref "$CI_COMMIT_REF_NAME"
      --mobb-project-name "GitLab-Fix-Reports"
      --api-key "$MOBB_API_TOKEN"
      --ci
  when: always

Configuration Breakdown

Pipeline Structure

  • test stage: Required by GitLab SAST template

  • sast-scan stage: Runs Semgrep analysis

  • mobb-autofixer stage: Processes findings and applies fixes

Workflow Rules

The pipeline triggers on:

  • Merge request events

  • Manual web triggers

Semgrep SAST Job

  • Extends: Uses GitLab's built-in SAST analyzer

  • Artifacts: Preserves SARIF reports for Mobb processing

  • Output: Generates semgrep.sarif file

Mobb Autofixer Job

  • Dependencies: Waits for SARIF artifacts from Semgrep

  • Validation: Checks for SARIF file existence

  • Execution: Runs Mobb analysis and auto-fixing
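The validation step above only checks that semgrep.sarif exists; an empty or malformed report would still be handed to Mobb. The script below is an added example, not code from Mobb or from GitLab, that parses the SARIF file and summarizes findings per level, rule and file before the autofixer runs. It assumes the SARIF 2.1.0 layout (runs[].results[] with ruleId, level and locations[]); the embedded sample report and its rule IDs are constructed for the example.

```python
"""Summarize a Semgrep SARIF report before handing it to Mobb.

Added example, not part of the Mobb or GitLab documentation. Assumes the
SARIF 2.1.0 layout (runs[].results[] with ruleId, level, locations[]).
"""
import json
import sys
from collections import Counter

# Constructed sample report: three findings from two rules across three files.
# Rule IDs are placeholders, not real Semgrep rule names.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [
        {
            "tool": {"driver": {"name": "Semgrep OSS"}},
            "results": [
                {
                    "ruleId": "constructed.tainted-sql-string",
                    "level": "error",
                    "message": {"text": "SQL query built from user input"},
                    "locations": [{"physicalLocation": {
                        "artifactLocation": {"uri": "src/db.js"},
                        "region": {"startLine": 42}}}],
                },
                {
                    "ruleId": "constructed.tainted-sql-string",
                    "level": "error",
                    "message": {"text": "SQL query built from user input"},
                    "locations": [{"physicalLocation": {
                        "artifactLocation": {"uri": "src/reports.js"},
                        "region": {"startLine": 17}}}],
                },
                {
                    "ruleId": "constructed.insecure-cookie",
                    "level": "warning",
                    "message": {"text": "Cookie set without the Secure flag"},
                    "locations": [{"physicalLocation": {
                        "artifactLocation": {"uri": "src/session.js"},
                        "region": {"startLine": 9}}}],
                },
            ],
        }
    ],
}


def validate_sarif(doc):
    """Return the runs list if doc looks like a SARIF 2.1.0 report, else raise."""
    if not isinstance(doc, dict) or doc.get("version") != "2.1.0":
        raise ValueError("not a SARIF 2.1.0 document")
    runs = doc.get("runs")
    if not isinstance(runs, list) or not runs:
        raise ValueError("SARIF document has no runs")
    return runs


def summarize(doc):
    """Count findings per level, rule and file across all runs in the report."""
    by_level, by_rule, by_file = Counter(), Counter(), Counter()
    for run in validate_sarif(doc):
        for result in run.get("results", []):
            by_level[result.get("level", "none")] += 1
            by_rule[result.get("ruleId", "<no ruleId>")] += 1
            for loc in result.get("locations", []):
                uri = (loc.get("physicalLocation", {})
                          .get("artifactLocation", {})
                          .get("uri", "<unknown>"))
                by_file[uri] += 1
    return {
        "total": sum(by_level.values()),
        "by_level": dict(by_level),
        "by_rule": dict(by_rule),
        "by_file": dict(by_file),
    }


def load_report(path):
    """Read a SARIF file from disk (the semgrep.sarif artifact in CI)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def main(argv):
    # With a path argument, summarize that file; otherwise use the sample.
    doc = load_report(argv[1]) if len(argv) > 1 else SAMPLE_SARIF
    summary = summarize(doc)
    print(json.dumps(summary, indent=2))
    # Exit 0 when there are findings to fix and 2 when the report is empty,
    # so the CI job can skip the Mobb step instead of submitting nothing.
    return 0 if summary["total"] else 2


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In the pipeline this would run as an extra script line before the npx call, for example `python3 sarif_summary.py semgrep.sarif || exit 0` (file name assumed), so that a malformed report fails loudly while an empty one skips the autofixer.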

Required Environment Variables

Set these variables in your GitLab project settings:

Variable          Description
MOBB_API_TOKEN    Your Mobb API token for authentication (How to create API tokens)

Mobb CLI Parameters Explained

Parameter                                   Description
-f semgrep.sarif                            Input SARIF file from GitLab SAST
-r "$CI_PROJECT_URL"                        Repository URL for context
--ref "$CI_COMMIT_REF_NAME"                 Branch/ref being analyzed
--mobb-project-name "GitLab-Fix-Reports"    Project identifier in Mobb
--api-key "$MOBB_API_TOKEN"                 Authentication token
--ci                                        CI/CD mode for optimized execution
