GitLab SAST - Semgrep Analyzer

Overview

What is GitLab SAST?

GitLab Static Application Security Testing (SAST) is an integrated security feature that automatically scans your source code for potential security vulnerabilities as part of your CI/CD pipeline.

GitLab's Built-in Semgrep Scanner

GitLab SAST includes Semgrep as one of its primary static analysis engines. When you enable GitLab SAST, the Semgrep analyzer automatically:

Scans your codebase for security vulnerabilities
Generates detailed findings
Integrates results into GitLab's security dashboard

Mobb Integration with GitLab SAST (Semgrep)

Mobb enhances GitLab SAST by providing automated vulnerability fixing capabilities. While GitLab SAST identifies security issues, Mobb goes further by:

Automatically generating fixes for Semgrep-detected vulnerabilities
Providing contextual explanations for each fix
Maintaining code functionality while addressing security concerns

How the Integration Works

GitLab SAST runs Semgrep and generates a SARIF report
Mobb analyzes the SARIF findings and generates appropriate fixes
Fix Report URL will be provided in the Gitlab runner console log
Developers review and create Merge Requests on the security enhancements from Mobb UI

Sample GitLab CI/CD Configuration

Below is a complete .gitlab-ci.yml configuration that integrates GitLab SAST (Semgrep) with Mobb's automated fixing capabilities:

include:
  - template: Security/SAST.gitlab-ci.yml

image:
  name: node:20

stages:
  - test          # required because the SAST template defaults to 'test'
  - sast-scan     # keep this even if you removed 'sast-scan-job'
  - mobb-autofixer

workflow:
  rules:
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
    - if: '$CI_PIPELINE_SOURCE == "web"'

# Disable the default 'sast' job from the template (optional but common)
sast:
  stage: test
  rules:
    - when: never

# Run Semgrep (GitLab SAST analyzer) and publish SARIF for Mobb
semgrep-sast:
  extends: .sast-analyzer
  stage: sast-scan
  artifacts:
    when: always
    expire_in: 1 week
    paths:
      - semgrep.sarif
      - '**/semgrep.sarif'

mobb-autofixer-job:
  stage: mobb-autofixer
  tags: [saas-linux-medium-amd64]
  needs:
    - job: semgrep-sast
      artifacts: true
  script:
    - ls -la
    - 'test -f semgrep.sarif || { echo "semgrep.sarif not found"; ls -R; exit 1; }'
    - >
      npx mobbdev@latest analyze
      -f semgrep.sarif
      -r "$CI_PROJECT_URL"
      --ref "$CI_COMMIT_REF_NAME"
      --mobb-project-name "GitLab-Fix-Reports"
      --api-key "$MOBB_API_TOKEN"
      --ci
  when: always

Configuration Breakdown

Pipeline Structure

test stage: Required by GitLab SAST template
sast-scan stage: Runs Semgrep analysis
mobb-autofixer stage: Processes findings and applies fixes

Workflow Rules

The pipeline triggers on:

Merge request events
Manual web triggers

Semgrep SAST Job

Extends: Uses GitLab's built-in SAST analyzer
Artifacts: Preserves SARIF reports for Mobb processing
Output: Generates semgrep.sarif file

Critical SARIF Export Configuration

By default, GitLab's Semgrep SAST analyzer does not export SARIF files - it only publishes results to GitLab's security dashboard. However, Mobb requires SARIF format for vulnerability analysis and fix generation.

This is why our configuration explicitly extends the .sast-analyzer and adds the artifacts section to:

Force SARIF generation: Ensure Semgrep outputs findings in SARIF format
Preserve artifacts: Store the SARIF file for downstream consumption by Mobb
Enable integration: Make vulnerability data available in the format Mobb expects

Without this configuration, the Mobb integration would fail because there would be no SARIF file to analyze.

Mobb Autofixer Job

Dependencies: Waits for SARIF artifacts from Semgrep
Validation: Checks for SARIF file existence
Execution: Runs Mobb analysis and auto-fixing

Required Environment Variables

Set these variables in your GitLab project settings:

Variable

Description

MOBB_API_TOKEN

Your Mobb API token for authentication (How to create API tokens)

Mobb CLI Parameters Explained

Parameter

Description

-f semgrep.sarif

Input SARIF file from GitLab SAST

-r "$CI_PROJECT_URL"

Repository URL for context

--ref "$CI_COMMIT_REF_NAME"

Branch/ref being analyzed

--mobb-project-name "GitLab-Fix-Reports"

Project identifier in Mobb

--api-key "$MOBB_API_TOKEN"

Authentication token

--ci

CI/CD mode for optimized execution

PreviousGitLab Pipeline NextAzure DevOps

Last updated 2 months ago

hashtagOverview

hashtagWhat is GitLab SAST?

hashtagGitLab's Built-in Semgrep Scanner

hashtagMobb Integration with GitLab SAST (Semgrep)

hashtagHow the Integration Works

hashtagSample GitLab CI/CD Configuration

hashtagConfiguration Breakdown

hashtagPipeline Structure

hashtagWorkflow Rules

hashtagSemgrep SAST Job

hashtagMobb Autofixer Job

hashtagRequired Environment Variables

hashtagMobb CLI Parameters Explained