# GitLab SAST - Semgrep Analyzer

## Overview

### What is GitLab SAST?

GitLab Static Application Security Testing (SAST) is an integrated security feature that automatically scans your source code for potential security vulnerabilities as part of your CI/CD pipeline.

### GitLab's Built-in Semgrep Scanner

GitLab SAST includes Semgrep as one of its primary static analysis engines. When you enable GitLab SAST, the Semgrep analyzer automatically:

1. Scans your codebase for security vulnerabilities
2. Generates detailed findings
3. Integrates results into GitLab's security dashboard

## Mobb Integration with GitLab SAST (Semgrep)

Mobb enhances GitLab SAST by providing **automated vulnerability fixing** capabilities. While GitLab SAST identifies security issues, Mobb goes further by:

* **Automatically generating fixes** for Semgrep-detected vulnerabilities
* **Providing contextual explanations** for each fix
* **Maintaining code functionality** while addressing security concerns

### How the Integration Works

1. **GitLab SAST runs Semgrep** and generates a SARIF report
2. **Mobb analyzes the SARIF findings** and generates appropriate fixes
3. **Mobb prints a Fix Report URL** in the GitLab runner console log
4. **Developers review the proposed fixes and create Merge Requests** from the Mobb UI

## Sample GitLab CI/CD Configuration

Below is a complete `.gitlab-ci.yml` configuration that integrates GitLab SAST (Semgrep) with Mobb's automated fixing capabilities:

```yaml
include:
  - template: Security/SAST.gitlab-ci.yml

image:
  name: node:20

stages:
  - test          # required because the SAST template defaults to 'test'
  - sast-scan     # stage used by the 'semgrep-sast' job below
  - mobb-autofixer

workflow:
  rules:
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
    - if: '$CI_PIPELINE_SOURCE == "web"'

# Disable the default 'sast' job from the template (optional but common)
sast:
  stage: test
  rules:
    - when: never

# Run Semgrep (GitLab SAST analyzer) and publish SARIF for Mobb
semgrep-sast:
  extends: .sast-analyzer
  stage: sast-scan
  artifacts:
    when: always
    expire_in: 1 week
    paths:
      - semgrep.sarif
      - '**/semgrep.sarif'

mobb-autofixer-job:
  stage: mobb-autofixer
  tags: [saas-linux-medium-amd64]
  needs:
    - job: semgrep-sast
      artifacts: true
  script:
    - ls -la
    - 'test -f semgrep.sarif || { echo "semgrep.sarif not found"; ls -R; exit 1; }'
    - >
      npx mobbdev@latest analyze
      -f semgrep.sarif
      -r "$CI_PROJECT_URL"
      --ref "$CI_COMMIT_REF_NAME"
      --mobb-project-name "GitLab-Fix-Reports"
      --api-key "$MOBB_API_TOKEN"
      --ci
  when: always
```

### Configuration Breakdown

#### Pipeline Structure

* **test stage**: Required by GitLab SAST template
* **sast-scan stage**: Runs Semgrep analysis
* **mobb-autofixer stage**: Processes findings and applies fixes

#### Workflow Rules

The pipeline triggers on:

* Merge request events
* Manual web triggers

#### Semgrep SAST Job

* **Extends**: Uses GitLab's built-in SAST analyzer
* **Artifacts**: Preserves SARIF reports for Mobb processing
* **Output**: Generates `semgrep.sarif` file

{% hint style="warning" %}
**Critical SARIF Export Configuration**

By default, GitLab's Semgrep SAST analyzer does **not** export SARIF files; it only publishes results to GitLab's security dashboard. Mobb, however, requires the SARIF format for vulnerability analysis and fix generation.

This is why the configuration above explicitly extends `.sast-analyzer` and adds an `artifacts` section in order to:

1. **Force SARIF generation**: Ensure Semgrep outputs findings in SARIF format
2. **Preserve artifacts**: Store the SARIF file for downstream consumption by Mobb
3. **Enable integration**: Make vulnerability data available in the format Mobb expects

Without this configuration, the Mobb integration would fail because there would be no SARIF file to analyze.
{% endhint %}

#### Mobb Autofixer Job

* **Dependencies**: Waits for SARIF artifacts from Semgrep
* **Validation**: Checks for SARIF file existence
* **Execution**: Runs Mobb analysis and auto-fixing
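As an added example that is not part of Mobb's or GitLab's tooling, the following Python pre-flight does what the `test -f semgrep.sarif` step does, but more thoroughly: it locates the report wherever the two artifact paths may have put it, checks that it is a SARIF 2.1.0 log, and summarizes findings per rule and level before the Mobb CLI is invoked. The embedded SARIF sample is constructed and its rule ids are illustrative only.

```python
import json
import sys
from collections import Counter
from pathlib import Path

# Constructed sample shaped like Semgrep's SARIF 2.1.0 output (not a real scan).
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "results": [
            {"ruleId": "javascript.express.security.injection.tainted-sql-string", "level": "error",
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/db.js"}}}]},
            {"ruleId": "javascript.lang.security.audit.path-traversal", "level": "warning",
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/files.js"}}}]},
        ],
    }],
}

def find_sarif(root, name="semgrep.sarif"):
    """Locate the report under root (rglob covers the root itself and subdirectories):
    the job keeps both 'semgrep.sarif' and '**/semgrep.sarif' as artifacts."""
    root = Path(root)
    if not root.is_dir():
        return None
    return next(root.rglob(name), None)

def summarize(sarif):
    """Check the minimal SARIF 2.1.0 shape and count findings per rule and per level."""
    if sarif.get("version") != "2.1.0" or not isinstance(sarif.get("runs"), list):
        raise ValueError("not a SARIF 2.1.0 log: missing 'version' or 'runs'")
    by_rule, by_level = Counter(), Counter()
    for run in sarif["runs"]:
        for result in run.get("results", []):
            by_rule[result.get("ruleId", "<no-rule>")] += 1
            by_level[result.get("level", "none")] += 1
    return {"total": sum(by_rule.values()), "by_rule": dict(by_rule), "by_level": dict(by_level)}

def preflight(root="."):
    """Exit code for the CI step: 0 if a parsable report exists, 1 to fail before Mobb runs."""
    path = find_sarif(root)
    if path is None:
        print("semgrep.sarif not found; check the artifacts block of semgrep-sast", file=sys.stderr)
        return 1
    try:
        summary = summarize(json.loads(path.read_text()))
    except ValueError as exc:  # json.JSONDecodeError is a ValueError subclass
        print(f"{path}: {exc}", file=sys.stderr)
        return 1
    print(f"{path}: {summary['total']} finding(s), by level {summary['by_level']}")
    return 0
```

In the pipeline this would run as `python3 preflight.py || exit 1` in place of the `test -f` line, so a missing or malformed report fails the job with a readable reason instead of an opaque CLI error.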

### Required Environment Variables

Set these variables in your GitLab project settings:

| Variable         | Description                                                                                                          |
| ---------------- | -------------------------------------------------------------------------------------------------------------------- |
| `MOBB_API_TOKEN` | Your Mobb API token for authentication ([How to create API tokens](/mobb-user-docs/administration/access-tokens.md)) |

### Mobb CLI Parameters Explained

| Parameter                                  | Description                        |
| ------------------------------------------ | ---------------------------------- |
| `-f semgrep.sarif`                         | Input SARIF file from GitLab SAST  |
| `-r "$CI_PROJECT_URL"`                     | Repository URL for context         |
| `--ref "$CI_COMMIT_REF_NAME"`              | Branch/ref being analyzed          |
| `--mobb-project-name "GitLab-Fix-Reports"` | Project identifier in Mobb         |
| `--api-key "$MOBB_API_TOKEN"`              | Authentication token               |
| `--ci`                                     | CI/CD mode for optimized execution |

