GitLab now supports 3rd-party security scanners via SARIF ingestion
If you missed it, third-party SARIF ingestion landed in 19.1 (Ultimate). Any scanner that emits SARIF json can have its findings pulled directly into GitLab. Ingestion is performed natively by adding the following syntax to a scanner job within the .gitlab-ci.yml:artifacts:
reports:
sarif: scanner.sarif
I created a deliberately vulnerable Python app and ran several open-source scanners against it in a single pipeline:
- Semgrep (SAST)
- Bandit (Python SAST)
- Trivy (containers/vulns)
- Gitleaks (secrets)
- OSV-Scanner (dependencies)
- Ruff (lint)
Some scanners may require some tuning in order for the ingestion to work, these are just the ones I've tried. Each emits SARIF, the findings get ingested, the results integrate with several security workflows:
- Vulnerability Report
- MR Security Widget
- Security Policies
- SAST Auto Resolution
- False-Positive Detection
Vulnerability Report with Scanner Filtering
Curious to see whether anyone here has wired up any scanners themselves since the release.