Pre-commit SAST Scanning on GitLab - Any info available?

Hi Everyone,

I have a requirement to scan the files when a user commits changes. Below is what I would actually like to do.

  1. A SAST scan should be triggered whenever a user tries to commit to GitLab.
  2. The SAST scan should be performed on only those files being committed.
  3. Pre-commit should check the scan result and allow the commit if there are zero vulnerabilities. Ideally the scan time should be less than one minute.

Can we do scanning before commits happen? Please let me know if you have any information on this.

Thanks,
Prasad.

Hi Prasad,

At this point in time, there is no way to run a precommit scan with SAST. Thank you for your question.

Thanks,
Daniel

Hi dsearles,

Thank you for the response. I went through this video and came to know that we can do static analysis on the code being committed. If you check the video below at 3:25, they mention that static analysis can be done.

Is the above requirement possible with server-side hooks?

Thanks,
Prasad.

The precommit hook is run on the client, before the “git commit” command actually finishes. If the precommit hook scripts fail, no commit is done. If the scanning takes too long, it blocks every single commit. Especially on low resource hardware, this can make development harder.

I’m not sure about your exact use case, but here is a suggestion for a different workflow:

Work in branches locally, commit often, and regularly push to the remote GitLab server, and create a draft MR.

On the server, Static Application Security Testing can run and report any found vulnerabilities into the MR. Developers can review, and the merge can be blocked too.

Running SAST scans on the server also reduces resource usage on the client. For example, a SAST scan can run for 60 seconds. If that’s added as a precommit hook on the client, it can block the git commit command, and may timeout. Fast commits help developers focus, while the server runs automated and asynchronous tests and scans.

Later, when the merge request is nearing approval and merge, you can set it to squash all commits if needed. One thing you can implement as a client pre-commit hook is checking the style guide for commit messages, e.g. with GitHub - conventional-changelog/commitlint: Lint commit messages
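
As an added example (not code from the thread or from GitLab), this is what a client-side pre-commit hook that follows Prasad's three requirements and respects the time-budget caveat above looks like: it scopes the scan to the staged files, bounds the scan time with a 60-second budget, and fails closed. `SAST_CMD`, `SCAN_TIMEOUT` and the awk stand-in scanner are assumptions; the stand-in only exists so the script runs offline and is meant to be replaced by the real scanner's command line.

```sh
#!/bin/sh
# Added example, not from the thread: a client-side pre-commit hook that scans
# only the staged files, caps the scan time, and blocks the commit on findings.
# Install as .git/hooks/pre-commit (executable). All names here are assumptions.

SCAN_TIMEOUT="${SCAN_TIMEOUT:-60}"   # seconds; the thread's one-minute budget

# Constructed stand-in for a real SAST tool so the script runs offline: it flags
# hard-coded credentials and follows the contract the hook relies on, exit 0 when
# clean and non-zero for findings or errors. Point SAST_CMD at the real scanner.
DEMO_SCANNER="awk '/(password|api_key|secret) *= *[^ ]+/ { found=1; print FILENAME \":\" FNR \": \" \$0 } END { exit found }'"
SAST_CMD="${SAST_CMD:-$DEMO_SCANNER}"

# Files staged for this commit (added, copied, modified); deletions are skipped.
# Paths containing whitespace would need git's -z output and a NUL-safe loop.
staged_files() {
    git diff --cached --name-only --diff-filter=ACM
}

# Run the scanner over the given files under the time budget.
# Returns 0 = clean, 1 = findings or scanner error (fail closed), 2 = timed out.
scan_files() {
    if command -v timeout >/dev/null 2>&1; then
        timeout "$SCAN_TIMEOUT" sh -c "$SAST_CMD \"\$@\"" sh "$@"
    else
        sh -c "$SAST_CMD \"\$@\"" sh "$@"    # no GNU timeout: run unbounded
    fi
    case $? in
        0)   return 0 ;;
        124) return 2 ;;   # GNU timeout reports a killed child with status 124
        *)   return 1 ;;
    esac
}

# Hook entry point: decide whether "git commit" may proceed.
precommit_gate() {
    files=$(staged_files)
    [ -z "$files" ] && return 0          # nothing scannable, e.g. deletions only
    rc=0
    # shellcheck disable=SC2086  # word-splitting the file list is intended
    scan_files $files || rc=$?
    case $rc in
        1) echo "SAST: findings or scanner error in staged files; commit blocked" >&2 ;;
        2) echo "SAST: scan exceeded ${SCAN_TIMEOUT}s; commit blocked" >&2 ;;
    esac
    return $rc
}

# Run the gate only when git invokes this file as the pre-commit hook, so the
# functions above can also be sourced and tested on their own.
case "$0" in *pre-commit) precommit_gate ;; esac
```

Note that a timed-out scan blocks the commit rather than letting it through, which is exactly the developer-experience cost described above; the server-side MR workflow avoids that cost.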

Hi dnsmichi,

Thanks for your valuable suggestions. You mentioned the point below in your answer.

On the server, Static Application Security Testing can run, and report any found vulnerabilities into the MR. Developers can review and merge can be blocked too.

How do we achieve this functionality? Can we trigger a Jenkins job, or is there another way?

Also, I understood the challenges around pre-commit scanning that you mentioned, but I just want to know how to achieve this functionality with pre-commit hooks. Can we perform scanning or trigger a Jenkins job with a shell/Python script?

Thanks,
Prasad.

You’ll need to enable the SAST feature in GitLab: Static Application Security Testing (SAST) | GitLab which automatically runs security testing on every commit push, merge request create, etc.

You can run the security analyzer Docker images locally, or you can select the underlying security scanners and run them yourself. A list of the scanners integrated in GitLab SAST is at SAST Analyzers | GitLab. Potentially there are more OSS scanners for each language.

dnsmichi,

Anyway, can we involve a Jenkins job that does the SAST scanning with SonarQube during post-receive/server-side hooks or with the pre-commit hook? We need to scan the code repo with a Jenkins job and get the scan results back.

We are not using GitLab for CI/CD or DevSecOps purposes. We are currently doing CI/CD through Jenkins only.

Thanks,
Prasad.

I don’t know how this could work with Jenkins; I stopped using it years ago, before migrating to GitLab in my previous job. For this specific question outside of GitLab’s scope, you may want to ask on the Jenkins or SonarQube community forums.

Not to side track the conversation, but would this functionality be viable with a combination of either an IDE plugin / local script to perform the scan and pre-receive hooks?

@jeymz If the SAST scans are fast enough, this might be an interesting feature proposal. In my experience, the runtimes can exceed one minute, which may block ongoing local work if this blocks the developer from performing a commit action.

The IDE plugin could for example fetch the CI/CD status after the commit is pushed to the remote server, via the MR. The VS Code extension for GitLab already does that for the CI/CD parts, but not the security reports.

I’m not sure if Git hooks specifically help here, an event after the pipeline is finished might be more applicable.

Yeah, I think the intended workflow would be: the user creates a branch, the branch runs a scan on commit, and SAST is a requirement for the branch to be merged into the correct branch. With that though, I know there are SAST providers like Checkmarx that have a smaller scan that only runs on scoped code (code belonging to the commit) and can be run in the IDE via a plugin. It would be a neat concept, especially since the SAST libraries seem to be open source.

I’ve evaluated the IaC security scanners and parsing with jq and Python in this blog post:

It could be an inspiration for your own implementation of CLI scanners.