22 lines
2.7 KiB
YAML
22 lines
2.7 KiB
YAML
|
- title: "The Security Code Scan-based GitLab SAST analyzer is now removed" # (required) Clearly explain the change. For example, "The `confidential` field for a `Note` is removed" or "CI/CD job names are limited to 250 characters."
|
||
|
announcement_milestone: "15.9" # (required) The milestone when this feature was first announced as deprecated.
|
||
|
removal_milestone: "16.0" # (required) The milestone when this feature is being removed.
|
||
|
breaking_change: true # (required) Change to false if this is not a breaking change.
|
||
|
reporter: connorgilbert # (required) GitLab username of the person reporting the change
|
||
|
stage: secure # (required) String value of the stage that the feature was created in. e.g., Growth
|
||
|
issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/390416 # (required) Link to the deprecation issue in GitLab
|
||
|
body: | # (required) Do not modify this line, instead modify the lines below.
|
||
|
GitLab SAST uses various [analyzers](https://docs.gitlab.com/ee/user/application_security/sast/analyzers/) to scan code for vulnerabilities.
|
||
|
We've reduced the number of supported analyzers used by default in GitLab SAST.
|
||
|
This is part of our long-term strategy to deliver a faster, more consistent user experience across different programming languages.
|
||
|
|
||
|
As of GitLab 16.0, the [SAST CI/CD template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml) no longer uses the [Security Code Scan](https://gitlab.com/gitlab-org/security-products/analyzers/security-code-scan)-based analyzer for .NET.
|
||
|
We've removed this analyzer from the SAST CI/CD template and replaced it with GitLab-supported detection rules for C# in the [Semgrep-based analyzer](https://gitlab.com/gitlab-org/security-products/analyzers/semgrep).
|
||
|
|
||
|
Because this analyzer has reached End of Support in GitLab 16.0, we won't provide further updates to it.
|
||
|
However, we won't delete any container images we previously published for this analyzer or remove the ability to run it by using a [custom CI/CD pipeline job](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportssast).
|
||
|
|
||
|
If you've already dismissed a vulnerability finding from the deprecated analyzer, the replacement attempts to respect your previous dismissal. See [Vulnerability translation documentation](https://docs.gitlab.com/ee/user/application_security/sast/analyzers.html#vulnerability-translation) for further details.
|
||
|
|
||
|
If you customize the behavior of GitLab SAST by disabling the Semgrep-based analyzer or depending on specific SAST jobs in your pipelines, you must take action as detailed in the [deprecation issue for this change](https://gitlab.com/gitlab-org/gitlab/-/issues/390416#actions-required).
|