►
From YouTube: Walk through of GitLab's APEX Static Application Security Testing (SAST) for Salesforce Development
Description
This is a casual Q/A discussion with Lucas C, GitLab's Sr. engineer who helped build our SAST functionality for APEX code in GitLab. In this video you'll see us discuss:
1. Overview of SAST in GitLab. Brief review of visual diagrams.
2. Details around how we leverage PMD under the hood and what all is currently supported for scanning.
3. Demo of how to set up SAST on a new project that has APEX code starting from a blank .gitlab-ci.yml template. Also we touch on setting up optional approval groups from Security teams.
4. How to leverage SAST in our existing Salesforce Project Template's .gitlab-ci.yml. In the video we create this MR : https://gitlab.com/sfdx/sfdx-project-template/merge_requests/2
Also check out resources at:
1. https://gitlab.com/sfdx
2. https://docs.gitlab.com/ee/user/application_security/sast/
3. https://pmd.github.io/pmd/
A
A
Cool
I'm
just
doing
barring
some
slides
from
a
talk
I
did
a
little
while
ago
on
this,
but
I'm
with
like
kind
of
a
traditional
application
security
approach.
What
you'll
have
here
is
you'll
you'll
push
up
your
code,
your
future
wrench
and
of
an
emerging
quest
merge
like
loading,
a
master,
kick
sophomore
CICE
pipeline,
and
it
goes
through
the
process
at
some
point.
In
that
stage,
you're
pushing
your
code
up
to
like
a
QA
environment
and
you'll.
Have
your
security,
team
mentor
and
security
teams
will
run
the
security
scans,
create
issues
things
like
that.
A
So,
in
our
case,
we
actually
kind
of
take
a
different
paradigm
where
we're
focused
primarily
on
running
our
security
scans
on
before
actually
gets
merged
into
the
master
branch
here.
So
with
a
more
modern
approach.
The
idea
here
is
that
we
can
actually
run
our
security
scans
about
the
feature
branch
stage
instead.
So
from
here,
what
we
actually
do.
Is
you
push
up
your
code
into
a
feature
branch?
We
spin
up
a
review
app
on
our
end
and
we
can
run
our
security
scans
within
the
context
of
that
merge,
request
itself.
A
So
with
there's
a
number
of
different
security
scans,
there's
dynamic
and
application
security
dependency
scanning
different
methods
and,
in
this
case
we're
talking
about
static
application,
security
testing,
so
sassed
is
really
just
analyzing
code
for
patterns
in
both
analyze
and
source
code
and
byte
code
to
recognize
common
anti
patterns
in
when
you're
writing
your
code.
In
this
case,
it's
making
sure
that
you're
not
allowing
any
sequel
injections
to
occur,
you're
minimizing
cross-site,
scripting
and
yours
making
sure
that
you're
handling
permissions
correctly
and
things
of
that
nature.
A
A
So,
as
you
noted,
this
is
a
collab
ultimate
feature.
So
once
you
have
that
license
enabled
on
a
given
group,
then
you
can
kick
off
security
testing
on
any
er
products.
The
way
that
we
really
structure.
This
is
that
you
enable
security
testing
for
your
CI
configuration
and
that
actually
works
for
all
of
your
C
either
during
the
security
scanning
process.
It
looks
for
certain
markers
in
your
project
for
what
language,
or
what
relevant
scanner
to
use
and
in
some
cases,
if
you're
running
java,
you
might
be
running
maven,
you
might
be
running
ants.
A
You
might
be
using
a
different
build
system
entirely
and
we
use
a
thing
called
an
Orchestrator
to
figure
out
what
language
you're
running
and
run
the
necessarily
scanner
coordinate.
So
in
our
case
apex
we're
going
to
be
looking
for
well,
we
can
certainly
need
markers
in
the
language
to
determine
that's
an
apex
project.
Sometimes
that's
a
packaged
XML
file.
Sometimes
that's
the
s
FTC
project
JSON
file,
things
of
that
nature,
so
here's
a
little
wizard
that
you'll
actually
see
in
our
merger
craft
shortly
in
this
case,
we're
merging
awesome
feature
into
master.
A
The
pipeline
was
passed
and
our
SAS
noticed
that
there
was
one
improved
one
security,
vulnerability
and
that
was
a
fixed
and
then
three
that
were
introduced
in
this
merge
request.
As
you
can
see
from
the
little
markers
here,
we
also
sign
with
each
one
a
severity
rating.
That's
this
medium
here.
I
can
range
from
critical
to
low
and
it
tells
you
exactly
to
the
line
where
exactly
where
your
code,
that
vulnerability
is
so
here's
our
severity
levels
and
as
you
can
see,
we
covered
a
variety
of
languages
and
right.
A
A
In
this
case.
These
are
the
current
security
scans
supported
and
as
soon
as
I'm,
more
work
in
PMD
continues
to
improve.
We
can
pull
this
directly
into
get
lab
itself
and
scan
for
even
more
security
issues.
So,
right
now
we
can
look
for
things
like
cred,
while
Asians
CSRF
attacks
from
a
lack
of
escaping
cross-site,
scripting
possibilities,
and
even
though
there's
an
idea
of
suggesting
using
named
credentials
in
this
case
we're
recognizing
a
specific
paradigm.
That's
preferred
in
Apex
itself
to
properly
write
credentials
and
pass
those
appropriately
cool.
B
A
Yeah,
so
in
this
case
it's
PMD,
as
you
can
see,
there's
a
priority
level
here.
We
actually,
we
spend
a
lot
of
time
thinking
about
this
paradigm,
unlike
what
we
consider
to
be
a
vulnerability,
and
we
are
working
on
a
new
issue
right
now
in
first-class
vulnerabilities,
which
is
the
idea
that
a
more
appropriate
term
for
this
thing
that
we
find
in
a
pipeline
here.
This
is
a
finding
and
finding
is
the
potential
for
a
problem.
So
before
you
actually
merge
code
in
it's
not
necessarily
a
vulnerability.
A
It's
in
this
kind
of
pre
merged
state
right.
So
we
can't
really
say
your
code
is
vulnerable
until
you
merge
that
in
and
once
it
is
and
it's
it
could
still
be
a
false
positives,
but
I
would
say,
there's
a
much
higher
probability
of
vulnerability
once
it's
actually
in
your
your
deployed
branch.
So
there's
an
idea
of
priority
that
comes
from
some
of
the
underlying
tools
in
some
cases
of
mixture
of
severity
and
confidence.
But
we
use
a
number
of
these
different
measures
to
essentially
assess
the
risk
of
each
one
and
just
accordingly
got.
B
It
that
definitely
make
sense.
The
other
question
I
had
was
the
green
checkmark
in
the
summary,
and
you
had
mentioned
this
had
been
ticked
or
addressed.
Is
that
part
of
like
automatically
being
remediated
my
gate
level?
Was
this
in
the
previous
run,
someone
had
already
fixed
it,
but
it
still
came
up
as
a
it.
Wouldn't
you.
A
That's
a
great
question,
and
in
this
case
what
happens
is
the
developer,
who
opened
awesome,
feature
branch
fix
of
themselves?
We
do
have
auto
remediation
capabilities
within
get
lab.
Currently,
that's
limited
to
dependency
scanning,
and
only
certain
package
managers.
Well,
even
with
our
Auto
remediation
feature.
Part
of
our
security
program
is
that
we
enable
developers
and
we
we
are
essentially
non-blocking
and
augmenting
abilities
and
in
in
that
case,
what
are
on
a
remediation
does.
Is
it
will
create
a
merge
request
back
into
this
branch
to
fix
the
problem?
A
It
doesn't
automata,
but
it
it
provides
the
details
and
information
to
the
developers
to
handle
this
themselves
and
I.
Don't
think
that
will
be
ok
quite
dig
into
the
other
mediation
for
now,
but
I
guess,
as
I
said,
it's
currently
it's
based
on
dependency
scanning,
so
hopefully
we'll
get
that
over
to
static
analysis.
Soon,
Johnny.
A
A
So,
let's
get
into
how
to
actually
enable
this
now
with
much
of
our
in
all
of
our
security
scans.
The
process
is
adding
this
to
your
pipeline
configuration.
So
we
go
to
a
configuration
section
here.
We
support
SAS
in
give-up,
eleven,
nine
or
later
and
in
the
case
of
apex,
it's
twelve
one
so
by
running,
get
live
12.1
and
this
should
run
automatically
just
by
including
the
snippet
here.
So
this
eases
our
CI
syntax,
so
to
include
a
template
called
SAS
and
this
ships
with
every
get
live
version.
A
So
it'll
just
pull
that
locally
from
within
the
installation
and
run
it
right
there
part
of
this
template
what
it
does
is
it
will,
as
I
mentioned
before
it
looks
for
project
markers
in
the
case
of
the
in
the
case
of
the
apex
scanner.
We
look
for
an
SF
DC
project
JSON
file,
which
is
for
a
newer
Salesforce
projects
where
we
fall
back
to
a
excuse.
Me
I'm
a
packaged
XML
file
for
some
of
the
older
ones,
so.
B
We
do
have
a
CI
template
made
for
development
for
Salesforce,
and
then
we
also
have
a
project
template
made.
That
includes
a
boilerplate
for
the
s
FD
X
J
sauce,
so
I'm
wondering
when
you
add
this
include
template
that
that
append
the
existing
github
CI
mo
or
does
that
replace
someone
that
functionality?
How
do
you
how
to
use
this
call
if
you
already
have
a
CI
template
for
your
project,
yeah.
A
In
this
case,
you
can
just
add
this
to
the
end
of
the
file.
The
include
will
actually
go
in
and
append
this
on
to
any
previous
include,
so
it
won't
override
any
and
it
will
just
work
with
it
and
there's
another
way
as
well,
which
is
within
the
context
of
a
project.
You
can
use
the
CI
template,
so
you
can
drop
click
the
drop-down
and
select
sassed
to
inject
it
in
directly,
but
in
that
case
that
will
actually
override
the
content,
because
you're
essentially
templating
on
a
new
one.
A
A
Okay,
so
we've
now
imported
our
project.
As
you
can
see,
this
is
100%
Apex
and
it
doesn't
have
a
CI
configuration
yet.
So
what
we're
going
to
do
is
we're
going
to
set
up
CICE
here
and
when
I
click
this
it's
essentially
the
equivalent
of
creating
a
new
file
in
this
directory
and
then
specifying
it
as
our
CI
configuration
so
go
ahead
and
click
that
and
then
we'll
go
ahead
and
go
back
here
to
the
docs.
A
And
we're
creating
a
new
merge
request.
So
what
we're
doing
in
this
case
is
we're
adding
a
new
CI
configuration
as
soon
as
I
commit
these
changes.
It's
going
to
recognize
new
changes
on
a
new
branch
and
start
running
a
pipeline.
Now
in
this
process
it
will
actually
run
our
security
scan,
since
this
is
the
only
job
defined
in
our
pipeline
currently
now
one
thing
to
note
here
is
that
when
this
actually
runs,
this
is
going
to
actually
be
running
against
our
main
branch.
A
Normally,
when
you
run
a
merton,
when
you
run
code
on
a
merging
quest,
it
will
only
look
at
those
changes
within
the
merge
quest
and
it
will
dis
them
against
changes
in
your
master.
But
in
this
case
it's
not
there's
not
really
anything
to
diff,
because
no
security
scam
has
been
run
on
the
master.
So
it's
going
to
recognize
changes
in
the
master
branch
within
the
merge
request,
and
this
way
it
just
really
helps
you
get
started
to
recognize
with
your
first
skin,
exactly
what's
mul
nerville
and
then
from
there
on
out.
B
A
In
in
this
case,
the
green
check
would
the
green
check
is
only
there
to
clarify
something
has
been
fixed,
specifically,
okay,
it's
not
present
if
there
is
a
vulnerability
in
your
master
branch
and
you
don't
touch
that
file
or
that
code
at
all.
Within
the
merge
request,
it
won't
be
present,
and
so
we
we
actually
aim
for
two
major
stakeholders
with
our
security
tools.
There
is
a
developer
and
then
there's
a
security
professional
so
as
such
there's
really
two
different
contexts
by
which
we
exposed
vulnerable
abuse.
A
So
as
I'm
explaining
this,
we
have
this
pipeline
here.
It's
penny
and
it'll
get
picked
up
by
a
runner
in
a
second
and
we'll
go
to
checkout,
just
click
through
to
check
out
the
results
here,
but
we
have
this
over
here
we
have
a
thing
called.
The
security
dashboard
through
dashboard
is
an
overview
of
all
vulnerabilities
the
base.
So
when
you
go
here,
it
will
show
every
vulnerability
that
is
currently
in
your
default
branch.
A
So
that
is
the
content
that
is
upon
expiry,
which
you
have
an
overview
within
the
context
of
a
merger
quest,
though
the
aim
is
to
target
developers
and
developers,
they
might
not
care.
If
there's
a
vulnerability,
that's
been
introduced
in
some
other
merger
quest,
we
only
give
them
the
context
of
the
changes
they
have
made
then
does
that
make
sense,
yeah
I.
A
A
So
right
now
there
was
no
security
widget
here,
because
our
security
scans
have
mountain
to
run
yet,
but
right
in
here
we'll
see
our
widget
soon
the
same.
When
you
see
here
in
the
docs
with
well
slightly
different
data,
that
would
tell
us
exactly
how
many
vulnerabilities
are
present
in
our
master
branch.
A
Now,
along
with
this,
we
have
an
additional
feature
that
we've
just
recently
released
called
a
called
a
security
approvals.
So
if
you
create
a
specific
security
group
that
will
actually
be
an
approval
group
right
here,
then
you
can
enable
a
mandatory
approval
if
there
is
a
loner
ability
of
medium
or
higher
confidence.
So
the
idea
here
is
that
if
you
enable
a
security
approval
group,
then
they
will
be
required
to
approve
something
if
a
specific
vulnerability
of
a
specific
severity
is
detected.
A
Now
the
first
thing
we're
going
to
see
here
is
our
security
scan
kicks
off.
It
pulls
down
our
sassed
container
and,
as
it
runs
you
can
see,
it
actually
starts
running
our
Orchestrator
and
trying
to
figure
out
what
kind
of
project
we've
got.
So
our
ghost
scanner
looks
for
some
go
code.
Our
spot
leg
scanner
looks
for
some
Java
code,
flaw
finder
for
dotnet,
and
we
go
through
and
ensure
that
each
project
where
this
is
compatible,
it
runs
our
skin.
A
Additionally,
our
secret
detection
kicks
off
here,
and
in
this
case
it
determined
that
the
project
is
compatible
with
secret
detection.
In
this
case,
just
ensuring
there's,
no
API
keys
or
any
high
entry
streams
that
are
present
looks
like
that
got
pulled
down.
It
ran
successfully
and
then
right
there,
our
PMD
analyzer
ran
and
recognized
Apex
code
from
there.
It
pulls
down
on
the
PMD
analyzer
and
starts
running
that
as
well.
A
Right
yeah,
so
not
much
get
really
excited
that
there's
our
abilities,
but
here
we
go
so
it
looks
like
intercept
summary.
There
was
a
five
owner
builders
detected
all
by
PMD
apex.
So,
while
the
secret
detection
ran,
it
didn't
find
any
secrets,
and
within
these
files
at
these
specific
locations,
we're
seeing
crud
violations
and
then
a
cross-site
scripting
from
URL
cram,
which
is
likely
an
unsafe
URL
program,
is
getting
passed
straight
into
some
functional,
so
the
upload
the
artifact
ran-
and
this
is
one
very
important
part.
A
While
there
are
security
scans
detected,
we
still
consider
the
job
to
be
a
success.
In
this
case,
our
goal
is
to
provide
developers
with
more
information.
So
you're,
not
you
should
expect
a
pipeline
failure
when
our
security
scans.
This
is
just
information,
we're
providing
to
developers
to
make
a
decision
within
the
merger
quest.
A
This
part
right
here
is
what
I
was
talking
about
is
essentially
recognizing
is
that
there
are
five
ulnar
abilities,
but
these
are
from
the
source
branch
as
well.
So
these
are
not
just
within
the
context
of
the
merging
cost
from
here.
We
can
expand
it
out,
and
these
are
the
vulnerability
types
and
these
are
the
new
patients.
A
Let's
go
to
open
this
one
up
rule
validates
that
you're
checking
for
access
permissions
before
running
a
sequel
operation
and
then
here's
a
file
and
if
I
click
through
here
we
go
to
the
exact
area
where
this
is
occurring
within
the
context
of
this
branch
and
I
can
figure
out.
Oh
that's,
that's
not
a
big
deal
and
I
can
go
back
and
I
could
dismiss
this
vulnerability.
I
can
leave
them
know
during
dismissing
it
not
a
big
deal
and
then
that
one's
gone.
A
Take
a
look
at
one
more
here,
make
sure
that
all
the
values
are
properly
escapes.
Take
a
look
at
the
context.
In
this
case
it
looks
like
we're
passing
this
node
straight
into
a
query:
where's
our
node
here
get
params
get
node,
so
it
looks
like
it's
just
pulling
a
string
straight
from
the
parameter
and
passing
it
right
into
the
query.
That's
a
bit
concerning
so
I'm
gonna.
Go
back
to
my
emergency.
A
I'm
gonna
create
an
issue
to
fix
this.
In
this
case,
I
can
follow
a
standard
development
flow
I
can
assign
out
the
issue.
Someone
can
make
a
merge
request
straight
into
this
target
branch
and
we
can
actually
remediate
this
before
it
even
gets
merged.
No
so
I'll
create
that
issue,
and
then
we
can
follow
up.
B
A
That's
right,
so
we
can
go
ahead
and
just
do
this
now,
depending
on
the
context
of
a
project.
If
your
project
public,
you
may
want
to
do
everything
confidentially
there,
if
it's
pretty
project
projects
and
confidential
issues
or
Mrs,
it
just
really
depends
on
your
organization
if
it's
a
good
fit
yeah
and
then
here's
our
issue
right
here,
as
you
can
see,
if
we
look
at
this
previous
one,
we
can
undo
the
dismissal
see
who
dismissed
it,
and
why
or
even
creating
this,
you
can
fix
it
as
well.
A
A
A
We
go
into
our
general
settings
here.
We
can
go
to
merge
across
approvals
and
we
can
create
a
promoter
of
Seir
approval.
Ooks
has
have
really
felt
in
powerful
features,
so
there's
quite
a
bit
here
that
you
can
use.
You
can
do
things
like
require
proof
from
code
owners.
So
if
you
define
a
clone
in
her
file,
say
I
am
a
Docs
person,
so
any
any
file
in
the
doc
folder
I
want
to
be
an
approval.
Approval,
for
you
can
do
things
like
prevent.
Approval
is
by
merging
past
authors
or
maybe
I.
A
A
A
A
Ok
and
now
no
pools
are
required
because,
with
our
security
check
default
behavior,
none
of
these
are
higher
or
critical,
but
there
are
eligible
approvals,
and
so
you
see
this
pending
approvals
on
the
phone.
A
village
chat
group
is
now
optional.
It's
already
introduced
a
high
one
here,
then
this
was
actually
become
required.
B
And
then
there
yep
that's
it,
and
so
this
is
the
group
that
we
have.
Will
we
keep
our
project
template
in
our
CI
CD
template,
so
Francis
helped
us
tremendously
in
creating
that
CI
CD
template
and
the
project
template
actually
includes
the
template
from
the
second
project
below
so
I
was
wondering:
how
would
we
inject
the
SAS
getting
into
this
gitlab
see?
I
am
oh.
A
A
A
In
this
case,
the
the
template
job
pulls
in
in
this
case
templates
really
just
pulling
in
some
other
yo
mofos
right.
In
this
case
our
file
is
called
cest
or
our
job
definition
within
the
templates
course
assess
so
within
sauce.
We
can
also
override
a
couple
of
things.
In
one
case,
let's
say:
I,
don't
want
secret
detection
to
run
and
well
it
didn't
pick
up
anything.
We
saw
with
the
context
of
approach
request.
Secret
detection
was
running.
B
A
We're
gonna
look
here
at
our
deep
sauce
default.
Analyzers
we're
gonna
override
the
names
of
the
default
analyzer
images,
or
in
this
case
we
only
want
p.m.
Dax
run.
We
don't
want
our
secrets
fun.
So
what
we're
going
to
do
is
we're
going
to
say
we're
going
to
find
in
your
variables
section
and
we're
going
to
our
SAS
diva
analyzers
such
a
PMD
apex.
A
B
A
Yes,
look
at
this
because
I'm
curious
trying
to
remember
how
this
this
exact
syntax
since
and
they're
rusty
on
the
illness,
so
her
only
syntax
only
defines
the
names
of
branches
and
tapes
with
the
job
will
run
and
except
for
when
they
would
not
run.
Look
at
some
examples
here.
Only
on
texture
schedules,
okay,
so
I
think
we'd
use
something
a
lot
like
this
here,
so
I'm
going
to
copy
that
will
say
there
will
be
only
branches
that
master,
because
master
really
is
just
another
branch.
It's
just
a
in
our
case,
a
speciality
branch.
B
B
A
A
B
Cool
cool
so
again,
thank
you
so
much
for
walking
us
through
how
to
enable
SAS
for
apex
and
in
Salesforce
development.
I
think
this
is
extremely
helpful
and
I'm
sure
our
viewers
are
gonna,
find
that
useful
as
well
so
I'm
gonna
go
ahead
and
stop
the
recording
again
because,
thank
you
so
much
for
having
this
Q&A
discussion.