From YouTube: Breaking down the GitLab SAST Analyzer's Work
Description
Learn how GitLab executes SAST Scans and prepares output for GitLab to consume.
https://gitlab.com/poffey21/java-maven-multimodules/-/blob/f18027159450e20a3377665af4cc3aea70d874ba/.gitlab-ci.yml
Hi, my name is Tim Poffenburger and I am a solutions architect with GitLab, and I wanted to talk about our static analysis security scanning wrapper that is used. The example that I'm going to talk through is specific to Java right now, but the intent of our static analysis scanning wrapper is that it works with a lot of different language-specific libraries and security plugins.

What it typically does is: it builds the code, and that code that's being built is usually going to be generating a set of binaries or bytecode objects, and then it's going to use that language-specific scanner and scan the actual code and the binaries, and link vulnerabilities up between the binaries, what was built, and the source code.
In looking at the spotbugs-sast job, as well as the SAST analyzer that is referenced here and the SAST job, what I was able to put together was this file here. All this is going to do is leverage the SAST job and override spotbugs-sast, and with four lines override the original script.

I was able to update the path so that it has all the different locations where binaries are at for the executables of Maven, SpotBugs and the analyzer. I'm going to kick off the Maven package process, and I'm going to kick off SpotBugs, which is running the security plugins. It's going to take in all the necessary XML parameters, or the include and exclusion files. It's going to also include the Find Security Bugs plugin with a scanning effort of max, and then that's going to port all this stuff out to an XML file.

Specifically, what I'm actually doing here is I'm only going to pass in specific class files, so I wanted to only scan class files that were associated with a particular directory in this web folder. And lastly, this XML file will then be converted via the analyzer that GitLab owns and supports and has authored itself, and it's going to convert this into that JSON format, and this will then store this JSON format.
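The last step described above, converting the SpotBugs XML output into a JSON report, as an added example that is not GitLab's analyzer code: a small Python converter run over a constructed SpotBugs XML fragment. The JSON field names only approximate the GitLab SAST report layout, and the priority-to-severity mapping and schema version string are assumptions of this example.

```python
# Added example, not GitLab's own analyzer code: turn a SpotBugs / Find Security Bugs
# XML report into a simplified GitLab-style SAST report (field names approximate).
import xml.etree.ElementTree as ET

# Constructed sample of a SpotBugs XML report, trimmed to the elements read below.
SAMPLE_SPOTBUGS_XML = """<BugCollection version="4.7.3">
  <BugInstance type="SQL_INJECTION_JDBC" priority="1" rank="4" category="SECURITY">
    <ShortMessage>Potential SQL Injection</ShortMessage>
    <LongMessage>This use of Statement.executeQuery can be vulnerable to SQL injection</LongMessage>
    <Class classname="com.example.web.UserController"/>
    <Method classname="com.example.web.UserController" name="findUser" signature="(Ljava/lang/String;)V"/>
    <SourceLine classname="com.example.web.UserController" start="42" end="42" sourcefile="UserController.java" sourcepath="com/example/web/UserController.java"/>
  </BugInstance>
  <BugInstance type="PREDICTABLE_RANDOM" priority="2" rank="12" category="SECURITY">
    <ShortMessage>Predictable pseudorandom number generator</ShortMessage>
    <Class classname="com.example.web.TokenService"/>
    <SourceLine classname="com.example.web.TokenService" start="17" end="19" sourcefile="TokenService.java" sourcepath="com/example/web/TokenService.java"/>
  </BugInstance>
  <BugInstance type="DM_DEFAULT_ENCODING" priority="2" rank="15" category="I18N">
    <ShortMessage>Reliance on default encoding</ShortMessage>
    <Class classname="com.example.web.Util"/>
    <SourceLine classname="com.example.web.Util" start="8" end="8" sourcefile="Util.java" sourcepath="com/example/web/Util.java"/>
  </BugInstance>
</BugCollection>"""

# Assumed mapping of SpotBugs priority (1 = highest) to a report severity label.
PRIORITY_TO_SEVERITY = {"1": "High", "2": "Medium", "3": "Low"}

def convert_spotbugs_xml(xml_text: str) -> dict:
    # Keep only SECURITY-category findings, i.e. what the Find Security Bugs plugin adds.
    root = ET.fromstring(xml_text)
    findings = []
    for bug in root.iter("BugInstance"):
        if bug.get("category") != "SECURITY":
            continue  # style/correctness detectors are not part of the SAST report
        line = bug.find("SourceLine")  # direct child: the finding's primary location
        method = bug.find("Method")    # optional in SpotBugs output
        findings.append({
            "category": "sast",
            "name": bug.findtext("ShortMessage", default=bug.get("type")),
            "message": bug.findtext("LongMessage", default=""),
            "severity": PRIORITY_TO_SEVERITY.get(bug.get("priority"), "Unknown"),
            "scanner": {"id": "find_sec_bugs", "name": "Find Security Bugs"},
            "location": {"file": line.get("sourcepath"),
                         "start_line": int(line.get("start")),
                         "end_line": int(line.get("end")),
                         "class": bug.find("Class").get("classname"),
                         "method": method.get("name") if method is not None else None},
        })
    return {"version": "15.0.0", "vulnerabilities": findings}  # schema version assumed
```

`json.dumps(convert_spotbugs_xml(SAMPLE_SPOTBUGS_XML), indent=2)` serializes the result; the I18N finding in the sample is dropped, showing why the wrapper scopes the report to the security detectors.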