The following page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features or functionality remain at the sole discretion of GitLab Inc.
This page combines priorities across the feature categories that Static Analysis maintains. For details on each category, see the category direction pages:
These are primarily feature enhancements, curated by Product Management.
Name | Overall status | One-month plan | Three-month plan |
---|---|---|---|
Advanced SAST support for PHP | Expected in FY26Q1. In progress. | Finalize engine support, implement rules | Complete rules; test; identify any additional changes required |
Duo Vulnerability Resolution: Support new single-file vulnerability types | Expected in FY26Q1. In progress. | Complete evaluation. Begin enabling vuln types that pass the quality standard. | |
New metrics for SAST adoption | Expected in 17.10. Define technical plan and implement in 17.10. | Implement high-priority missing metrics | |
Proactive detection accuracy updates for Python, Go, Java | Expected FY26Q1. (Primarily Vulnerability Research.) | Ship findings based on analysis of benchmark/example applications | |
Multi-core Advanced SAST scanning | Expected in FY26Q1. Available as an opt-in. | Enable by default | |
Improve Advanced SAST performance and stability | Beginning implementation in 17.10. | Begin implementation | Differential scanning, multi-threaded engine, incremental scanning |
Enable Advanced SAST by default | Expected in 18.0 (FY26Q2). | Make necessary preparations | Complete transition |
Implement Advanced SAST for C/C++ | Expected by FY26Q4. Beginning technical planning in 17.10. | Create technical plan | |
Use Advanced SAST engine and rules for real-time IDE SAST scanning | Expected in FY26Q2. | Use Advanced SAST engine; identify action items from user feedback | Work toward self-managed support; address other user feedback |
Incremental scanning for Advanced SAST (skip unchanged code) | Expected FY26Q2. Reassessing technical plan. | | |
Reduce false negatives in C# Advanced SAST | Expected FY26Q2. (Primarily Vulnerability Research.) | | |
Real-time IDE SAST scanning: Beta release | Expected FY26Q3 | | |
Customizable detection logic for Advanced SAST | Expected FY26Q3 | | |
Real-time IDE SAST scanning: GA release | Expected FY26Q4 | | |
Duo Vulnerability Resolution: Support resolving cross-file injection vulnerabilities | Expected FY26Q4. Will require coordination with Security Risk Management. | | |
These are primarily technical tasks, curated by Engineering Management.
Priority | Name | Target release |
---|---|---|
1 | AST CI-templates improvements | TBD |
2 | Static Analysis 18.0 deprecations, removals and breaking changes | 18.0 |
These are proactive documentation-focused tasks, outside of the context of feature or maintenance efforts already tracked elsewhere. Curated by Product Management.
Name | Overall status | One-month plan | Three-month plan |
---|---|---|---|
Provide guidance on how to evaluate GitLab SAST | Initial guide shipped | Implement further edits to the evaluation guide | Publish benchmark/example project guide, based on analysis project listed below |
Restructure and update Advanced SAST docs now that the feature is GA | In progress. (Primarily documentation.) | Complete most issues in this epic | Complete entire epic |
These are priorities that Static Analysis has, where we believe we would benefit from support from Vulnerability Research. Curated by Product Management and Engineering Management.
Name | Overall status | One-month plan | Three-month plan |
---|---|---|---|
Release rule updates based on benchmark analysis | Expected to complete in 17.9/17.10. In progress. | Ship Python updates. Refresh Go ground-truth and ship updates. Ship already-drafted Java updates only (with further Java updates later). | |
Create Advanced SAST ruleset for PHP | Expected in FY26Q1. In progress. | Migrate existing rules; develop new rules; analyze performance. | |
Address false-negative results in C# Advanced SAST coverage | Expected by FY26Q2. | Analyze existing cases; diagnose gaps; analyze and improve source/sink coverage; analyze and improve rule coverage | |
Update Java rules based on benchmark/example analysis | To be scheduled. Will involve refreshing our ground-truth analysis and implementing rule changes. | | |
Create Advanced SAST ruleset for C++ | | | |
Expand detection of dangerous query construction without traceable user input | | | |
Implement the next level of documentation for rule/CWE coverage | Assessing implementation options. | Interview internal users and develop technical plan | Ship documentation |
We believe that the world is safer when everyone can contribute to software security. Our customers, and those they serve, are better protected when developers and security professionals can fix potential security risks earlier.
The earliest possible time to catch a security issue is when the code is first written. GitLab sees code very early in the software development lifecycle, since we store production code and also support customer workflows (like merge requests) for pre-production development. So, our group is uniquely positioned to integrate static analysis everywhere as part of a comprehensive DevSecOps platform. We can do what others can't by making security omnipresent, and by supporting collaboration right in the tools that development teams are already using to do their jobs.
Building on those fundamental beliefs, the Static Analysis group's business purpose is to build value for GitLab and our customers…
We are responsible for ensuring that customers can use GitLab Ultimate to:
Our responsibility is for the full customer experience—not just security analyzers or specific software systems we maintain. At times this may mean:
We will do what it takes to deliver these customer results—our customers use the entire product to do their jobs, so it's important that we collaborate effectively with other groups to deliver end-to-end results.
This page is designed to clarify competing priorities between feature categories and provide a high-level summary of the problems the Static Analysis group plans to tackle.
It includes "headline" items that we're planning to work on, and ranks them across the feature categories that Static Analysis maintains.
However, it doesn't:
Stage | Application Security Testing |
Content Last Reviewed | 2025-02-18 |