GitLab

SecDim offers contextual secure coding training that integrates with any SARIF-compatible AST tool. This GitLab pipeline takes a SARIF file, searches the SecDim Catalogue for the relevant challenges, adds a link to each matching challenge to the corresponding finding, writes a new SARIF file, and uploads it to GitLab.

GitLab’s Security features (SAST, Dependency Scanning, etc.) only accept their own JSON schema. By converting the SecDim SARIF output into GitLab SAST JSON, you can surface enriched findings in:

  • Merge Request Security widget

  • Pipeline → Security tab

  • Project Security Dashboard (GitLab Ultimate)

This feature is experimental. GitLab does not yet support uploading SARIF natively. To display enriched findings in GitLab’s Security Dashboard and Merge Request Security Widget, we must convert SARIF → GitLab’s SAST JSON format.

Workflow

  1. Run your chosen scanner (e.g., Semgrep) and output SARIF.

  2. Pass SARIF through SecDim Sandbox to enrich findings.

  3. Convert enriched SARIF into GitLab SAST JSON.

  4. Publish the converted JSON as a SAST report artifact (artifacts:reports:sast) in .gitlab-ci.yml.

Example .gitlab-ci.yml

stages: [test, security]

# Step 1: run the scanner and emit SARIF
semgrep:
  stage: test
  image: python:3.10
  script:
    - pip install semgrep
    - semgrep scan --config auto --sarif > findings.sarif
  artifacts:
    paths: [findings.sarif]
    expire_in: 1 week

# Step 2: enrich the SARIF findings with SecDim challenge links
secdim:
  stage: test
  image: ghcr.io/secdim/sandbox-action:2.0.0
  script:
    - /entrypoint --input_sarif_file findings.sarif --output_sarif_file findings.processed.sarif
  needs: [semgrep]   # starts as soon as semgrep finishes, even within the same stage
  artifacts:
    paths: [findings.processed.sarif]
    expire_in: 1 week

# Step 3 and 4: convert enriched SARIF to GitLab SAST JSON and publish it as a SAST report
convert-to-gitlab-sast:
  stage: security
  image: ghcr.io/qodana/sarif-converter:latest
  script:
    - sarif-converter findings.processed.sarif gl-sast-report.json
  needs: [secdim]
  artifacts:
    reports:
      sast: gl-sast-report.json   # GitLab ingests this report into the Security widget/tab
    when: always                  # upload the report even if the job fails

Output

Once the pipeline completes:

  • gl-sast-report.json is published as a SAST report artifact.

  • Findings are displayed in:

    • Merge Request → Security widget

    • Pipeline → Security tab

    • Security Dashboard (Ultimate tier)

Limitations

  • Experimental: GitLab does not officially support arbitrary SARIF uploads.

  • Requires an extra conversion step.

  • Some SARIF fields may not map 1:1 into GitLab’s SAST JSON.
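To make the conversion step and the 1:1 mapping limitation concrete, here is an added minimal SARIF → GitLab SAST JSON converter in Python. It is example code, not SecDim's tooling or the sarif-converter used in the pipeline above; the GitLab field subset, the level-to-severity table, the sarif_rule_id identifier type and the sample SARIF (with its placeholder link) are all assumptions, so validate the output against GitLab's current report schema before relying on it.

```python
import hashlib
from datetime import datetime, timezone

# SARIF result levels -> GitLab severity strings (assumed mapping; SARIF has no "Critical").
LEVEL_TO_SEVERITY = {"error": "High", "warning": "Medium", "note": "Low", "none": "Info"}
# Constructed sample SARIF (the link is a placeholder; where enrichment lands is an assumption).
SAMPLE_SARIF = {
    "version": "2.1.0", "runs": [{
        "tool": {"driver": {"name": "semgrep", "rules": [{
            "id": "python.lang.security.audit.eval-detected",
            "shortDescription": {"text": "eval detected"},
            "helpUri": "https://example.invalid/challenge-link"}]}},
        "results": [{
            "ruleId": "python.lang.security.audit.eval-detected", "level": "error",
            "message": {"text": "Detected eval(). Training: https://example.invalid/challenge-link"},
            "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/views.py"},
                                                "region": {"startLine": 42, "endLine": 42}}}]}]}]}

def sarif_to_gitlab_sast(sarif: dict) -> dict:
    """Map SARIF 2.1.0 results onto a minimal GitLab SAST report (assumed field subset).
    Only the first location is kept; codeFlows, fixes and relatedLocations are dropped."""
    vulnerabilities = []
    for run in sarif.get("runs", []):
        driver = run.get("tool", {}).get("driver", {})
        rules = {r.get("id"): r for r in driver.get("rules", [])}
        for result in run.get("results", []):
            rule_id = result.get("ruleId", "unknown-rule")
            rule = rules.get(rule_id, {})
            phys = (result.get("locations") or [{}])[0].get("physicalLocation", {})
            path = phys.get("artifactLocation", {}).get("uri", "")
            region = phys.get("region", {})
            line = region.get("startLine", 0)
            identifier = {"type": "sarif_rule_id", "name": rule_id, "value": rule_id}
            if rule.get("helpUri"):  # carry the rule's help link through as the identifier URL
                identifier["url"] = rule["helpUri"]
            vulnerabilities.append({
                # Stable id: the same rule at the same file/line deduplicates across pipelines
                "id": hashlib.sha256(f"{rule_id}:{path}:{line}".encode()).hexdigest(),
                "name": rule.get("shortDescription", {}).get("text", rule_id),
                "description": result.get("message", {}).get("text", ""),
                "severity": LEVEL_TO_SEVERITY.get(result.get("level", "warning"), "Unknown"),
                "location": {"file": path, "start_line": line, "end_line": region.get("endLine", line)},
                "identifiers": [identifier],
            })
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")
    tool = {"id": "sarif-to-gitlab", "name": "SARIF to GitLab SAST", "version": "0.1", "vendor": {"name": "example"}}
    return {"version": "15.0.0", "vulnerabilities": vulnerabilities,
            "scan": {"analyzer": tool, "scanner": tool, "type": "sast",
                     "start_time": now, "end_time": now, "status": "success"}}
```

Run it over a real findings.processed.sarif and write the result with json.dump to gl-sast-report.json; anything that only existed in the dropped SARIF fields is what the last limitation above refers to.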