| Reason | What it gives you | When it’s the right choice |
|---|---|---|
| No extra cost | All scans are included with GitLab Ultimate | When you want to avoid purchasing third‑party tools such as SonarQube or ZAP |
| Seamless CI/CD integration | Pre‑written CI templates, single‑file change | When your repo is already on GitLab and you want instant coverage |
| Supported languages | 30+ languages & frameworks (Java, Python, .NET, Node, etc.) | When your application stack is on the supported list |
| Uniform reporting | JSON artifacts that integrate with Merge Request widgets | When you want to surface findings in the same UI you already use |
| One‑tool‑only option | Either native scanner or external tool, not both | When you choose a single vendor‑less approach |
Tip – If you’re already using SonarCloud or ZAP, you do not need to add GitLab’s scanners. Pick the one that best fits your process.
The following steps show the minimal changes required to your .gitlab-ci.yml to activate the native scanners.
Add the include templates. The page's snippet shows only the DAST line; the matching SAST template is the one that produces the sast stage and gl-sast-report.json referred to below, so both are listed here:

```yaml
include:
  - template: Security/SAST.gitlab-ci.yml   # Native SAST
  - template: Security/DAST.gitlab-ci.yml   # Native DAST
```
Set required variables

```yaml
variables:
  # Enable experimental GitLab SAST features (recommended)
  SAST_EXPERIMENTAL_FEATURES: "true"
  # The URL of the web app to scan (required for DAST)
  DAST_WEBSITE: "https://demo.example.com"
  # Run a full passive+active DAST scan
  DAST_FULL_SCAN_ENABLED: "true"
  # Use a browser-based DAST (false → in-memory)
  DAST_BROWSER: "true"
```
Define the stages

GitLab already supplies sast and dast stages.
If your pipeline previously defined custom stages, just add these two names to your existing list:

```yaml
stages:
  # ...your existing stages stay here...
  - sast
  - dast
```
The CI runner will download the scanner Docker images, execute the analyses, and upload the results as artifacts:

| Stage | Artifact name | Format |
|---|---|---|
| sast | gl-sast-report.json | JSON |
| dast | gl-dast-report.json | JSON |
Each artifact is written by the sast or dast job. Every finding in the report carries these fields:

- type: sast or dast
- location: file/URL and line range
- cwe_id: CWE identifier
- severity: info, low, medium, high, or critical
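The report fields above are what a merge gate needs: a small script can read the artifact, count findings per severity, and fail the job when anything at or above a chosen threshold is present. The following is an added example, not code from the original page or from GitLab; it assumes a simplified report layout with a top-level `findings` array whose entries carry exactly the four fields the page lists (the real gl-*-report.json schema has more fields, and the sample report below is constructed, not real scanner output).

```python
import json
from collections import Counter

# Severity order, lowest to highest, as listed on the page.
SEVERITY_ORDER = ["info", "low", "medium", "high", "critical"]

# Constructed sample report (assumption: a "findings" array of objects with
# type / location / cwe_id / severity). Real GitLab reports carry more fields.
SAMPLE_SAST_REPORT = json.dumps({
    "findings": [
        {"type": "sast", "location": "src/app.py:12-14", "cwe_id": "CWE-89", "severity": "high"},
        {"type": "sast", "location": "src/util.py:40-40", "cwe_id": "CWE-327", "severity": "medium"},
        {"type": "sast", "location": "src/app.py:77-80", "cwe_id": "CWE-79", "severity": "critical"},
        {"type": "sast", "location": "src/cfg.py:3-3", "cwe_id": "CWE-798", "severity": "low"},
    ]
})

REQUIRED_FIELDS = ("type", "location", "cwe_id", "severity")


def load_findings(report_text):
    """Parse the report and reject findings that lack a field or use an unknown severity."""
    data = json.loads(report_text)
    findings = data.get("findings", [])
    for finding in findings:
        for key in REQUIRED_FIELDS:
            if key not in finding:
                raise ValueError(f"finding is missing field {key!r}: {finding}")
        if finding["severity"].lower() not in SEVERITY_ORDER:
            raise ValueError(f"unknown severity {finding['severity']!r}")
    return findings


def count_by_severity(findings):
    """Return a Counter of findings keyed by lower-cased severity."""
    return Counter(f["severity"].lower() for f in findings)


def findings_at_or_above(findings, threshold):
    """Findings whose severity is >= threshold, most severe first."""
    floor = SEVERITY_ORDER.index(threshold.lower())
    blocking = [f for f in findings if SEVERITY_ORDER.index(f["severity"].lower()) >= floor]
    return sorted(blocking, key=lambda f: -SEVERITY_ORDER.index(f["severity"].lower()))


def gate(report_text, threshold="high"):
    """Return (passed, blocking_findings); passed is True only when nothing reaches the threshold."""
    findings = load_findings(report_text)
    blocking = findings_at_or_above(findings, threshold)
    return (len(blocking) == 0, blocking)


if __name__ == "__main__":
    import sys
    # Usage in a CI job: python gate.py gl-sast-report.json high
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SAST_REPORT
    threshold = sys.argv[2] if len(sys.argv) > 2 else "high"
    passed, blocking = gate(text, threshold)
    print("findings by severity:", dict(count_by_severity(load_findings(text))))
    for f in blocking:
        print(f"BLOCKING {f['severity']:<8} {f['cwe_id']:<8} {f['location']}")
    sys.exit(0 if passed else 1)
```

Run as a job placed after the sast or dast stage with the report declared as an input artifact; a non-zero exit then marks the pipeline failed, which is the signal the Merge Request widget surfaces. Unknown severities raise rather than being silently treated as "info", so a malformed or truncated artifact cannot pass the gate by accident.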
