GitLab SAST and GitLab Integrations
June 24, 2020

GitLab SAST: Using GitLab With Klocwork


GitLab SAST is a combination of GitLab— an integrated solution that covers the entire DevOps lifecycle — and, Klocwork — a static code analysis and SAST tool. When used together, these tools provide software development teams with a powerful GitLab SAST solution. Here we explain the benefits of GitLab SAST.

Read along or jump ahead to the section that interests you the most:

➡️ start Now with gitlab sast

Back to top

What Is GitLab?

GitLab is a web-based DevOps lifecycle tool that provides a Git-repository manager for wiki, issue-tracking, and CI/CD Pipeline features. It was developed by Gitlab Inc. and released in 2011.

Software development teams have used GitLab to unite their developers’ workflows and shorten DevOps cycle times — enabling them to produce higher-quality software.

GitLab is used by software development teams from a variety of industries, including aerospace and defense, automotive, medical device, and video game development.

Back to top

Why GitLab Users Should Use Klocwork

GitLab is a popular DevOps lifecycle tool because it shortens cycle time, reduces engineering risk, helps to ensure more secure applications, and bridges silos and stages. So it makes sense that many developers also use a static application security tracking (SAST) tool like Klocwork to complement GitLab.

How Klocwork Complements GitLab

Klocwork is a static code analysis and SAST tool that has been designed to optimize DevSecOps processes, like CI/CD Pipelines.

Differential Analysis

Using system context data from the server, Klocwork is able to analyze only the files that have changed while also providing Differential Analysis results as if the entire system had been analyzed. This provides you with the shortest possible analysis times of new and changed code.

📹 Related Resource: See a Demo of Differential Analysis

Integration Analysis

Using system context data from the server, Klocwork is able to provide a snapshot of the current health of your software project. After each Integrated Analysis, Klocwork will provide a list of detected coding issues along with other reports on your code. By regularly running Integrated Analysis, you are able to improve code quality and ensure uniformity across your codebase.

Back to top

Using GitLab with Klocwork

There are many ways to integrate Klocwork’s static analysis tools within a continuous integration system such as GitLab, as Klocwork provides a command-line interface and flexible tooling to fit most workflows. Suggested here is one example of how Klocwork can be integrated into a DevSecOps workflow, using developer feature branches.

GitLab Integrations

The designed workflow shows a simplified version of developers creating their own feature branches to develop new features or resolve known defects. Once the new feature or bug has been resolved the code is merged into the main branch ready for release.

With Klocwork’s tools, you can create a baseline of the known issues within the codebase using the Integration Analysis tool. These results then become viewable to all via the web portal and can be deferred to a later date or assigned to be fixed. This integration analysis also provides the full project context and existing issue data that the differential analysis utilizes.

Here with the Differential Analysis it is now possible to check on the server-side if the developers commit includes new defects and that should the branch be merged would add technical debt to the project.

It is then configurable to provide feedback via GitLab to the developer that their commit contains new defects as they develop and fail pull requests based on quality gate criteria such as no new defects.

Back to top

Set up GitLab SAST

To set up the GitLab and Klocwork integration, watch the following tutorial:

If you don't want to watch the video, here are the step-by-step instructions for how to set up GitLab SAST:

1. Install GitLab

First, you’ll need to install GitLab. If you’ve already done this, skip to the next step.

To install GitLab:

  1. Go to and click install GitLab.
  2. Select your preferred GitLab Omnibus package.
  3. Install and configure the necessary dependencies.
  4. Add the GitLab package repository and install the package.
  5. Browse to the hostname and login.
  6. Set up your communication preferences.
  7. Launch GitLab.

2. Install Klocwork

Next, you’ll download Klocwork.

If you’re not using Klocwork yet, get started here >>

If you’re already a Klocwork user, download the latest version here >>

3. Configure GitLab Runners

A runner needs configuring where the Klocwork analysis will take place, either by connecting to an existing machine via ssh or by configuring a docker image with Klocwork.

Klocwork provides analysis tool packages for the differential and integration analysis, which means it is simple to deploy to a machine by copying it over and extracting.

The runner should be configured with a tag to identify the runner is capable of a Klocwork analysis, this can then be utilized in the job steps. In these examples, the tag ‘klocwork’ has been used.

4. Klocwork Integration Analysis

This provides the baseline of existing issues, full project context, web portal overview of health, and trending. It is the backbone of the Klocwork analysis and for this example, we will configure it to run only on commits to the master branch, which given the workflow should be coming from pull requests.

Editing the “.gitlab-ci.yml” for the project:

GitLab Integrations

Introducing variables into the file for the Klocwork server and project that this relates to will simplify the configuration.

GitLab Integrations

The Integration Analysis is command-line based, here it has been filtered to only run on the master branch as part of the testing phase. Using the same procedure of capture, analyze, and load as normal, however one change being the use of the commit reference as the name of the Klocwork baseline build. This is used later as a reference in the differential analysis.

5. Klocwork Differential Analysis

With the integration analysis performed and at least one baseline available in the project, it is now possible to analyze changes quickly without previous local analysis data.

GitLab Integrations

Within the same yml file for the project, it is possible to also configure the Differential Analysis. This time running on everything except the master branch( i.e any developer feature branches), it is configured to run the Klocwork differential tool ‘kwciagent’. The steps taken are as follows:

  1. Capture build data using Klocwork’s tooling.
  2. Generate a text file which should contain a list of the changed files in this commit without any formatting (one file per line). Shown is an example git diff command to generate this, it requires a reference to diff against, of which we use the last baseline build name.
  3. Create a local workspace for Klocwork using ‘kwciagent create’.
  4. Run the analysis, however, it is filtered only to run on the changed files bypassing the diff list text file as an argument.
  5. Optionally it is possible to create an artifact of the ‘new’ issues detected if any, here a xml is created.
  6. Optionally it is possible to fail the CI run by checking the artifact for a threshold of issues. In this example, it fails the CI run if any new issues exist.
Back to top

How GitLab SAST Looks

As feature branches are created and pull requests committed it is then possible to get an overview of the analysis runs:

GitLab Integrations

On the Differential Analysis above, note that the run is marked as failed due to the introduction of new issues to the code in respect to the baseline. It’s also shown by the tick and then cross that it failed on the second stage, which in this case means that the build was successful however the testing phase failed.

GitLab Integrations

On the pull request, it is now possible to view if the pipeline has been successful in the development feature branch, providing warnings against merging.

Also note that during the configuration it was configured to archive the diff results file and change list, which are downloadable from the pipeline run

GitLab Integrations

GitLab SAST — The Full Cycle

With the pull request showing warnings against merging it is possible to resolve the defects and re-commit. GitLab will automatically run the differential analysis on the new commit and update the status on the pull request

GitLab SAST and GitLab Integrations

Once merged into the master branch a full integration is then performed again to create the new baseline, capturing the changing made by the merge and this can be shown below

Back to top

Get Started with GitLab SAST

Start optimizing your DevSecOps process with GitLab and Klocwork today.

➡️ Request Your Klocwork free trial

Back to top