gitlabhq/data/deprecations/16-9-sast-analyzer-consolidation.yml

- title: "SAST analyzer coverage changing in GitLab 17.0"  # (required) Clearly explain the change, or planned change. For example, "The `confidential` field for a `Note` is deprecated" or "CI/CD job names will be limited to 250 characters."
  announcement_milestone: "16.9"  # (required) The milestone when this feature was first announced as deprecated.
  removal_milestone: "17.0"  # (required) The milestone when this feature is planned to be removed
  breaking_change: true  # (required) Change to false if this is not a breaking change.
  reporter: connorgilbert  # (required) GitLab username of the person reporting the change
  stage: secure  # (required) String value of the stage that the feature was created in. e.g., Growth
  issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/412060  # (required) Link to the deprecation issue in GitLab
  body: |  # (required) Do not modify this line, instead modify the lines below.
    We're reducing the number of supported [analyzers](https://docs.gitlab.com/user/application_security/sast/analyzers/) used by default in GitLab SAST.
    This is part of our long-term strategy to deliver a faster, more consistent user experience across different programming languages.

    In GitLab 17.0, we will:

    1. Remove a set of language-specific analyzers from the [SAST CI/CD template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/SAST.gitlab-ci.yml) and replace their coverage with [GitLab-supported detection rules](https://docs.gitlab.com/user/application_security/sast/rules/) in the [Semgrep-based analyzer](https://gitlab.com/gitlab-org/security-products/analyzers/semgrep). The following analyzers are now deprecated and will reach End of Support in GitLab 17.0:
       1. [Brakeman](https://gitlab.com/gitlab-org/security-products/analyzers/brakeman) (Ruby, Ruby on Rails)
       1. [Flawfinder](https://gitlab.com/gitlab-org/security-products/analyzers/flawfinder) (C, C++)
       1. [MobSF](https://gitlab.com/gitlab-org/security-products/analyzers/mobsf) (Android, iOS)
       1. [NodeJS Scan](https://gitlab.com/gitlab-org/security-products/analyzers/nodejs-scan) (Node.js)
       1. [PHPCS Security Audit](https://gitlab.com/gitlab-org/security-products/analyzers/phpcs-security-audit) (PHP)
    1. Change the [SAST CI/CD template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/SAST.gitlab-ci.yml) to stop running the [SpotBugs-based analyzer](https://gitlab.com/gitlab-org/security-products/analyzers/spotbugs) for Kotlin and Scala code. These languages will instead be scanned using [GitLab-supported detection rules](https://docs.gitlab.com/user/application_security/sast/rules/) in the [Semgrep-based analyzer](https://gitlab.com/gitlab-org/security-products/analyzers/semgrep).

    Effective immediately, the deprecated analyzers will receive only security updates; other routine improvements or updates are not guaranteed.
    After the analyzers reach End of Support in GitLab 17.0, no further updates will be provided.
    However, we won't delete container images previously published for these analyzers or remove the ability to run them by using custom CI/CD pipeline job definitions.

    The vulnerability management system will update most existing findings so that they're matched with the new detection rules.
    Findings that aren't migrated to the new analyzer will be [automatically resolved](https://docs.gitlab.com/user/application_security/sast/#automatic-vulnerability-resolution).
    See [Vulnerability translation documentation](https://docs.gitlab.com/user/application_security/sast/analyzers/#vulnerability-translation) for further details.

    If you applied customizations to the removed analyzers, or if you currently disable the Semgrep-based analyzer in your pipelines, you must take action as detailed in the [deprecation issue for this change](https://gitlab.com/gitlab-org/gitlab/-/issues/412060#action-required).