diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 7a5649f7dcac954d04ef9d79144bff0db8b2c788..16ad0ab06b97b5958895f0ce86cd6c722340cbf7 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -16,6 +16,7 @@
 stages:          # List of stages for jobs, and their order of execution
   - build
   - test
+  - analysis
   - packaging
 
 variables:
@@ -27,6 +28,13 @@ variables:
   ARTIFACT_COMPRESSION_LEVEL: "fast"
   CACHE_COMPRESSION_LEVEL: "fast"
 #  CI_DEBUG_TRACE: "true"
+  SAST_DEFAULT_ANALYZERS: "spotbugs"
+  SAST_EXCLUDED_ANALYZERS: ""
+  SAST_JAVA_VERSION: 11
+
+include:
+  - template: Security/SAST.gitlab-ci.yml
+  - template: Security/Secret-Detection.gitlab-ci.yml
 
 default:
   image:
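Review bot: `SAST_DEFAULT_ANALYZERS: "spotbugs"` reads as "run only SpotBugs", yet the same commit also defines `eslint-sast` with its own `rules:` further down, so the intended analyzer set cannot be read off these variables. As far as I recall, newer GitLab releases dropped `SAST_DEFAULT_ANALYZERS` in favour of `SAST_EXCLUDED_ANALYZERS`; if that applies to this instance, the first variable is silently ignored and every template analyzer is eligible, so confirm against the instance version. I would keep one mechanism and state the intent in a comment, e.g. `# Analyzer selection: only SpotBugs and ESLint are expected to run; see job overrides below`. For consistency with the quoted values around it, write `SAST_JAVA_VERSION: "11"`, since CI variables are consumed as strings.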
@@ -76,6 +84,53 @@ test-job:
     - ROSETTASDK=$ROSETTASDK make -e check_prerequisites
     - ROSETTASDK=$ROSETTASDK make -e test
 
+spotbugs-sast:
+  stage: analysis
+  variables:
+    FAIL_NEVER: 1
+  tags:
+    - cmr
+  artifacts:
+    paths:
+      - gl-sast-report.json
+  rules:
+    - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
+      when: always
+    - if: '$CI_COMMIT_BRANCH && $CI_OPEN_MERGE_REQUESTS'
+      when: always
+    - if: '$CI_COMMIT_BRANCH == "main"'
+      when: always
+    - when: manual
+      allow_failure: true
+
+secret_detection:
+  stage: analysis
+  tags:
+    - cmr
+  rules:
+    - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
+      when: always
+    - if: '$CI_COMMIT_BRANCH && $CI_OPEN_MERGE_REQUESTS'
+      when: always
+    - if: '$CI_COMMIT_BRANCH == "main"'
+      when: always
+    - when: manual
+      allow_failure: true
+
+eslint-sast:
+  stage: analysis
+  tags:
+    - cmr
+  rules:
+    - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
+      when: always
+    - if: '$CI_COMMIT_BRANCH && $CI_OPEN_MERGE_REQUESTS'
+      when: always
+    - if: '$CI_COMMIT_BRANCH == "main"'
+      when: always
+    - when: manual
+      allow_failure: true
+
 
 packaging-job:
   stage: packaging
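Review bot: `FAIL_NEVER: 1` on `spotbugs-sast` tells the analyzer to ignore a failed compile, so the job can finish green with an empty or partial `gl-sast-report.json`, and a merge request then looks scanned when it was not. If that trade-off is intended, record it next to the variable, e.g. `# FAIL_NEVER ignores build failures: a green job does not prove the code was analysed`, and quote the value as `"1"`. In all three jobs the rule `$CI_COMMIT_BRANCH && $CI_OPEN_MERGE_REQUESTS` uses `when: always`, whereas the usual GitLab pattern pairs that condition with `when: never` to suppress the duplicate branch pipeline. As written, each scan runs twice for a branch with an open merge request. Job-level `rules:` presumably also replace the rules shipped in the included templates (for example any file-existence or disable-switch checks), which is worth confirming. The identical rules block could be defined once and shared through a YAML anchor rather than repeated three times.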