At GitLab, we believe there's something magical about a video demo as a way to convey strategic vision. We've created this video to internally align where we're going; and since we're transparent by default, you get to see it as well!
So sit back, watch the video, follow along with the presentation, or read below for a lightly edited transcript of the video. You can also play with the prototype yourself (click the header to move to the next page, click the left sidebar to move back) or follow our progress.
Introduction
Today I’m going to talk about GitLab’s product vision for 2018. Specifically, I’m going to show a prototype of what the product might look like.
As you can imagine with a product vision as extensive as ours, there’s a lot to cover. So if you only remember three things from this presentation, know that:
- We’re going after the complete DevOps lifecycle, and specifically,
- we want Operations and Security to use GitLab as a primary interface, and
- a single application covering this entire scope brings emergent benefits, specifically that people can work concurrently, on the same data, with the same interface.
So hopefully it’s obvious by now that we’re going from covering the development lifecycle to covering the entire DevOps lifecycle.
{: .shadow}
From Dev to DevOps
But traditional DevOps tools only focus on the intersection between Dev and Ops, and GitLab is going to deliver a complete scope for both Dev and Ops. In particular, that means we’re not just looking at how Developers can get their code into production, but how Operations can then monitor and manage those applications and underlying infrastructure. A big milestone for GitLab will be when Operations people log into GitLab every day and consider it their main interface for getting work done.
But even that’s not really sufficient, as we’re redefining what the scope of DevOps even is; we’re also covering Security and Business needs (such as project managers). Rather than coming up with some crazy DevSecBizOps name, we’re just calling it DevOps, and putting it all into a single application.
{: .shadow}
No DevSecBizOps; a single application for DevOps
And with that, each group gets an experience tailored to their needs, but shares the same data and interface as everyone else, so collaboration is easy. Imagine an Ops person finds an issue in production, drills down to find the application with the problem, and sees that a recent deploy caused the problem. Simultaneously, a dev gets alerted that their recent deploy triggered a change in production, goes to the merge request and sees the performance change right there. When Dev, Ops, and Security talk, they’re looking at the same data, but from their own point of view.
Now the scope we’re going after is quite large, with a lot of new categories being introduced this year. I won’t go into all of these today, but instead I want to focus on a couple flows that paint a picture of how this could look.
{: .shadow}
New product categories in 2018
Interactive prototype
For this, I’ll switch over to an interactive prototype. [Note: if you want to try it for yourself, click the header to move to the next page, click the left sidebar to move back.] While this may look like a fully functioning instance of GitLab, it is just a demo and many of these features have not been implemented yet.
Development flow
I’ll start by showing a merge request.
{: .shadow}
Developer Flow: Merge Request
One of the new elements we see is a “Test summary” which shows a deeper understanding of your test results. Using standard JUnit XML output, we can tell exactly which tests fail, and provide that information in a nice summary format.
We also see links to the binary artifacts and container images associated with this merge request.
As I scroll down, we see a lot of information about the extensive collection of tests we’ve run on the code.
First we see the code quality section, which we’ve had for a while.
Then the relatively new Security section with static application security testing to find vulnerabilities in your code or your code's dependencies, dynamic application security testing to find vulnerabilities while actually running your app, and an analysis of any vulnerabilities in any of your underlying Docker layers.
We’ll also show how your application performance has changed.
And lastly, we’ll check your dependencies for any violations of your company’s license policy.
Now, this is a LOT to cover for every merge request, so we have separate issues to redesign for all this new information, but I wanted to show it all to you now to see how much we’re doing automatically for you.
Down below all of that is an enhanced code diff that highlights any code you should pay attention to because of code quality concerns or missing test coverage.
{: .shadow}
Code coverage and alerts
This is all part of the “shift left” movement, where important quality, security, and performance tests that may have once been run manually, if at all, and usually much later in the development lifecycle, are now being run automatically as soon as the first code is written.
There’s a lot more planned, but this is a good idea of the direction we’re going in to help Developers get their ideas into production faster.
Operations flow
But that only covers part of our vision, because there’s also the Operations point of view. And a big milestone for our DevOps vision is when Operations start using GitLab as their primary interface.
{: .shadow}
Operations flow: operations health dashboard
There’s a long way to go, but here we’re answering the question, “How is production doing?” In this case we’re seeing a group with four projects in it, and a quick green/yellow/red indicator of how those projects are doing. We’ve put a graph of the Apdex score there to represent the one-metric-to-watch.
Below the projects is a view of the cluster, including CPU and memory usage, possibly indicating when you need to scale up or down the cluster size.
Now, if there was an indication that something was wrong, you’d be able to drill down and see more details and rectify the situation.
But that’s only the first-level understanding of operations. I mean, if we’ve got the data about how things are doing, why not proactively alert you to the problem? Well, that’s the second level, and a natural step. But we’re not going to stop there. The third level is to automatically detect and resolve any issues. If your app needs more resources, just autoscale it. If you then hit a limit on the cluster, well, add a node to the cluster automatically. The Operations experience then should really just be that I go to work in the morning and see an email summary of what has happened, without me having to do anything.
But autoscaling is just scratching the surface, as Operations involves a lot more, from application, infrastructure, and network monitoring, to security patches. After we’ve got this breadth as a structure, we look forward to the customer feature requests.
Security flow
So that covers Dev and Ops, but we’ve got a lot of security features in the product now. How about treating Security folks as first-class citizens and giving them their own Security Audit view?
{: .shadow}
Security flow: security audit
This is your one-stop-shop to see what security vulnerabilities have been detected across the group, showing any automatic or manual actions taken to address the vulnerabilities, and of course letting you click into details.
In the top left we’re reporting an overall success rate in hitting our own internal SLAs for security vulnerabilities.
Full circle
Let’s drill down on one of these vulnerabilities.
{: .shadow}
Automatic updates for security vulnerabilities
We see that the GitLab Bot automatically created a merge request to upgrade one of our dependencies because it noticed that a new version was released.
Since the tests all pass, and of course the merge request fixed the vulnerability, the merge request was automatically merged by the Bot as well.
But, to bring it full circle, l’m showing here that after merging, the CI/CD pipeline started deploying automatically to Production. I mean, why leave a known, fixable security vulnerability live any longer than it needs to, right?
But, in this case, even though all tests passed, we still saw the error rate jump to more than five percent, so we automatically stopped the rollout process, and actually rolled back to the last-known good version immediately.
Then, the Bot detects this and automatically reverts the merge request so we can
leave master
in a good state.
Phew.
Summary
So, wrapping it up:
- We’re going after the complete DevOps lifecycle,
- we want Operations and Security to be our new favorite users, and
- we want teams working concurrently.
And that’s the GitLab Product Vision for 2018!