2022 Gartner® Magic Quadrant for Application Security Testing

GitLab Named a Challenger

Download the report

GitLab and the 2022 Gartner Magic Quadrant for Application Security Testing

This page outlines how Gartner positions GitLab in their 2022 Magic Quadrant for Application Security Testing, how Gartner views our application security testing capabilities in relation to the larger market, and how GitLab is working with that information in our ongoing product evolution.

Gartner Perspective on the Market and GitLab

Gartner Market Definition:

In the published report, “Gartner defines the application security testing (AST) market as the buyers and sellers of products and services designed to analyze and test applications for security vulnerabilities. This market is highly dynamic and continues to experience rapid evolution in response to changing application architectures and enabling technologies.”

Gartner further notes, “In this analysis, and in vendor assessments, we continue to increase our focus on emerging technologies and approaches, and AST tools that address the new requirements they bring. Overall, the market comprises tools offering core testing capabilities — e.g., static, dynamic and interactive testing; software composition analysis (SCA); and various optional, specialized capabilities.”

Gartner view of GitLab:

In this report, GitLab is recognized as a Challenger, which Gartner defines this way: "Challengers in this Magic Quadrant are vendors that have executed consistently, often with strength in a particular technology (for example, SAST, DAST or IAST) or by focusing on a single delivery model (e.g., on AST as a service only). In addition, they have demonstrated substantial competitive capabilities against the Leaders in their particular focus area, and have demonstrated momentum in their customer base in terms of overall size and growth."


GitLab's Commentary on this Report

We are thrilled to be recognized again by Gartner as a Challenger in the 2022 Magic Quadrant for Application Security Testing report and we are excited to see continued momentum for our unique approach that embeds security into the DevOps workflow. GitLab believes our recognition as a Challenger in the Magic Quadrant represents an evolving market understanding of the value of an approach that empowers and enables developers to find and fix vulnerabilities — and the simplicity of leveraging a DevOps platform to do so.

As an end-to-end DevSecOps platform, GitLab includes Source Code Management, industry-leading Continuous Integration (CI) and robust Security capabilities. GitLab is uniquely positioned to seamlessly unite security and DevOps while helping our customers standardize their pipelines around security and compliance policies. GitLab provides the visibility and controls necessary to not only create more secure software but also to protect the integrity of your software factory and its deliverables.

Product Highlights

If you are unfamiliar with GitLab's application security testing capabilities, here are a few things you should know.

Embedded security enables governance

GitLab Ultimate provides the single tool DevOps teams need to find and fix vulnerabilities in application code and cloud native environments and to manage their risk from detection through remediation. We empower and unite developers and security professionals alike using repeatable, defensible processes that automate security and compliance policies from development through production.

One platform can unite Dev and Sec

Having one tool for both developers and security professionals can unite efforts and improve collaboration. A single source of truth is more efficient and ensures that context isn't lost between multiple tools. When a vulnerability is found, the developer or the security analyst can open a confidential issue with one click. The issue remains tied to the vulnerability, making it easy to see the state of remediation efforts and to collaborate on the resolution.

Comprehensive, integrated security testing empowers developers

With GitLab Ultimate, all of our security scanners are seamlessly integrated into the CI pipeline out of the box - no additional licenses to manage. They run upon code commit and merge by default and can also be run on-demand outside of a pipeline. When run in the pipeline, vulnerabilities are shown in the “diff” (differential, or incremental code change), allowing the developer to see vulnerabilities they created — without noise from ones they did not — while they are still iterating on the code and best able to efficiently resolve them.

Policy Automation provides guardrails

It’s not enough to automate the process of scanning. When and how policies are applied, and how exceptions are handled, also needs to be automated to bring consistency and auditability. GitLab provides a broad range of policies and common controls for compliance. A couple of favorites include: MR approvals that allow you to define when to require active approval by an individual or a group; Compliance Pipelines, which ensure required scans are performed without modifying pipeline configurations; and Audit Events, which show who changed what, where, when across the entire lifecycle.

All-in-one, but you can use only what you need

GitLab makes it simple to embrace our security and governance capabilities. As a single platform, we offer all GitLab functionality (SCM, CI/CD, Security, and more) to the user for one price, with one product — no clumsy tool chain to manage. Subscriptions can be purchased by tier. You will find Static Application Security Testing (SAST) and Secret Detection in the Free tier and many other capabilities in the Ultimate tier, including all other security scanners (i.e., IaC Scanning, Dependency Scanning, Container Scanning, License Compliance, DAST, Fuzzing, and API Security), the Security Dashboard, Compliance, and Value Stream Management. We can include results from third-party security scanners or bug bounty platforms into our pipeline and dashboards — or we can replace them. The choice is yours.

Recent enhancements

We release on the 22nd of every month, delivering value and innovation to our customers. Recent improvements to our application security testing and vulnerability management capabilities include proprietary scanning engines for SAST and DAST to improve coverage, accuracy, and speed; container scanning improvements; and the addition of infrastructure-as-code (IaC) scanning and API security testing. Findings from these, and all of the other security scanners within GitLab, can be actioned from the MR pipeline pre-merge and from vulnerability reports once merged to a default branch. We also recently introduced integrated security training, which provides context-specific training content to help developers understand and remediate the vulnerabilities they introduce in an individual commit. Another favorite: we created a user interface to simplify policy customization — no YAML editing required.

What's Next

Themes for what's next include:

  1. Enabling users to embrace better security practices for cloud-native development.
    This includes things like API discovery and general availability of container scanning in production.
  2. Helping our customers establish & manage security governance of their software supply chain.
    We are working to provide compliance reporting at the group and namespace level, as well as move compliance tasks into the developer’s daily workflow — shifting compliance left, like security, to identify and remediate these flaws earlier in the development process.
  3. Providing innovative capabilities only achievable through a single DevOps platform.
    The CI pipeline is your software assembly line. It must be: standardized, protected, measured, inspected. This is naturally more easily accomplished in a single DevOps platform than in a fragmented DIY tool chain. We have a comprehensive vision) for improving the security of the software supply chain, end-to-end, beyond traditional application security bounds.

We’re excited about our unique ability to lead the application security testing market into a modern approach that harnesses the software factory to create more secure code while better protecting the factory itself. It’s wonderful to see some of the world’s largest enterprises, in the most regulated industries, moving to GitLab for our security capabilities and the unique perspective we bring. These organizations are able to break down departmental silos and empower cross-functional teams to achieve transparency end-to-end in their DevOps lifecycle.

With GitLab, “Everyone Can Contribute.” We invite you to contribute to our product direction and roadmap, which we share publicly. Issues listed under upcoming releases are actual issues (aka stories) assigned to engineers. Please converse with them directly in the issue to share your feedback.

If you haven’t tried Ultimate, this demo shows the security features in action, or check out the free trial.


This page contains information related to upcoming products, features, and functionality.

It is important to note that the information presented is for informational purposes only. Please do not rely on this information for purchasing or planning purposes.

As with all projects, the items mentioned on this page are subject to change or delay. The development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc. ___ Gartner, “Magic Quadrant for Application Security Testing,” Dale Gardner, Mark Horvath, Dionisio Zumerle, April 18, 2022.

GARTNER and Magic Quadrant are registered trademarks and service marks of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved.

Gartner does not endorse any vendor, product or service depicted in our research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Edit this page View source