At GitLab, we have worked hard to make application security testing a natural by-product of software development. We started with the developer, bringing scan results into their native workflow, then we added a dashboard for the security pro. We acquired Gemnasium and most recently Peach Tech and Fuzzit. We have a board goal to be a world-class security product and have allocated just under 25% of our R&D budget to these capabilities.

We know our SAST, dependency, container, and other scanners are great but we’d also bought into the idea that people choose to use our DevOps platform largely because of CI or SCM and our security is just an added bonus.

But it seems we are our own worst critic, especially on how we determine product maturity. Data points include:

And customers are noticing too:

Here’s a look at other built-in security features in Ultimate for self-hosted and Gold for SaaS.

Vulnerability scans (no assembly required)

If there are two truths in security, they are these: the more you scan, the less risk you carry, and it’s cheaper to find and fix vulnerabilities during development than later in the lifecycle. Developers need access to that data in their workflow. GitLab Ultimate/Gold offers comprehensive scanning out of the box with no integration required: dynamic and static analysis (now including mobile apps), container scanning, dependency scanning, API scanning, and fuzz testing, along with secret detection and license compliance. All of these scans are built into the workflow, with results presented in the MR pipeline, so busy developers don’t have to go hunting for them.

The scans are also easy to apply for security pros. With one click, you can enable them via Auto DevOps, or add third-party scanners through the project’s .gitlab-ci.yml; all it takes is a CI job definition. We’ve even added a handy UX so non-developers can modify the .gitlab-ci.yml without coding. By using CI templates you can easily set and apply security policies, such as merge approval rules, across projects. For highly sensitive environments, you can also run the security scanners entirely offline.
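As an added example (not configuration from the original post), the following .gitlab-ci.yml wires GitLab’s documented security scanner templates into a project pipeline. The template paths are GitLab’s own; the DAST target URL and the internal registry hostname are placeholders you would replace with your own values:

```yaml
# Added example .gitlab-ci.yml: enable GitLab's built-in scanners by
# including the shipped CI templates. Each template adds its own job(s)
# to the pipeline; results surface in the merge request widget and the
# security dashboard.
stages:
  - build
  - test      # SAST, secret detection, dependency, container and license scans run here
  - dast      # the DAST template schedules its job in a dedicated 'dast' stage

include:
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  - template: Security/Container-Scanning.gitlab-ci.yml   # expects an image built earlier in the pipeline
  - template: Security/License-Scanning.gitlab-ci.yml
  - template: Security/DAST.gitlab-ci.yml

variables:
  # Placeholder: DAST needs a running target, typically a review app or staging URL
  DAST_WEBSITE: "https://staging.example.invalid"
  # Offline option (placeholder hostname): pull analyzer images from an internal
  # mirror instead of registry.gitlab.com so runners never need egress
  SECURE_ANALYZERS_PREFIX: "registry.internal.example.invalid/security-products"
```

Merge approval rules that block on new findings are configured in the project’s settings rather than in this file; the pipeline above only produces the reports those rules evaluate.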

Comprehensive dashboards

While this developer-first perspective will reduce vulnerabilities, they can’t all be fixed on the spot. So our security dashboard capability (included with GitLab Ultimate/Gold) helps security pros manage remaining vulnerabilities. It provides a single source of truth, eliminating translation and friction between development and security, and makes it simple for anyone to see the status of remediation work, who changed what, where and when, and even who approved merge requests across the entire software development lifecycle.

And because we know compliance also plays a key role in security, we have a dedicated compliance dashboard that gathers key data to ensure quick and accurate reporting.

Container monitoring

DevOps teams taking advantage of the modularity of containers also need a way to keep all the moving parts safe. GitLab Ultimate offers container threat monitoring in addition to container scanning.

Integrated fuzz testing

Thanks to our acquisition of Peach Tech and Fuzzit, GitLab Ultimate now offers integrated coverage-guided fuzzing and continuous fuzzing, adding new types of testing previously unavailable.

Cover image by Zhen Hu on Unsplash
