The GitLab 2022

Global DevSecOps Survey

Thriving in an insecure world

In May 2022, over 5,000 DevOps professionals shared details about their teams and practices. Despite a challenging business environment, strong momentum continued in automation, release cadences, and cutting-edge technology adoption.

Secure software development is now an imperative for DevOps teams around the world. It’s the number one reason for – and benefit of – DevOps platform usage.

How will DevOps pros navigate the future? They told us a stronger reliance on soft skills such as communication and collaboration, and an advanced understanding of technologies, including AI/ML.

Read on for our snapshot of DevOps in 2022. ↓

70%

of DevOps teams release code continuously, once a day, or every few days, up 11% from 2021.

Automated testing is growing

47% of teams report their testing is fully automated today, up from 25% last year.

New technologies and methodologies

62% of survey takers are practicing ModelOps, while 51% use AI/ML to check (not test) code.

DevOps = automation

24%

Fully automated in 2022

19%

in 2021

in 2020

What does modern DevOps look like in 2022?

44%

DevOps platforms in use

42%

Teams practice DevSecOps

35%

CI/CD is onboard

30%

Observability/monitoring tools are in place

24%

AI/ML is powering code review, software test and more

* Respondents could choose all that apply

Why use a DevOps platform?

Security

Cost and time savings

Improved DevOps

Easier automation

Improved monitoring

Improved observability

Better metrics

Developers

As we’ve seen over the last three years, devs are taking on more ops responsibilities, as well as more ownership of security.

35%

of devs are releasing code twice as fast, and 15% are releasing code between three and five times faster.

All told, almost 60% acknowledged code is moving into production at a much faster clip.

Why the faster releases?

We asked devs "what’s changed" and a majority said use of a DevOps platform, followed by automated testing, SCM, planning tools, and observability.

What do devs want more of?

More code reviews, automated testing, and planning.

If releases are delayed...

devs blame code development, code review, security analysis, test data management, and, of course, testing.

Roles are changing

Fully 38% of devs said they instrument the code they’ve written for production monitoring (up from 26% in 2021 and just 18% in 2020) and 38% monitor and respond to the infrastructure their apps are running on (up 25% from last year).

It’s a tough world

Developers acknowledge that Covid-19, hiring, security threats, culture changes, and complex tech learning curves added more real-world difficulties to their roles than ever before.

Less is more

Automation has lightened the dev load and eased the burden for manual testing, code review, opening tickets, and more.

Of time and toolchains

~40%

Devs who spend between one-quarter and one-half of their time on toolchain maintenance/integration

* More than double the 2021 percentage

33%

Devs who devote at least half their time and as much as all of their time on toolchain integration and maintenance

We have a development capacity challenge, a recruiting challenge, and a knowledge-sharing challenge.

- Developer respondent

Security

Security pros are also seeing their roles change, particularly when it comes to getting “hands on” with dev teams to get things done.

71%

rated their organization’s security efforts as either “good” or “excellent.”

The great shift left continues

57% of sec team members said their orgs have either shifted security left or are planning to this year. One-third of teams, though, aren’t thinking about a shift left until at least two years from now.

Who owns sec?

As we’ve seen in previous surveys, this is still an area in need of clarity. 43% of sec team members admitted to full ownership of security (a 12% jump from last year), but a resounding majority (53%) said everyone was responsible, a 25% increase from 2021.

Not as optimistic

Concern about security has never been higher, so perhaps it’s not surprising 43% of sec pros feel “somewhat” or “very” unprepared for the future.

In the future...

a majority of sec pros think AI/ML skills will help their careers the most, followed by communication and collaboration (33% each).

All in a day’s work

35% are more involved in daily tasks/more hands on, an 11-point jump from last year.

Security scanning is increasing… Across the board, devs report greater usage of scanning…

53%

run SAST scans (a dramatic jump from last year, which was less than 40%)

55%

employ dynamic application security testing (DAST) scans (up 11 points from last year)

~60%

scan containers today (up 10% from 2021)

56%

perform dependency scans

61%

ensure license compliance checks

…but easy access to data lags The majority of dev teams still aren’t getting scan data in their workflows.

30%

have SAST lite scanners in a web IDE

29%

pull scan results into a web pipeline report for devs

29%

make DAST, container and dependency scans easily available to devs

Operations

No one wears more hats on a DevOps team than an ops pro, and their roles continue to shift dramatically.

44%

of ops teams are “mostly” automated and almost one-quarter of ops teams report full automation, both big jumps from 2021.

Compliance and audits FTW

Most ops pros spend between one-quarter and half their time on audit and compliance, a 15% increase from 2021. And almost 25% of ops pros spend between half and three-quarters of their time dealing with audit and compliance.

The DevSecOps gets real

Just over 76% of ops teams agree at some level that devs are able to receive and address security issues during the development process (that’s a 10% jump from last year).