With GitLab 14, we saw deep emphasis on modernizing our DevOps capabilities. This modernization enabled enhanced application security and strenghtened collaboration between developers and security professionals.
We saw enhancments such as:
- global rule registry and customization for policy requriements with support for separation of duties
- a newly developed browser-based Dynamic Application Security Testing (DAST) scanner used to test and secure modern APIs and Single Page Applications
- more support for different languages using Semgrep
- new vulnerability management capabilities to increase visibility
With the GitLab 15 release, we can see how our commitment to enhancing application security across the board is stronger than ever. In this blog post, I will provide details on how GitLab is commited to enhancing not only security, but efficiency.
Discover how GitLab 15 can help your team deliver secure software, while maintaining compliance and automating manual processes. Save the date for our GitLab 15 launch event on June 23rd!
GitLab 15 security features
We see that with every GitLab release, there are plenty of enhancements to our security tools. GitLab 15 is no exception! We can see a boatload 🚢 of security enhacements released in GitLab 15 below:
- Container Scanning available in all tiers
- Audit changes to group IP allowlist
- Revoke a personal access token without PAT ID
- Project-level Secure Files in open beta
- Dependency scanning support for poetry.lock files
- Semgrep-based Static Application Security Testing (SAST) scanning available for early adoption
- Access and Verify actions for environments
- Terraform CI/CD template authenticates to Terraform module registry
- GitLab advisory data included in container scanning results
- New audit events for merge settings
- Users with the Reporter role can manage iterations and milestones
- Dependency path information
- Secure and Protect analyzer major version update
- Static Analysis analyzer updates
- Approve deployments from the Environments detail page
- Scan result policies listed under MR approval settings
These features run across different stages of the software development lifecycle. I have created a video showing some of the coolest new security features in GitLab 15:
Scanners moved to GitLab Free Tier
A lot of our scanners were only part of GitLab Ultimate in the past. However, over time, certain scanners have been moved over to GitLab Free Tier, enabling you to enhance the security of your application no matter what tier of GitLab you are using.
| Scanner | Introduced | Moved to Free |
|---|---|---|
| SAST | 10.3 | 13.3 |
| Container Scanning | 10.4 | 15.0 |
| Secret Detection | 11.9 | 13.3 |
Within the free tier, you are able to download the reports generated by the security scanners. This allows developers to see what vulnerabilities were detected within their source code and container images.
However, there are benefits to upgrading to Ultimate, which are described below.
Benefits of upgrading to Ultimate
Some organizations have multiple groups and projects they are working on, as well as a the security team, which manages all the detected vulnerabilities. While having security scan reports ready for download is useful, it is not exactly scalable across an organization. This is where Ultimate assists in enhancing DevSecOps efficiency.
Scanners
While the GitLab Free Tier includes SAST, Secret Detection, and Container Scanning to find vulnerabilities in your source code, when you upgrade to Ultimate, you are provided with even more scanners. Here are some of the additional scanners provided in Ultimate:
- DAST
- Operational Container Scanning
- Dependency Scanning
- Infrastructure as Code Scanning
- Coverage-Guided Fuzzing
- Web-API Fuzzing
Developer Lifecycle
In Ultimate, there is enhanced functionality within the developer lifecycle. The merge request a developer creates will contain a security widget which displays a summary of the new security scan results. New results are determined by comparing the current findings against existing findings in the default branch.
The results contain not only detailed information on the vulnerability and how it affects the system, but also solutions to mitigating or resolving the issue. These vulnerabilities are also actionable, meaning that a comment can be added in order to notify the security team, so they may review – enhancing developer and appsec collaboration. A confidential issue can also be created so that developers and security professionals can work together towards a resolution safely and efficiently.
While these features were avaliable in Ultimate on older versions of GitLab, within release 14 this feature was heightened to include developer training within the vulnerability, helping to educate developers and make them more security-aware. GitLab 15 will provide even more enhancements to the developer lifecycle.
Security team lifecycle
There are also several features which greatly benefit members of a security team.
The security team is able to effectively manage and triage vulnerabilities using the Vulnerability Reports.
The security dashboard allows the security team to assess the security posture of a project or group of projects. This is helpful to see how many vulnerabilities were introduced/resolved over time, as well as which projects require more attention than others
Separation of duties can be enforced using Compliance Frameworks and Security Policies assuring code requires approval before making it to production.
These are just some of the features GitLab has to offer in terms of security. For even more features, please see the GitLab application security documentation.
Thanks for reading! To find out more about the newest security features in GitLab 15, check out the release post. For upcoming version features, see the Upcoming Releases page.
It is also helpful to check out our Secure and Protect roadmaps to get an idea of the direction we are headed!
