Blog Security GitLab's commitment to enhanced application security in the modern DevOps world
Published on June 21, 2022
5 min read

GitLab's commitment to enhanced application security in the modern DevOps world

Security abounds in our latest DevOps platform release, GitLab 15.

gl15.jpg

With GitLab 14, we saw deep emphasis on modernizing our DevOps capabilities. This modernization enabled enhanced application security and strenghtened collaboration between developers and security professionals.

We saw enhancments such as:

  • global rule registry and customization for policy requriements with support for separation of duties
  • a newly developed browser-based Dynamic Application Security Testing (DAST) scanner used to test and secure modern APIs and Single Page Applications
  • more support for different languages using Semgrep
  • new vulnerability management capabilities to increase visibility

With the GitLab 15 release, we can see how our commitment to enhancing application security across the board is stronger than ever. In this blog post, I will provide details on how GitLab is commited to enhancing not only security, but efficiency.

Discover how GitLab 15 can help your team deliver secure software, while maintaining compliance and automating manual processes. Save the date for our GitLab 15 launch event on June 23rd!

GitLab 15 security features

We see that with every GitLab release, there are plenty of enhancements to our security tools. GitLab 15 is no exception! We can see a boatload 🚢 of security enhacements released in GitLab 15 below:

These features run across different stages of the software development lifecycle. I have created a video showing some of the coolest new security features in GitLab 15:

Scanners moved to GitLab Free Tier

A lot of our scanners were only part of GitLab Ultimate in the past. However, over time, certain scanners have been moved over to GitLab Free Tier, enabling you to enhance the security of your application no matter what tier of GitLab you are using.

Scanner Introduced Moved to Free
SAST 10.3 13.3
Container Scanning 10.4 15.0
Secret Detection 11.9 13.3

Within the free tier, you are able to download the reports generated by the security scanners. This allows developers to see what vulnerabilities were detected within their source code and container images.

Report on vulnerabilities

However, there are benefits to upgrading to Ultimate, which are described below.

Benefits of upgrading to Ultimate

Some organizations have multiple groups and projects they are working on, as well as a the security team, which manages all the detected vulnerabilities. While having security scan reports ready for download is useful, it is not exactly scalable across an organization. This is where Ultimate assists in enhancing DevSecOps efficiency.

Scanners

While the GitLab Free Tier includes SAST, Secret Detection, and Container Scanning to find vulnerabilities in your source code, when you upgrade to Ultimate, you are provided with even more scanners. Here are some of the additional scanners provided in Ultimate:

Developer Lifecycle

In Ultimate, there is enhanced functionality within the developer lifecycle. The merge request a developer creates will contain a security widget which displays a summary of the new security scan results. New results are determined by comparing the current findings against existing findings in the default branch.

Ultimate security widget

The results contain not only detailed information on the vulnerability and how it affects the system, but also solutions to mitigating or resolving the issue. These vulnerabilities are also actionable, meaning that a comment can be added in order to notify the security team, so they may review – enhancing developer and appsec collaboration. A confidential issue can also be created so that developers and security professionals can work together towards a resolution safely and efficiently.

Confidential issue

While these features were avaliable in Ultimate on older versions of GitLab, within release 14 this feature was heightened to include developer training within the vulnerability, helping to educate developers and make them more security-aware. GitLab 15 will provide even more enhancements to the developer lifecycle.

Ultimate enhancements

Security team lifecycle

There are also several features which greatly benefit members of a security team.

The security team is able to effectively manage and triage vulnerabilities using the Vulnerability Reports.

Vulnerability reports

The security dashboard allows the security team to assess the security posture of a project or group of projects. This is helpful to see how many vulnerabilities were introduced/resolved over time, as well as which projects require more attention than others

security dashboard

Separation of duties can be enforced using Compliance Frameworks and Security Policies assuring code requires approval before making it to production.

Separation of duties

These are just some of the features GitLab has to offer in terms of security. For even more features, please see the GitLab application security documentation.


Thanks for reading! To find out more about the newest security features in GitLab 15, check out the release post. For upcoming version features, see the Upcoming Releases page.

It is also helpful to check out our Secure and Protect roadmaps to get an idea of the direction we are headed!

We want to hear from you

Enjoyed reading this blog post or have questions or feedback? Share your thoughts by creating a new topic in the GitLab community forum. Share your feedback

Ready to get started?

See what your team could do with a unified DevSecOps Platform.

Get free trial

New to GitLab and not sure where to start?

Get started guide

Learn about what GitLab can do for your team

Talk to an expert