Blog DevSecOps Why GitLab self-managed is the perfect partner for the public sector
Published on: December 13, 2023
7 min read

Why GitLab self-managed is the perfect partner for the public sector

Planning, source code management, CI/CD, app security, and compliance features make the DevSecOps platform a great pairing for government environments.


While Atlassian Server is closing in on end of life (February 15), GitLab is expanding the capabilities of its self-managed DevSecOps platform to fully support the needs of the public sector. GitLab’s Agile Planning and Delivery features help public sector teams consolidate their various Atlassian tools into GitLab’s comprehensive DevSecOps platform. With GitLab, everyone can truly collaborate and efficiently deliver value and consistent quality throughout the DevSecOps lifecycle, including planning, source code management, and continuous integration and delivery – all wrapped with application security and compliance.

"GitLab self-managed is not only something we offer, but it is important to us. It's a path we are going to continue to support with new functionality and a strong security SLA for critical and high vulnerabilities," says Joel Krooswyk, GitLab Federal CTO.

GitLab is trusted across the public sector in federal civilian agencies, all branches of the U.S. Department of Defense, the intelligence community, state and local governments, and many government contractors and system integrators due to its best-in-class DevSecOps features. GitLab’s application security and compliance features help public sector organizations meet increasing requirements to secure their software factories and supply chains when developing and delivering solutions to their customers.

Here are some of the benefits of the GitLab DevSecOps Platform for the public sector.

Migrations your way

GitLab can help organizations expedite their migration from Atlassian Server to a self-managed instance of the DevSecOps platform. Connectivity between Atlassian and GitLab is built into the GitLab platform to automate and simplify data transfer from Jira, Bitbucket, Bamboo, and more. Also, because the process is not a wholesale "lift and shift," organizations can carry out their migration at their own pace, even running the Atlassian and GitLab platforms in parallel, if necessary.

"Customers can stage their migrations in the way that works best for them, moving teams over in a careful, phased approach. And, if you have a program that is ending soon, you don't have to include it in the migration at all," Krooswyk says.

These guides will help ease the migration from Atlassian to GitLab:

Process-neutral planning

GitLab is process-neutral; Agile features can be leveraged to utilize a variety of processes from simple to complex, such as Scaled Agile, on a project-by-project basis. Public sector teams can tailor their work to best meet their needs, while also using group-defined labels to roll information up to management group-level boards and analytics to track progress across their organization.

Reduced administration burden

Public sector organizations can reduce their administrative burden in numerous ways with GitLab, from simplifying procurement processes to streamlining DevSecOps toolchains.

For instance, if an organization has a conglomerate of boutique contractors all under a single umbrella, they can consolidate licensing into a single purchase and achieve cost savings. They also can eliminate fragile and complex DIY toolchains that impede collaboration and innovation by consolidating onto a single DevSecOps platform.

Support for security automation and strong SLAs

GitLab features security automation and governance at scale at every step of the DevSecOps lifecycle. Public sector organizations can practice defense in depth and set granular policies and rules that automate compliance, ensuring a secure software supply chain. Developers can use security automation to minimize manual repetitive tasks so they can focus on deep, value-generating work. At the same time, GitLab's governance guardrails assure security teams that developers are following best practices across the entire company.

For instance, required merge request approvals for protected branches and approval rules enable an organization to support zero trust in the DevSecOps lifecycle by defining code owners for reviews. Approval rules also can call out when application security scanning or license scanning finds a vulnerability or license that needs additional team members with that expertise to join the review and approval process.

Government customers can choose to deploy the GitLab DevSecOps Platform as a single, hardened application that simplifies end-to-end visibility and traceability.

With GitLab, security and compliance policies are managed and enforced consistently across an organization's DevSecOps processes. GitLab has worked closely with government customers to ensure that the platform operates in a fully offline environment to support the development needs of sensitive programs related to national security.

GitLab's vulnerability remediation timelines or SLAs are based on many factors, such as regulatory compliance, customer SLOs and SLAs, vulnerability impact, scope, prevalence in GitLab environments, impact if exploited, and defining reasonable turn-around times for mitigation and remediation to protect GitLab and its customers. All of these factors will be considered when mapping the priority to GitLab’s priority labels. All components in scope of vulnerability management are subject to the same SLAs.

Compliance across the entire software supply chain

Securing the whole software supply chain is about more than just the platform being compliant; GitLab also helps the public sector develop and deliver compliant software to their own customers. For instance, GitLab supports NIST SSDF guidance right out of the box, including the ability to generate a software bill of materials (SBOM).

GitLab also has critical features to keep the software supply chain secure such as continuous vulnerability scanning, which can detect new vulnerabilities outside of an organization's pipeline and in the latest CycloneDX SBOM reports for the default branch. The compliance dashboard enables public sector organizations to report on and manage standards adherence, violations, and compliance frameworks for groups.

Controlling access is a key aspect of compliance and GitLab gives public sector organizations complete control over who has access to their development environment. Following zero trust principles, GitLab supports role-based permissions out of the box as well as custom roles.

Find out how Lockheed Martin used GitLab's compliance framework to enforce software quality and automation to make releases and dependency management more efficient.

Pipeline best practices everyone can access

With GitLab, organizations can easily share knowledge internally and across agencies by leveraging innersourcing. Teams can centralize their best practices around CI/CD and enable sharing of pipeline processes, including integrations with other tools, that have already been approved.

"As pipeline improvements are made, they are contributed back to that shared CI/CD knowledge," Krooswyk says.

For instance, public sector organizations can use compliance frameworks to describe the type of compliance requirements projects must follow and compliance pipelines to define a pipeline configuration to run for any projects with a given compliance framework. Teams can also create CI/CD templates to accelerate new development projects.

Customers also can build a CI component catalog to make reusing pipeline configurations easier and more efficient. Users can discover and collaborate on pipeline constructs so that they can be evolved and improved over time.

Get an introduction to GitLab CI component catalogs and how to best use them.

Support for cloud-neutral environments

The public sector has a mandate to remain cloud-neutral. Because GitLab isn’t commercially tied to any specific cloud provider, organizations can de-risk their multi-cloud strategy and avoid being locked into a single vendor. The DevSecOps platform also is designed to meet the unique needs of cloud-native applications and the infrastructure upon which they rely.

Visibility across the software development lifecycle

A key aspect of succeeding at DevSecOps is visibility — it's necessary to measure, monitor, and make decisions. GitLab's dashboarding and visualization features help organizations to leverage people, processes, and technology to create value-stream-driven software development and go from idea to customer value with the fastest cycle time possible. With one unified data store, teams on GitLab can measure efficiency, productivity, and other key metrics in one place, including applying industry-standard DORA metrics. Get a holistic view of everything from DevOps adoption to developer productivity, vulnerability detection, software quality, innovation, and more.

Experienced professionals at the ready

GitLab's professional services team has extensive experience in the public sector and understands your particular requirements. If you have multiple services, servers, and programs you need to migrate, we will help you plan that out.

Ready to migrate to GitLab? Contact our sales team to start a conversation today.

We want to hear from you

Enjoyed reading this blog post or have questions or feedback? Share your thoughts by creating a new topic in the GitLab community forum. Share your feedback

Ready to get started?

See what your team could do with a unified DevSecOps Platform.

Get free trial

Find out which plan works best for your team

Learn about pricing

Learn about what GitLab can do for your team

Talk to an expert