Building platforms for regulated utilities
Vector Technology Solutions (VTS) is a subsidiary of Vector Group, New Zealand's largest electricity and gas distributor. VTS builds a hyperscale energy data management platform for metering providers across New Zealand and Australia, processing real-time smart meter data for utilities and energy retailers.
VTS runs a team of around 50 engineers in a DevOps model, owning the full lifecycle from requirements to production support. To meet compliance obligations under frameworks such as ISO 27001 and SOC 2, VTS required a level of visibility and control that its existing tools struggled to provide.
VTS used GitHub as its primary source code platform but supplemented it with a patchwork of six third-party tools across source control, code quality, vulnerability scanning, CI/CD, and license management. Code quality required SonarQube. Vulnerability scanning needed separate tools. CI/CD pipelines required another external service. This fragmented setup increased overhead and created a growing risk of configuration drift across repositories.
"I'd describe it as annoying, cumbersome, and prone to hidden gaps," explained Jacques Buitendag, Head of Technology. "Teams would get GitHub, but GitHub never aimed to be a one-stop solution. When we needed code quality, we needed to bring in another tool like SonarQube. For vulnerability scanning, we needed tools such as OWASP Dependency-Check. With GitHub’s focus on repositories, it left the door open for drift across our pipelines."
Governance requirements demanded clear answers: Do we have the right processes? Are we executing them consistently? Can we prove it? With tools scattered across vendors, assembling audit reports became a multi-day exercise.
License compliance auditing exposed the problem. Each year, VTS manually checked each project, extracted dependencies, consolidated duplicates, and compared them against previous years. This process took two full days of engineering time.
Security visibility faced the same problem. VTS scanned at the repository level without an organization-wide review, so vulnerabilities appeared late—after teams had committed to customer milestones—making it difficult to assess risk and decide whether to accept or remediate the vulnerabilities.
VTS selected GitLab Ultimate with self-hosted deployment for three reasons: consolidated governance capabilities, infrastructure control, and seamless developer experience.
GitLab provided VTS with a unified view across all projects, consolidating vulnerability management, license compliance, and security scanning. Teams gained a clear audit trail and no longer needed to integrate separate tools or manually assemble audit data.
The self-hosted model also proved critical. VTS needed to plan for worst-case scenarios. By running GitLab on VTS's infrastructure, the team could isolate systems, shut down network communications and demonstrate clear boundaries to customers during a security incident.
"In the regulated space, we always need a plan for the worst-case scenario. With GitLab self-hosting, we have that. GitLab self-hosting gives us hard control over network access," Buitendag explained.
VTS completed its migration in three months, including standing up infrastructure, configuring backups, and migrating all repositories and pipelines.
From an engineering perspective, the transition was deliberately invisible. GitLab delivered feature parity with GitHub and the core workflow remained unchanged—same branches, merge requests, review process. Teams didn’t need retraining.
"The migration was really smooth," Karen Ip, Head of Engineering, noted. "We had strong support from the GitLab team, who helped our technical staff approach the infrastructure setup with confidence."
The governance benefits appeared immediately. Previously scattered security scanning—SAST, DAST, container scanning, dependency scanning, secret detection—consolidated into GitLab's native capabilities.
License compliance auditing demonstrated the efficiency gain. What previously required two full days now took half a day. Buitendag navigated to GitLab's dependency view, downloaded the consolidated list, and identified changes from the previous year.
"I literally took a multi-day process and got my answer within half a day," Buitendag explained. "It wasn't just faster, it increased accuracy and visibility."
Security improved substantially. Vulnerabilities now appear directly in merge requests, allowing teams to assess impact before code is merged. Rather than discovering issues after committing to customer deliverables, teams can evaluate risks upfront and make informed decisions about remediation.
"Shifting left and having visibility early is a great help," Ip noted. "When a vulnerability gets raised, we can look at the transitive dependency chain and ask: Is this in a part of the dependency we actually use? If not, we can consider the most appropriate option depending on the nature of the vulnerability; could be removing it, or fix it when the patch is available if the risk level is low and impact is unlikely."
The business impact showed in delivery confidence. Engineers could commit to customer timelines knowing security issues would surface during development rather than after delivery commitments. License audits that once consumed two full days now took half a day, reducing governance overhead across the engineering team.
Leadership gained the audit visibility they needed. Rather than scraping multiple tools, they could generate comprehensive reports directly from GitLab showing projects, licenses, vulnerabilities, and access control.
The governance capabilities and self-hosted deployment model enable VTS to compete in the U.S. market by meeting U.S. utilities' cybersecurity requirements, including robust documentation of security, incident response and data governance controls.
With GitLab's consolidated governance and infrastructure control, VTS can further strengthen its ability to demonstrate the security posture required for regulated markets. When prospective customers ask about worst-case-scenario planning or data isolation capabilities, the team can reference GitLab's capabilities in its responses about its ability to physically isolate systems, shut down network communications, and maintain clear security boundaries.
For an engineering team building critical infrastructure in the energy sector, consolidation wasn't just about cost savings—it was about reducing overhead, improving governance visibility, and enabling the team to focus on building innovative energy management capabilities rather than managing tool sprawl.
This market readiness is critical as VTS continues to expand beyond New Zealand and Australia into U.S. utility sector opportunities.
VTS views the initial migration as phase one. The team plans to use GitLab to automatically spin up temporary environments, run full test suites, and validate changes before merging—providing automated indicators when something isn't right. VTS projects that phase two of the migration will reduce build time by up to 50% with GitLab's configuration flexibility across its pipeline architecture.
"We're looking at how GitLab can further help improve and optimize our Software Development Lifecycle process," Ip explained. "GitLab automating processes, testing in temporary environments, and validating before embedding back to main, that's really important."
All information and persons involved in the case study are accurate at the time of publication.