Category Direction - Container Scanning

1. You are here:
2. GitLab Direction
3. Product Stage Direction - Application Security Testing
4. Group Direction - Composition Analysis
5. Category Direction - Container Scanning

• Container Scanning
  • Introduction and how you can help
  • Overview
  • Strategy and Themes
  • 1 year plan
    • What we recently completed
    • What we are currently working on
    • What is next for us
    • What is Not Planned Right Now
  • Best in Class Landscape
    • Key Capabilities
    • Roadmap
    • Top Competitive Solutions
  • Target Audience
  • Pricing and Packaging
  • Analyst Landscape

Container Scanning

Stage	Secure
Maturity	Viable
Content Last Reviewed	2024-02-23
Content Last Updated	2024-02-23

Introduction and how you can help

Thanks for visiting this category direction page on Container Scanning in GitLab. This page belongs to the Composition Analysis group of the Secure stage. The Product Manager is John Crowley.

This direction page is a work in progress, and everyone can contribute:

• Please comment and contribute in the linked issues or epics on this page. Sharing your feedback directly on GitLab.com is the best way to contribute to our strategy and vision.
• Please share feedback directly via email or on a video call. If you're a GitLab user and have direct knowledge of your need for container scanning, we'd especially love to hear from you.

Overview

Container scanning analyzes the packages and libraries used in a container image. It identifies dependencies that have been directly included and it also analyzes those dependencies to get a list of their dependencies (also known as indirect or transitive dependencies). Once a full listing of all direct and transitive dependencies has been obtained, container scanning solutions analyze those dependencies to identify known vulnerabilities in those dependencies.

Container Scanning is often considered an element of Software Composition Analysis and Application Security Testing.

GitLab was named as a Challenger in the 2022 Magic Quadrant for Application Security Testing.

Additional details about our current features and capabilities can be viewed in our documentation.

Strategy and Themes

We have three main themes in our container scanning strategy:

1. Increase usability
   1. Continuous vulnerability scans
   2. Better support scanning of multiple images
   3. Simplify setup for AWS ECR images
2. Decrease noise
   1. Group/consolidate similar findings
   2. Prioritize findings that are fixable by the dev team
   3. Identify false positives
3. Integrate with the rest of GitLab
   1. Automatically scan GitLab's container registry
   2. Alert when the database is updated and vulnerabilities exist in previously-scanned images (Epic/Issue creation in progress)

1 year plan

What we recently completed

In GitLab 16.6 we added support for filtering Container Scanning findings in cases where a fix will not be released. See more details here.

What we are currently working on

During 16.10 we are working towards supporting Continuous Vulnerability Scanning for Container Scanning. This will allow users to receive more timely insights into the vulnerabilities associated with their projects. When a new advisory is added to the GitLab Advisory Database scan results will be updated with any relevant vulnerabilities. Once this work is completed, users will no longer need to run regularly scheduled scans to have their vulnerability results updated for container images that have been scanned as part of the CI pipeline for their default branch.

What is next for us

In the short-term, the Composition Analysis team will be focused on improving Continunous Vulnerability Scanning for Container Scanning. We will be focused on optimizing performance and making iterative changes based on feedback from users.

What is Not Planned Right Now

We currently do not have plans to add the following functionality during the next 12 months:

1. Support for runtime analysis of code execution to help filter out vulnerabilities that exist in code that is never executed. As a workaround, users can explore our partnership with Rezilion which allows for this type of analysis to be performed and the results sent into GitLab.
2. Improvements to our ability to automatically generate merge requests to update dependencies. As a workaround, users can use the open source Renovate project, which has an integration with GitLab.

Best in Class Landscape

BIC (Best In Class) is an indicator of forecasted near-term market performance based on a combination of factors, including analyst views, market news, and feedback from the sales and product teams. It is critical that we understand where GitLab appears in the BIC landscape.

Key Capabilities

For this product area, these are the capabilities a best-in-class solution should provide:

1. The ability to accurately and comprehensively detect known vulnerabilities for both direct and transitive dependencies in a container image.
2. Support for detecting vulnerabilities across a wide variety of operating systems.
3. A robust advisory database that is curated to reduce false positives and contains data from a variety of sources.
4. Support for shifting vulnerability results left into the IDE.
5. Support for identifying fix versions when available.
6. The ability to differentiate between vulnerabilities in packages that exist in the base image vs vulnerabilities in packages that were introduced in a new image layer.
7. Support for automation to help keep dependencies up-to-date.
8. Support for runtime analysis of code execution to help filter out vulnerabilities that exist in code that is never executed.
9. Extensive analysis of other risk factors (quality, supply chain security, maintenance, etc) beyond just security vulnerabilities.

This list represents some key capabilities of a comprehensive container scanning solution. Not all of these capabilities are currently supported by GitLab today.

Roadmap

Our prioritized roadmap can be viewed on our group direction page. Plans to move the category from Viable to Complete are tracked in GitLab.

Top Competitive Solutions

• Black Duck
• Snyk
• Sonatype Nexus
• Qualys
• sysdig
• Aqua
• StackRox
• Prisma Cloud - was TwistLock

Target Audience

Primary: Sasha (Software Developer) wants to know when adding a dependency to a container image if it has known vulnerabilities so alternate versions or dependencies can be considered.

Secondary: Amy (Application Security Engineer) and Isaac (Infrastructure Security Engineer) want to know what dependencies in their container images have known vulnerabilities, to be alerted if a new vulnerability is published for an existing component, and to know how behind current version the components are.

Other:

1. Cameron (Compliance Manager)
2. Devon (DevOps Engineer)
3. Sidney (Systems Administrator)
4. Delaney (Development Team Lead)

Pricing and Packaging

The GitLab Container Scanning features are all packaged as part of the GitLab Ultimate tier. This aligns with our pricing strategy as these features are relevant for executives who are concerned about keeping their organization secured from known vulnerabilities.

Analyst Landscape

Container Scanning is frequently bundled together with Dependency Scanning and License Compliance to provide an overall Software Composition Analysis (SCA) solution within the Application Security Testing (AST) market. GitLab was recently named as a Challenger in the 2022 Magic Quadrant for Application Security Testing.