Product Stage Direction - Secure

1. You are here:
2. GitLab Direction
3. Product Stage Direction - Secure

On this page

• Stage Overview
  • Groups
  • Resourcing and Investment
• 3 Year Stage Themes
  • Security Is A Team Effort
  • Shift Left. No, More Left Than That.
  • Shift Right. Yes, Right. Right Into Operations.
  • Provide Active Intelligence to Enable Data-Driven Decisions
  • BYOT - Bring Your Own (Security) Tools
• 3 Year Strategy
• 1 Year Plan
  • What We Recently Completed
  • What We Are Currently Working On
  • What's Next For Us
  • What We're Not Doing
• Target audience
  • Today
  • Medium Term (1-2 years)
  • Developers
  • Security teams
• Categories
  • SAST
  • Secret Detection
  • Code Quality
  • DAST
  • API Security
  • Fuzz Testing
  • Software Composition Analysis
  • Container Scanning
  • GitLab Advisory Database
  • Attack Emulation
• Other top-level features
  • Automatic Remediation
  • Bill of materials
  • Offline environment deployments
• Auto DevOps
• Pricing
  • Core/Free
  • Premium/Silver
  • Ultimate/Gold
• Upcoming Releases
  • 16.5 (2023-10-22)
  • 16.6 (2023-11-15)
  • 16.7 (2023-12-20)
  • 16.8 (2024-01-17)
  • 16.9 (2024-02-14)
  • 16.10 (2024-03-20)
• Other Interesting Items

Proactively identify vulnerabilities and weaknesses to minimize risk

The Secure stage enables accurate, automated, and continuous assessment of your applications and services enabling you to proactively identify vulnerabilities and weaknesses to minimize your security risk. Secure is not an additional step in your process nor an additional tool to introduce to your process. it is woven into your DevOps cycle thus allowing you to adapt your security testing and processes to your developers (and not the other way around).

Stage Overview

GitLab was named as a Challenger in the 2022 Magic Quadrant for Application Security Testing.

The Secure Stage focuses on identifying security findings (e.g., vulnerabilities and weaknesses) within applications and services prior to moving them to operations. Furthermore, Secure can (and will) provide security visibility for applications and services already deployed to production. Secure’s goal is to proactively identify vulnerabilities and weaknesses before they are exploited. This is done by:

• Applying a proactive approach to security with a focus on identifying security findings
• Analyzing applications and services including cloud-native infrastructure for security vulnerabilities and weaknesses
• Leveraging common methods including ethical hacking and fuzz testing as well as static and dynamic analysis

Groups

The Secure Stage is made up of one DevOps stage, Secure, and four groups supporting the major categories of DevSecOps including:

• Static Analysis - Assess your applications and services by scanning your source code for vulnerabilities and weaknesses.
• Dynamic Analysis - Assess your applications and services while they are running by leveraging the Review App available as part of GitLab’s CI/CD functionality.
• Composition Analysis - Assess your applications and services by analyzing dependencies for vulnerabilities and weaknesses, confirming only approved licenses are in use, and scanning your containers for vulnerabilities and weaknesses.
• Vulnerability Research - Leverage GitLab research to empower your Secure results by connecting security findings to industry references like CVE IDs.

Resourcing and Investment

The existing team members for the Secure Stage can be found in the links below:

• Development
• User Experience
• Product Management
• Quality Engineering

3 Year Stage Themes

Security Is A Team Effort

Everyone benefits when security is a team effort as testing happens regularly, issues are found earlier, and code shipped is more secure. To make this possible, security must be approachable, not overburden teams, and results must be easy to interpret. Security testing tools and processes must be adapted to your developers (and not the other way around). This means bringing security into the workflow of your developers such that they can stay within their context without having unnecessary steps added to their daily work. Furthermore, results provided as security findings must be presented in a way that they can be interpreted without needing a PhD in cybersecurity. This includes providing enough detail to begin identifying the root cause (including identifying the section of code causing the security finding) and suggesting remediation steps (including automatic remediation) as well as pointing to industry standards related to the security finding. By implementing an integrated DevSecOps lifecycle with actionable results, security becomes everyone’s responsibility.

As examples, GitLab will provide:

• Security findings within the merge request view allowing developers to stay within their context.
• Security gates enabling the ability to require approval to merge when security findings are above a pre-set severity.
• Industry references with security findings to aid in root cause analysis and remediation.
• Automatic remediation, where applicable, enabling faster resolution of security findings.
• Summary views, or dashboards, showing the overall health of the project, group, and instance enabling security teams to contribute and interact with development teams.
• Historical reporting for security findings such that root cause can be identified and addressed, preventing recurring issues.

Shift Left. No, More Left Than That.

The “shift left” approach is not a new concept within software testing and DevOps best practices. It is commonly thought of when discussing the DevSecOps lifecycle. This usually includes security testing earlier in the software development lifecycle with the goal of identifying security vulnerabilities and weaknesses prior to shipping code to operations. Today’s techniques include static application security testing (SAST), dynamic application security testing (DAST), interactive application security testing (IAST), dependency scanning, and license compliance. The continuation of the “shift left” approach requires a harder shift left, bringing security testing as close as possible to the developer. This enables earlier detection of security vulnerabilities and weaknesses, thus lowering the cost of remediation (as well as reducing work for the entire team as security findings are addressed prior to reaching the QA and security teams).

As examples, GitLab will provide:

• Static analysis beyond traditional SAST functionality, enabling more ways to white-box test source code.
• Expanded identification functionality, enabling secret detection beyond API tokens, passwords, and cryptographic keys with improved secrets management leveraging cloud-native technologies.
• Real-time feedback to developers via integrated development environments (IDEs), enabling developers to write secure code prior to code commit.

Shift Right. Yes, Right. Right Into Operations.

Security testing doesn’t stop once code is shipped. New vulnerabilities, security weaknesses and, attacker techniques are constantly discovered, leaving operations and their associated applications and services open to being compromised. Also, as organizations continue to shift to the cloud and employ cloud-native strategies, new attack surfaces are exposed that did not exist within the traditional data center. These include items like cloud storage permissions and unwanted network services. Applications, services, and their associated cloud-native infrastructure need to be assessed just as a user (or an attacker) would interact with them. This means performing the same tasks that an attacker would perform including reconnaissance, vulnerability assessment, and penetration testing. Implementing a continuous assessment strategy of operations is needed to provide full visibility into all potential risk.

As examples, GitLab will provide:

• Dynamic analysis categories, including DAST and DAST API, providing the ability to assess the operations side of the DevOps lifecycle.
• New categories purposefully designed to assess the operations network including automatic penetration testing and vulnerability assessment functionality.
• Cloud-native assessment capabilities allowing users to truly understand their attack surface.
• Active monitoring of public key infrastructure (PKI), providing full visibility into the cryptographic health of your cloud-native environment (and associated containers).

Provide Active Intelligence to Enable Data-Driven Decisions

Security findings, without context, can lead to making incorrect decisions on remediation, leaving applications and services vulnerable. With more data made available, better decisions can be made while prioritizing security findings, enabling users to best manage their security risk. Furthermore, this enables developers to write secure code, build operations to package dependencies free of vulnerabilities, and security team members to test deeper than previously achievable. Leveraging machine learning provides active intelligence, enabling users to make smart, data-driven decisions at the right time, lowering overall security risk. Machine learning, to be successful, relies on big data to build accurate models. The GitLab community includes developers, build operators, and security teams all working together within their organizations to code, build, deliver and secure application and services going into operations. As a global community, developers can learn from each other to identify and better secure code. Dependency vulnerabilities and weaknesses can be avoided, and security teams can test smarter, faster, and deeper. Machine learning, powered by anonymized data, provides active intelligence enabling data-driven decisions.

As examples, GitLab will provide:

• Machine learning that will be opt-in when it relates to using anonymized user data from the GitLab community.
• Actionable intelligence to identify insecure coding practices to help developers write more secure code in real-time.
• Dynamic application security testing (DAST) tailored to the application or service being tested, identifying security findings which may have been missed with traditional testing techniques.
• Real-time data about software vulnerabilities and weaknesses related to technologies used within users’ projects, groups, and instances.
• Automatic remediation of discovered software vulnerabilities and weaknesses within project source code, dependencies (e.g., libraries and packages), and containers.
• Autogeneration of signatures and policies to address security findings within Secure Stage categories that can be automatically applied to Govern Stage categories.

BYOT - Bring Your Own (Security) Tools

At GitLab, we believe everyone can contribute and security is everyone’s responsibility. We empower GitLab users by providing security tools which include Static Analysis, Dynamic Analysis, Container Scanning, Dependency Scanning, and License Scanning. However, we recognize our users may have existing security tools and may want to continue to use them. As such, we strive to play well with others. Security tool vendors will be provided standardized components (e.g., APIs) within the GitLab complete DevOps platform enabling easy integration into our Security Dashboard and Merge Request controls including security approvals. This allows our users to have alternate security tools that either replace, or augment, our Secure tools.

As examples, GitLab will provide:

• A walkthrough (e.g., wizard) enabling users the ability to configure and enable integrations they wish to use as part of their DevSecOps processes.
• Standardize REST APIs, following CRUD principles, for integrating third-party security scanners the ability to start scanning via GitLab CI/CD as well as submit their security findings into the GitLab complete DevOps platform.
• Security vulnerability reporting framework, following JSON notation, allowing third-party security scanners to submit their security findings in such a way that their results can be integrated into Secure’s Security Dashboard and Merge Request controls including security approvals.

If you are interested in contributing such an integration, please create an issue so we can collaborate on questions and adding any enabling functionality.

3 Year Strategy

In three years the Secure Stage market will:

• Have the application security testing (AST) market continue to grow, adding new techniques into its definition
  • This includes a bigger focus on API readiness with API fuzzing and security testing growing in popularity
  • See a resurgence of security testing within operations / production
• Continue the "Shift Left" trend, with Static Analysis (SAST) becoming more prominent
• Adopt machine learning techniques within the development phases of the DevOps lifecycle

As a result, in three years, Gitlab will:

• Identify insecure coding practices in real-time and provide recommendations to correct them prior to merge request
• Provide fuzz testing across the entire application technology stack (protocol, API, application), including both black-box and white-box testing techniques
• Expand Secure to support testing in development as well as in operations / production
  • Introduce categories that enable continuous verification (e.g., hourly, daily, weekly) of operations / production
• Expand focus within preexisting categories to apply knowledge / results from one scan type to optimize another scan type's configuration

1 Year Plan

What We Recently Completed

The Secure team has been actively delivering updates to help you reduce risk. The following are some highlights from recent GitLab releases:

• Next Generation SAST. We released a proprietary static application security testing engine, initially focused on reducing false positives in Ruby and Rails, that builds upon years of experience leveraging open source analyzers. This engine leverages program analysis techniques, including data and control flow analysis and a novel pattern extraction language, to eliminate vulnerabilities that may have been falsely reported by other integrated security tools. It also lays the groundwork for future integration of across scanning disciplines offered within GitLab for smarter, more actionable results.
• DAST API Beta. We beta-released API scanning capabilities based on technology gains from our acquisition of Peach Tech. This scanner will eventually fully replace OWASP ZAP as our API scanner, but in the immediate term gave users the benefit of enabling more API specification methods, more API language support, and additional authentication methods, as well as the ability to use Postman collections and HAR files to provide multiple options for defining what can be tested in the API.
• Infrastructure as Code (IaC) Scanning. We released an IaC scanner to address common misconfiguration issues in IaC templates. Initially, our scanner supports Terraform, Ansible, AWS CloudFormation, and Kubernetes and is based on the open-source Keeping Infrastructure as Code Secure (KICS) project.
• Vulnerability Management Usability. We've made multiple usability improvements to our vulnerability management workflows, including a change to the structure of our reporting format so that, regardless of scanner provenance, results are handled and displayed uniformly for the user in the UI.

What We Are Currently Working On

The Secure team is actively working to bring world class security to DevSecOps and the following outlines where we are currently investing our efforts:

• Application Security Testing (AST) Leadership - We will take a leadership position within the Application Security Testing (AST) market. This will be accomplished by focusing on moving Dynamic Analysis (DAST), API Security, Dependency Scanning, and Vulnerability Management categories to Complete maturity, as well as returning License Compliance to Viable maturity.
• Dogfooding - We will “practice what we preach”, including leveraging Secure Categories in all things GitLab does. This tight circle will provide immediate feedback and increase our rate of learning.
• Security for everyone - In order to make security accessible to everyone across the DevOps lifecycle, we will bring all Secure OSS scanners to Core (self-managed) / Free (GitLab.com).

What's Next For Us

To meet our audacious goals, the Secure Stage will focus on the following over the next 12 months:

• Differentiate on value - Running a security test is just the beginning. We want to provide a first-class experience and enable users to make data-driven decisions to secure their applications and services as well as their enterprise. Our Security Dashboards and Merge Request Approvals is just the beginning.
• Holistic developer-first experience - We will capitalize on a unique opportunity to present results and activate workflows for developers and security professionals that standalone security products cannot replicate. We want to provide a first-class experience and enable users to make data-driven decisions to secure their applications and services as well as their enterprise. Our Security Dashboards and Merge Request Approvals is just the beginning.

What We're Not Doing

The following will NOT be a focus over the next 12 months:

• Machine learning - Machine learning (ML) will be leveraged, as part of static analysis, to identify insecure coding practices and help developers write more secure code. This will be opt-in and will enable the power of the GitLab global community.
• Security services - The cybersecurity staffing shortage continues to grow with no solvable solution yet defined. To solve this issue, organizations have been relying on security services to fill this gap in their security processes. As part of Secure’s 3 Year Strategy, we want to address this for the GitLab community by offering cybersecurity augmentation powered by GitLab Secure categories.

Please explore the individual Category Direction pages for more information on 12 month plans.

Target audience

GitLab identifies who our DevSecOps application is built for utilizing the following categorization. We list our view of who we will support when in priority order.

• 🟩 - Targeted with strong support
• 🟨 - Targeted but incomplete support
• ⬜️ - Not targeted but might find value

Today

To capitalize on the opportunities listed above, the Secure Stage has features that make it useful to the following personas today.

1. 🟩 Developers / Development Teams
2. 🟩 Security Teams
3. 🟨 SecOps Teams
4. 🟩 QA engineers / QA Teams
5. 🟨 Security Consultants
6. ⬜️ Compliance Specialists / Manager

Medium Term (1-2 years)

As we execute our 3 year strategy, our medium term (1-2 year) goal is to provide a single DevSecOps application that enables collaboration between developers, security teams, SecOps teams, and QA Teams.

1. 🟩 Developers / Development Teams
2. 🟩 Security Teams
3. 🟩 SecOps Teams
4. 🟩 QA engineers / QA Teams
5. 🟨️ Security Consultants
6. 🟨️ Compliance Specialists / Manager

Developers

We want to support developers and provide feedback during the application development process. Security Reports in merge request widgets and pipelines allow early access to security information that can be used to fix problems even before they are merged into the stable branch or released to the public, embracing the idea of shift left testing.

This approach is valuable to highlight how specific changes could affect the security of the application.

Personas

• Sasha - Software Developer
• Delaney - Development Team Lead

Security teams

We want to support security teams as first-class citizens. GitLab should be their primary tool to manage monitoring and remediation of security issues. Using the Security Dashboard, security specialists know exactly which is the most important thing they need to take care of, while Directors of Security can manage workflows and analyze historical data to figure out how to improve the response time.

This is a vulnerability-centric approach where items are grouped and ordered to suggest what's most important in a group, or in the entire instance.

Personas

• Sam - Security Analyst
• Alex - Security Operations Engineer

Categories

There are a few product categories that are critical for success here; each one is intended to represent what you might find as an entire product out in the market. We want our single application to solve the important problems solved by other tools in this space - if you see an opportunity where we can deliver a specific solution that would be enough for you to switch over to GitLab, please reach out to the PM for this stage and let us know.

Each of these categories has a designated level of maturity; you can read more about our category maturity model to help you decide which categories you want to start using and when.

SAST

Static Application Security Testing scans the application source code and binaries to spot potential vulnerabilities before deployment using open source tools that are installed as part of GitLab. Vulnerabilities are shown in-line with every merge request and results are collected and presented as a single report. This category is at the "complete" level of maturity.

Priority: high • Documentation • Direction

Secret Detection

Check for credentials and secrets in commits. This category is at the "viable" level of maturity.

Priority: medium • Documentation • Direction

Code Quality

Automatically analyze your source code to surface issues and see if quality is improving or getting worse with the latest commit. This category is at the "minimal" level of maturity.

Documentation • Direction

DAST

Dynamic Application Security Testing analyzes your running web application for known runtime vulnerabilities. It runs live attacks against a Review App, an externally deployed application, or an active API, created for every merge request as part of the GitLab's CI/CD capabilities. Users can provide HTTP credentials to test private areas. Vulnerabilities are shown in-line with every merge request. Tests can also be run outside of CI/CD pipelines by utilizing on-demand DAST scans This category is at the "complete" level of maturity.

Priority: high • Documentation • Direction

API Security

API Security focuses on testing and protecting APIs. Testing for known vulnerabilities with DAST API and unknown vulnerabilities with API Fuzzing, API Security runs against a live API or a Review App to discover vulnerabilities that can only be uncovered after the API has been deployed. Users can provide credentials to test authenticated APIs. Vulnerabilities are shown in-line with every merge request. This category is at the "viable" level of maturity.

Priority: high • Documentation • Direction

Fuzz Testing

Fuzz testing increase chances to get results by using arbitrary payloads instead of well-known ones. This category is at the "viable" level of maturity.

Priority: high • Documentation • Direction

Software Composition Analysis

Analyze external dependencies (e.g. libraries like Ruby gems) for known vulnerabilities on each code commit with GitLab CI/CD. This scan relies on open source tools and on the integration with Gemnasium technology (now part of GitLab) to show, in-line with every merge request, vulnerable dependencies needing updating. Results are collected and available as a single report. Additionally upon code commit, project dependencies are searched for approved and denied licenses defined by custom policies per project. Software licenses being used are identified if they are not within policy. License analysis results are shown in-line for every merge request for immediate resolution. This category is at the "viable" level of maturity.

Priority: high • Documentation • Direction

Container Scanning

Check Docker images for known vulnerabilities in the application environment. Analyze image contents against public vulnerability databases using the open source tool, Clair, that is able to scan any kind of Docker (or App) image. Vulnerabilities are shown in-line with every merge request. This category is at the "viable" level of maturity.

Priority: medium • Documentation • Direction

GitLab Advisory Database

GitLab integrates access to proprietary and open-source application security scanning tools. In order to maintain the efficacy of those scans, we strive to keep their underlying vulnerability databases up-to-date.

Priority: high • Direction

Attack Emulation

Continuously assess your applications and services are not vulnerable to security threats through automated, real-world emulated scenarios to identify weaknesses in your attack surface

Priority: low

Other top-level features

In the Secure stage there are features that are cross-category. They allow Security Teams and Developers to manage security with a holistic approach. The prioritization of a security issue doesn't fully depend on the type of vulnerability, but on its severity and so which is the impact on the application.

That's why we want to create features where vulnerabilities are in one single place, no matter if they are coming from SAST, Dependency Scanning, Container Scanning, etc.

Automatic Remediation

When a vulnerability is automatically detected by GitLab, users can be aware of that using the Security Dashboard or looking at security reports. But this still requires manual intervention to create a fix and push it to production, and during this time there is a vulnerable window where attackers can leverage the vulnerability.

Automatic Remediation aims to automate vulnerability solution flow, and automatically create a fix. The fix is then tested, and if it passes all the tests already defined for the application, it is deployed to production.

GitLab can then monitor performances of the deployed app, and revert all the changes in case performances are decreasing dramatically, warning the user about the entire process and reducing the need for manual actions.

Read more about this in our user documentation or in this epic. Sometimes this feature is incorrectly referred to as Auto-Remediation, Auto Remediation, or Suggested Solutions.

Slides are available here.

Bill of materials

Software is often based on many components that are reused. Every modern programming language makes it easy to pull and use external libraries via package managers. There is a growing need to know exactly what is included in the final app, and the relevant information about those third-party components, like the version number, the license, and the security status.

The bill of materials (BOM) makes this information available and accessible so that compliance can validate that the app may be released and deployed.

Read more in this epic.

Offline environment deployments

Users of GitLab Self-Managed may have installations with limited or no internet connectivity. These environments might be in their lab, their datacenter, or even in their preferred cloud provider. GitLab refers to these deployments as offline environment deployments however other common names include air-gapped environments, limited connectivity environments, local area network (LAN) environments, or intranet environments. These environments have physical barriers preventing internet access or potentially have security policies (e.g., firewalls) which limit access.

We are actively working to allow users to run all of our Secure categories in physically disconnected networks with access to internal registries. This will enable users within the other environment types like limited connectivity to be successful using Secure categories by following the same documentation and use cases.

Learn more about this in GitLab Docs as well as in the epic for Secure's current status supporting these types of environments.

Auto DevOps

Auto DevOps provides pre-defined CI/CD configuration for your applications. To do so, Auto DevOps includes security testing templates including SAST, Dependency Scanning, License Compliance, Container Scanning, and DAST to enable quick setup of security jobs within CI/CD. The relevant Secure stage groups maintain the pre-defined Auto DevOps jobs for those tests.

Pricing

Secure is focused on providing enterprise-grade application security testing (AST) capabilities to minimize overall risk. The intent is to provide enough value in paid features so as to allow Secure to contribute in a significant way over the next 3 years toward GitLab's company-level financial goals.

Although paid features are the primary focus, there are several reasons why features for unpaid tiers might be prioritized above paid features:

1. The Secure stage has a powerful potential to help improve the security of projects everywhere. Features with the potential to significantly improve the security posture of all projects will be highly prioritized and made available in an unpaid tier.
2. To continue to be good stewards in the open source community, any basic integration with open source projects will be available in an unpaid tier by default, along with the "table stakes" set of functionality required to allow that feature to be usable with GitLab. Any open source project integrations that currently exist in paid tiers will have a discussion opened about moving the integration to an unpaid tier.

Core/Free

This tier is the primary way to increase broad adoption of the Secure stage, as well as encouraging community contributions and improving security across the entire GitLab user base.

As a general rule of thumb, features will fall in the Core/Free tier when they meet one or more of the following criteria:

• The feature is primarily for an individual with a few small projects rather than meeting the needs of an organization or enterprise that is operating at scale
• The feature is provided by an integration with an open source project rather than being natively developed by GitLab
• The feature has the potential to increase the security posture of all GitLab projects in a significant way, or there is a reasonable ethical/moral obligation to make the feature available to all users
• The ongoing cost for GitLab to maintain and update the feature is relatively minimal

Some examples include:

• Basic installation and use of scanners, especially when the underlying scanner is taken from an open source project
• The basic ability to retrieve scan results in some way
• Documentation and directions on how to install and configure a scanner

Premium/Silver

This tier is not a significant part of Secure's pricing strategy.

Ultimate/Gold

This tier is the primary focus for the Secure stage as the security posture of an organization is typically a primary concern of the executive team and even the board of directors. Just as a major security incident has far reaching consequences that impact the entirety of an organization, the features and capabilities that enable organizations to assess their overall security risk tend to be valued with equal weight. The types of capabilities that fall in the Ultimate/Gold tier vs an unpaid tier should be those that are necessary for an organization, rather than an individual, to properly secure their code before pushing it into a production environment.

As a general rule of thumb, features will fall in the Ultimate/Gold tier when they meet one or more of the following criteria:

• The feature is focused on enabling an organization or enterprise to operate at scale rather than an individual with a few smaller personal projects
• The feature is natively developed or acquired by GitLab rather than being provided by an open source project
• The feature has a significant ongoing cost for GitLab to maintain and update the feature

Some examples include:

• Vulnerability management functionality, including Security Dashboards to aggregate, prioritize, and remediate findings as well as vulnerability workflows, including inline workflows, such as merge request and pipeline security reports, that help streamline and expedite the vulnerability remediation process
• Scanning capabilities that are not open source and provide value above what typical open source tools provide
• Enterprise features including summary reports, UI tools to simplify and streamline scanner configurations, and creation or enforcement of scanning policies
• Vulnerability research including a dedicated vulnerability database enabling better security scanner true positive detection rates

Upcoming Releases

16.5 (2023-10-22)

• Container Scanning: CVS Trigger scans on Trivy DB changes Ultimate
• Container Scanning: Identify if a finding is fixable Ultimate
• Browser-based scanner for DAST
• Static Analysis Group Direction
• SAST (Static Application Security Testing) Category Direction
• Simplify primary ids for SAST rules

16.6 (2023-11-15)

• Container Scanning - Viable to Complete

16.7 (2023-12-20)

16.8 (2024-01-17)

16.9 (2024-02-14)

16.10 (2024-03-20)

Other Interesting Items

There are a number of other issues that we've identified as being interesting that we are potentially thinking about, but do not currently have planned by setting a milestone for delivery. Some are good ideas we want to do, but don't yet know when; some we may never get around to, some may be replaced by another idea, and some are just waiting for that right spark of inspiration to turn them into something special.

Remember that at GitLab, everyone can contribute! This is one of our fundamental values and something we truly believe in, so if you have feedback on any of these items you're more than welcome to jump into the discussion. Our vision and product are truly something we build together!

• Flawfinder-sast should ignore invalid csv output when creating reports
• Normalize dependency scanning CI/CD variable naming Ultimate
• Switch to different JDK build in gemnasium-maven Ultimate
• Gemnasium: Specify line number in "invalid spec" error
• Rebuild/update all containers Premium
• Automated Dependency Management (IE greenskeeper.io)
• Code quality report for default branch Premium
• Show Code Quality report for changed files only
• Get feedback about false positive results in application security testing features (Signal to Noise)
• Notify users when a vulnerability fix is automatically merged Ultimate
• Monitor performances of Auto Remediate fixes and revert if not good Ultimate
• Automatically notify and update dependencies Ultimate
• Disable patch creation via environment variables Ultimate
• Fully unattended Auto Remediation Ultimate
• Check if a vulnerable component is really used by a container Ultimate
• Support multiple Auto Remediation patches when applying a vulnerability solution Ultimate
• Add an optional reason when approving/denying licenses Ultimate
• Integrate Auto-dependency update into GitLab AutoDevops Ultimate
• Support c# code quality results directly
• [Container Scanning] Add information about image name Ultimate
• Dogfooding: use container scanning on GitLab omnibus Ultimate
• Prevent merge on code quality degradation Ultimate
• Discovery, Auto-remediation: auto-merge merge request with fixes Ultimate
• Auto Remediation: auto-merge the auto-created merge requests Ultimate
• Container Scanning: Allow configurable allowlist path Ultimate
• HTTPS Cipher Suite Algorithm Guidance
• Document multi-image container scanning Ultimate
• Can we scan all the containers in GitLab Ultimate
• Show projects that include security bot (suggested solution feature opted-in/active) Ultimate
• DAST support of SOAP, GraphQL, and JSON:API
• Provide more details when creating an issue for a container scanning finding Ultimate
• Container Scanning - Enable scan of multiple images Ultimate
• API Fuzz test Rails code in GitLab Ultimate
• Allow to filter vulnerabilities by image name on the group dashboard Ultimate
• Allow to filter vulnerabilities by image name on the instance dashboard Ultimate
• Allow to filter vulnerabilities by image name on the pipeline security tab Ultimate
• Allow to filter vulnerabilities by image name on the MR view Ultimate
• Improve extensibility of SAST, Dependency Scanning template rules
• Coverage guided fuzzing - C# language Ultimate
• Support Windows Auth authentication meachanism
• Support OAuth 1.0 authentication
• Support Hawk authentication
• Publish JUnit integration for API Fuzzing Ultimate
• Publish scala test integration for api fuzzer
• Report vulnerable dependency paths for Maven, Gradle (Java) Ultimate
• Coverage-guided fuzz test crash reproduction binaries Ultimate
• Ignore rules with severity marked ignore in config
• Support gRPC testing with API Fuzzer
• Auto-Remediation - Remove user callout - Frontend Ultimate
• Add "clean up policy" to corpus management Ultimate
• Add sort feature to corpus management list Ultimate
• Fuzz corpus management - Add more details to corpus management page - crash % & coverage Ultimate
• Project Code Quality Graph Ultimate
• Show CodeQuality annotations inline in WebIDE Ultimate
• List dependency updates in MR Ultimate
• Dependency Scanning scans multiple Python projects in monorepos Ultimate
• SAST for IBM z/OS: PL/I (and Cobol) Ultimate
• Allow target dir and configuration name to be customizable in sbt dependency scanning Ultimate
• Run Dependency, SAST, and Secret Detection Security Scanning within Developers IDE Ultimate
• research tools to convert isbom into spdx Ultimate
• Make Gemnasium scan, report Sbt dependencies of all scopes Ultimate
• enable users to augment the advisory-DB privately Ultimate
• Rulesets for Salesforce-specific JavaScript Frameworks (Aura and Lightning Component Framework) Ultimate
• DAST Pre-scan verification implementation Ultimate
• Improve the interaction for selecting a profile in DAST
• SBoM component PURL fields do not contain the repository_url field Ultimate
• Ruby on Rails API discovery Ultimate
• Python Flask API discovery Ultimate
• Find software license in repository when NPM returns an empty license Ultimate
• Allow all Java and Python files to be scanned Ultimate
• DAST vuln - if no longer found - can we have them auto resolved? Currently they find themselves having to triage them even if the vuln is no longer found Ultimate
• Decide what to do with Yarn berry patch packages
• Add end of life information to dependency view Ultimate
• Support Gradle in Coverage-guided fuzz testing
• Dependency scanner image exit 1 - without further indication about root cause Ultimate
• Add shortest_path and introduced_by fields when creating report with Gitlab::VulnerabilityScanning::SbomScanner Ultimate
• Add dependency scanning for Python projects that use pyproject.toml Ultimate

Last Reviewed: 2021-12-13
Last Updated: 2021-12-13