GitLab Features

Fundamentally changing the way Development, Security, and Ops teams collaborate and build software - GitLab provides all of the essential DevSecOps tools in one DevSecOps platform. From idea to production, GitLab helps teams improve cycle time from weeks to minutes, reduce development costs, speed time to market, and deliver more secure and compliant applications.

Security

Security capabilities, integrated into your development lifecycle.

GitLab provides Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Container Scanning, and Dependency Scanning to help you deliver secure applications along with license compliance.

Secure

SAST

Scans your application source code and binaries to spot potential vulnerabilities before deployment. SAST supports scanning a variety of different programming languages and automatically chooses the right analyzer even if your project uses more than one language. Vulnerabilities, additional data, and solutions are shown in-line with every merge request. Scanner results are collected and presented as a single report.

SAST

Basic SAST scanning

GitLab lets you run Static Application Security Testing (SAST) in CI/CD pipelines to check your codebase for security weaknesses.
Basic scans, based on open-source scanners, are available in all tiers.
Advanced features are available only in Ultimate.
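As an added example (not configuration taken from this page or from GitLab's own project), a minimal `.gitlab-ci.yml` that enables the GitLab-managed SAST template and narrows what it scans. The excluded paths and the excluded analyzer are assumptions chosen for illustration, and the `workflow` rules assume a template version whose analyzer jobs run in merge request pipelines; the template name and the `SAST_EXCLUDED_PATHS` and `SAST_EXCLUDED_ANALYZERS` variables are the ones the template reads:

```yaml
# .gitlab-ci.yml (added example, not from the page)
# The SAST template's analyzer jobs run in the `test` stage, so that stage
# must exist in the pipeline.
stages:
  - build
  - test

# Run pipelines for merge requests and for the default branch only, so every
# change is scanned before it is merged without duplicating work on
# throwaway branches.
workflow:
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH

include:
  # Adds the analyzer jobs; each one runs only when files for its language
  # are present, so a polyglot repository gets several analyzers automatically.
  - template: Security/SAST.gitlab-ci.yml

variables:
  # Keep tests, fixtures and vendored code out of the report (assumed paths).
  # Exclusions hide findings; they do not make that code safe.
  SAST_EXCLUDED_PATHS: "spec, test, tests, tmp, vendor"
  # Skip one analyzer by name (assumption: the SpotBugs build step is too
  # slow for merge request pipelines and is run on a schedule instead).
  SAST_EXCLUDED_ANALYZERS: "spotbugs"
```

The analyzer jobs write `gl-sast-report.json` as a `sast` report artifact; that artifact is what feeds the merge request widget and the single combined report described above. Check the job logs the first time you enable the template: an analyzer that is silently skipped because it found no matching files looks the same in the widget as one that ran and found nothing.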

SAST

Advanced SAST

Advanced SAST uses a proprietary detection engine, with rules informed by in-house security research, to identify exploitable vulnerabilities in first-party code.
It delivers more accurate results so developers and security teams don't have to sort through the noise of false-positive results.

SAST

Security findings integrated in the IDE

Developers can see and fix security findings directly in VS Code.
After a merge request is opened for a branch, the GitLab Workflow extension for VS Code shows new security findings that weren't previously found on the default branch.

SAST

Real-time SAST scanning in the IDE (Experiment)

Scan your project files directly in VS Code, before you've committed or pushed them, so you can find and fix security vulnerabilities faster. A SAST scanning side panel displays your scan results and updates as you make changes to your code. Hover over the vulnerability result to see a detailed description or open it in a separate editor window for more context.

This feature is currently an Experiment available for GitLab.com customers on the Ultimate tier.

SAST

Custom Rulesets for SAST

GitLab SAST allows users to change the vulnerability detection defaults to tailor results to their organization's preferences. SAST custom rulesets allow you to exclude rules and modify the behavior of existing rules.

SAST

Infrastructure as Code (IaC) Security Scanning

GitLab 14.5 introduced security scanning for Infrastructure as Code (IaC) configuration files.

Code Quality

Analyzes your source code quality and complexity. This helps keep your project’s code simple, readable, and easier to maintain.

Code Quality

Code Quality MR Widget

Code Quality reports are available in the merge request widget area, giving you early insights into how the change will affect the health of your code before deciding if you want to accept it.

Code Quality

Code Quality Reports

Full Code Quality reports are available on the pipeline page, showing areas of the codebase that do not meet the organization's preferred style or standards.

Code Quality

Code Quality violation notices in MR diffs

Code Quality violations introduced in a merge request are annotated in the merge request diff view to detail how the code quality could decrease if merged.

Secret Detection

Scans your repository to help prevent your secrets from being exposed. Secret Detection scanning works on all text files, regardless of the language or framework used. Code pushed to a remote Git branch can be rejected if a secret is detected.

Secret Detection

Secret Detection

GitLab can run Secret Detection in CI/CD pipelines, checking for unintentionally committed secrets and credentials. Results are shown in the merge request and in the pipeline view.
This feature is enabled as part of Auto DevOps to provide security by default.

Secret Detection

Custom Rulesets for Secret Detection

GitLab Secret Detection lets users change the detection defaults to tailor results to their organization's preferences. Secret Detection supports disabling existing rules and adding new regex patterns to detect any type of custom secret.

Secret Detection

Full Git History Secret Detection

Identify historical secrets that might be hiding in your older git commit history.
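An added example (not from this page or from GitLab's own configuration) showing how the pipeline-based Secret Detection above and the full-history scan fit in one `.gitlab-ci.yml`: incremental scans on every merge request and branch push, and a full-history scan on a scheduled pipeline. The schedule itself is assumed to be created in the project's CI/CD settings; the template name and `SECRET_DETECTION_HISTORIC_SCAN` are the documented ones:

```yaml
# .gitlab-ci.yml (added example, not from the page)
stages:
  - test

include:
  - template: Security/Secret-Detection.gitlab-ci.yml

# Override the template job's rules. Variables declared under a rule apply
# only when that rule matched, so one job serves both scanning modes.
secret_detection:
  rules:
    # Scheduled pipelines walk every commit on the branch. A secret that was
    # committed and "removed" in a later commit is still in history and is
    # still valid until it is rotated, which is exactly what this mode finds.
    - if: $CI_PIPELINE_SOURCE == "schedule"
      variables:
        SECRET_DETECTION_HISTORIC_SCAN: "true"
        GIT_DEPTH: "0"   # full clone, so every commit is available to scan
    # Merge request pipelines scan only the commits the MR introduces.
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    # Branch pushes scan only the commits in that push.
    - if: $CI_COMMIT_BRANCH
```

Treat any historic finding as a live credential: rewriting or deleting the commit does not invalidate the secret, so rotate it first and clean the history second. The full-history mode is proportionally slower on large repositories, which is why it is tied to a schedule rather than to every push here.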

Secret Detection

Automatic Response to Leaked Secrets

Automatic responses for Secret Detection help you mitigate the impact of leaked credentials. GitLab automatically revokes leaked Personal Access Tokens (PATs). On GitLab.com, Secret Detection also notifies a select set of partners when credentials they've issued are leaked. Partners choose which type of action they take to protect their services and customers in response to these alerts.

Secret Detection

Secret Push Protection

Block secrets such as keys and API tokens from being pushed to your GitLab instance. Secret Push Protection runs when commits are pushed to a repository where it is enabled. If any secrets are detected, the push is rejected.

DAST

Runs automated penetration tests to find vulnerabilities in web applications and APIs while they are running. DAST can run live attacks against a Review App, an externally deployed application, or an active API. Scans can run for every merge request, on a schedule, or on demand. DAST accepts user-supplied HTTP credentials to test authenticated areas of your application. Vulnerabilities, additional data, and solutions are shown in-line with every merge request. Scanner results are presented as a single report.

DAST

Dynamic Application Security Testing

Ensure you are not exposed to web application vulnerabilities like broken authentication, cross-site scripting, or SQL injection by dynamically investigating your running test applications in CI/CD pipelines.

DAST

On-demand DAST

Identify vulnerabilities in your running application, independent of code changes or merge requests.

DAST

Site and Scanner profiles for On-demand DAST scans

Reuse configuration profiles quickly with on-demand DAST scans, instead of reconfiguring scans every time you need to run one.
Mix different scan profiles with site profiles to quickly conduct scans that cover different areas or depths of your application and API.

DAST

DAST Configuration UI

Enabling DAST is now as simple as three clicks. This guided configuration experience makes it easier for non-CI experts to get started with GitLab DAST. The tool helps a user create a merge request to enable DAST scanning while leveraging best configuration practices like using the GitLab-managed DAST.gitlab-ci.yml template.

DAST

Scheduling On-demand DAST scans

Set on-demand DAST scans to run on ad hoc or recurring schedules.

DAST

DAST

Ensure you are not exposed to web application vulnerabilities like broken authentication, cross-site scripting, or SQL injection by dynamically testing your running test applications in CI/CD pipelines. DAST runs in a browser, allowing better testing of modern JavaScript frameworks and single-page applications.
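An added example (not configuration from this page or from GitLab's own project) of enabling the same `DAST.gitlab-ci.yml` template the configuration UI generates, wired to a Review App deployed earlier in the merge request pipeline. The review hostname, the deploy script and the `deploy_review` job are assumptions; `DAST_WEBSITE` is the target variable read by the analyzer versions this page describes (newer analyzer releases have renamed some variables, so check the template you include), and the `DAST_AUTH_*` credential variables are deliberately left to the template documentation for the same reason:

```yaml
# .gitlab-ci.yml (added example, not from the page)
stages:
  - build
  - test
  - deploy
  - dast          # the template's `dast` job runs here, after the app is deployed

include:
  - template: DAST.gitlab-ci.yml

# Assumed deploy job that publishes the review app the scan will target.
deploy_review:
  stage: deploy
  script:
    - ./deploy-review.sh "$CI_COMMIT_REF_SLUG"     # assumed script
  environment:
    name: review/$CI_COMMIT_REF_SLUG
    url: https://$CI_COMMIT_REF_SLUG.review.example.test   # assumed host
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"

dast:
  variables:
    # DAST sends real attack payloads (injection strings, forced browsing,
    # authentication abuse). Point it only at disposable test environments,
    # never at production or at anything sharing a production data store.
    DAST_WEBSITE: https://$CI_COMMIT_REF_SLUG.review.example.test
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
```

The `dast` stage has to be listed explicitly because the template's job is assigned to it; without it the pipeline fails validation. Scheduled and on-demand scans against a long-lived staging site are configured separately through the site and scanner profiles described above, so the pipeline job stays scoped to the change under review.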

Fuzz Testing

Sends large numbers of generated inputs to an instrumented build of your application to provoke unexpected behavior and surface bugs that need to be fixed. Helps you discover bugs and potential security issues that other QA processes may miss.

Fuzz Testing

Coverage-guided Fuzz Testing

Find security vulnerabilities and bugs in your app that traditional QA processes miss.

API Security

Secures and protects web Application Programming Interfaces (APIs) from unauthorized access, misuse, and attacks. Tests for known vulnerabilities by performing penetration testing of APIs with DAST. Finds unknown vulnerabilities by fuzz testing web API operation parameters. Users can provide credentials to test authenticated APIs. Vulnerabilities, additional data, and solutions are shown in-line with every merge request. Scanner results are collected and presented as a single report.

API Security

API Security Testing

Gain insight into vulnerabilities across your entire running application's attack surface, not just your UI. Leverages Postman collections, HAR files, and OpenAPI specifications to automatically discover and dynamically test URLs and API endpoints.

API Security

API Fuzz Testing

Test the APIs in your apps to find vulnerabilities and bugs that traditional QA processes miss.

API Security

On-demand API Security Testing scans

Identify vulnerabilities in your APIs, independent of code changes or merge requests.

Software Composition Analysis

Analyzes external dependencies within your application for known vulnerabilities on each CI/CD code commit. Vulnerabilities, additional data, and solutions are shown in-line with every merge request. Scanner results are collected and presented as a single report. Upon code commit, project dependencies are searched for approved and denied licenses defined by per project custom policies. Software licenses are identified if they are not within policy and are shown in-line for every merge request for immediate resolution.

Software Composition Analysis

Dependency Scanning

Protect your application from vulnerabilities that affect dynamic dependencies by automatically detecting well-known security bugs in your included libraries.

Software Composition Analysis

Automated solutions for Dependency Scanning vulnerabilities

Download and apply a patch to fix vulnerabilities affecting your codebase.

Software Composition Analysis

License Compliance

Check that licenses of your dependencies are compatible with your application, and approve or deny them. Results are then shown in the Merge Request and in the Pipeline view.

Container Scanning

Scans your container images for known vulnerabilities within the application environment. Image contents are analyzed against public vulnerability databases. Security findings, additional data, and solutions are reported in-line with every merge request. Results are presented as a single report. Container Scanning is considered part of Software Composition Analysis.

Container Scanning

Container Scanning

Run a security scan to ensure the Docker images for your application do not have any known vulnerabilities in the environment where your code is shipped.
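An added example (not from this page or from GitLab's own project) covering both the Dependency Scanning and the Container Scanning cards: the pipeline builds an image, pushes it to the project's container registry, and then scans exactly that image alongside the repository's lockfiles. The image name, the Docker version, the privileged runner needed for Docker-in-Docker and the `Dockerfile` are assumptions; `CS_IMAGE` and `CS_SEVERITY_THRESHOLD` are the variables the Container Scanning template reads, and `CI_REGISTRY_*` are GitLab's predefined variables:

```yaml
# .gitlab-ci.yml (added example, not from the page)
stages:
  - build
  - test

include:
  - template: Security/Container-Scanning.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml   # SCA of the lockfiles in the repo

variables:
  # Tag by commit SHA so the scan result is tied to one immutable image,
  # not to whatever `latest` points at by the time the job runs.
  IMAGE_TAG: $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA

build_image:
  stage: build
  image: docker:24          # assumed Docker version; needs a privileged runner
  services:
    - docker:24-dind
  script:
    # Registry credentials come from the job token; read the password from
    # stdin so it does not appear in the process list or the job log.
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
    - docker build -t "$IMAGE_TAG" .
    - docker push "$IMAGE_TAG"

container_scanning:
  needs: [build_image]      # scan only once the image actually exists
  variables:
    CS_IMAGE: $IMAGE_TAG
    # Report only findings at this severity or above (assumed policy).
    # The default reports every severity; raising it filters, it does not fail the job.
    CS_SEVERITY_THRESHOLD: HIGH
```

Without the `CS_IMAGE` override the template looks for `$CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA`, so the build job and the scan must agree on one naming scheme. Because a base image accumulates new CVEs while your code stands still, also run this pipeline on a schedule against the default branch rather than only on pushes.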

Container Scanning

Automated solutions for Container Scanning vulnerabilities

Download and apply a patch to fix vulnerabilities affecting your codebase.

GitLab Advisory Database

The GitLab Advisory Database serves as a repository for security advisories related to software dependencies. GitLab integrates the advisory database with its proprietary and open-source application security scanning tools. In order to maintain the efficacy of those scanners, we strive to keep their underlying vulnerability databases up-to-date.

GitLab Advisory Database

GitLab Advisory Database

A vulnerability database that can be viewed and enhanced by anyone.

System Access

System Access provides tools to authenticate through all points of GitLab (UI, CLI, API). These tools allow you to configure what an individual/process has access to once they authenticate, determined by their role. GitLab integrates with several OmniAuth providers, LDAP, SAML, and more.

System Access

IP allowlist

Restrict access at the group level to incoming traffic adhering to an IP address subnet, keeping your code secure.

System Access

Limit access token lifetime

*Only available on Self-Managed

Administrators can set a maximum lifetime for access tokens that is shorter than the default limit of 365 days, for compliance purposes.

System Access

Personal access tokens

Personal access tokens are an alternative to passwords for authenticating to the GitLab API, Git over HTTPS, and the package and container registries. Each token carries a set of scopes that limit what it can do and an expiry date.

System Access

Credentials inventory

*Only available on Self-Managed

Keep track of all the personal access tokens, SSH keys, and GPG keys that can be used for access and verification. See when they expire and manage rotation policies.

System Access

Authenticate with GitLab

*Only available on Self-Managed

GitLab can integrate with most authentication and authorization providers that support standards such as OIDC, SAML, and SCIM. It also provides SSO capabilities, including OAuth login.

System Access

LDAP Authentication

*Only available on Self-Managed

Authenticate with LDAP

System Access

SAML SSO

Simplify user login with SAML SSO

System Access

OAuth Applications

Support for instance wide OAuth applications

System Access

Service Accounts

Service Accounts serve non-human authentication needs, like bots and integrations. They do not consume a seat.

System Access

Enterprise Users

Enterprise level User Management controls

System Access

Two-factor Authentication (2FA)

Two-factor authentication secures your account by requiring a second confirmation in addition to your password. That second factor keeps your account protected even if your password alone is compromised. The ability to enforce 2FA adds further security by making sure all users are using it.

System Access

Smart card support

*Only available on Self-Managed

Authenticate into GitLab using a smart card with a compliant X.509 certificate.

System Access

Group Access Tokens

Generate an access token scoped to a single group that can authenticate with the GitLab API.

System Access

Project Access Tokens

Generate an access token scoped to a single project that can authenticate with the GitLab API.

Permissions

GitLab provides various permissions and roles in order to evaluate what access or rights an identity should have in an environment. Custom roles can also be created to allow an organization to create user roles with the precise privileges and permissions desired.

Permissions

Granular user roles and flexible permissions

Manage access and permissions with five different user roles and settings for external users. Set permissions according to people's role, rather than granting either read or write access to a repository. Don't share the source code with people who only need access to the issue tracker.

Permissions

Custom Roles

Custom roles allow group members who are assigned the Owner role to create roles specific to the needs of their organization.

Permissions

Token Permissions

Token permissions control what actions and resources a token can access within GitLab.

Instance Resiliency

Instance Resiliency provides tools to prevent malicious activity within GitLab instances. These tools include external pipeline validation, which lets you use an external service to validate a pipeline before it is created.

Instance Resiliency

reCAPTCHA

GitLab leverages Google's reCAPTCHA to protect against spam and abuse.

Insider Threat

Insider Threat identifies attacks and high-risk behaviors by correlating different data sources and observing user behavioral patterns.

Insider Threat

Git abuse rate limiting

Automatically notify administrators when a user downloads or clones more than a specified number of repositories in a group or any of its subgroups within a given time frame.

Audit Events

Audit Events track important actions within GitLab, along with who performed them and when. These events can be used in a security audit to assess risk, strengthen security measures, respond to incidents, and demonstrate compliance.

Audit Events

Audit events report

Continuously log events that are commonly requested in audits. Discover who did what and when.

Audit Events

Audit events CSV export

*Only available on Self-Managed

Create a .csv report for a comprehensive view of audit events in an instance of GitLab.

Audit Events

Chain of custody report

Create a .csv report of all merge commits within the group.

Audit Events

Auditor access

*Only available on Self-Managed

Provide users read-only access to all projects, groups, and other resources on the GitLab instance.

Audit Events

Streaming Audit Events

Send audit events as they occur to a destination of your choosing. Use this to drive custom automation, create backups, or integrate with other data streams. Configure this with the API or GitLab UI.

Compliance Management

Compliance Management provides customers with the tools necessary to ensure and manage their compliance programs. Compliance Workflow Automation is provided to enforce custom pipelines to run on projects which have specific compliance needs. For compliance oversight, the Compliance Center provides a central location for compliance teams to manage their compliance standards adherence reporting, violations reporting, and compliance frameworks for their group.

Compliance Management

Compliance pipeline configuration

Ensure projects perform the steps necessary to meet regulatory requirements with a common pipeline definition that will run for all projects which adhere to a given compliance framework.
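An added example (not from this page or from GitLab's own project) of the pipeline definition kept in the designated compliance project. Projects labelled with the framework run this file in place of their own, so it has to include the project's own configuration explicitly. The mandated templates, the evidence job, its image and the retention period are assumptions; the `include:project` form with `CI_PROJECT_PATH`, `CI_CONFIG_PATH` and `CI_COMMIT_SHA` is the documented way to pull the target project's pipeline back in:

```yaml
# .gitlab-ci.yml of the compliance project (added example, not from the page)
# The main configuration's `stages` list wins over any included one, so it
# must contain every stage the in-scope projects use.
stages:
  - compliance
  - build
  - test
  - deploy

include:
  # The project's own pipeline. These predefined variables resolve to the
  # project being built, not to the compliance project holding this file.
  - project: '$CI_PROJECT_PATH'
    file: '$CI_CONFIG_PATH'
    ref: '$CI_COMMIT_SHA'
  # Scans mandated for every project under the framework (assumed choice).
  - template: Security/Secret-Detection.gitlab-ci.yml
  - template: Security/SAST.gitlab-ci.yml

# Mandated evidence job. Give it a distinctive name so nothing in the
# included project configuration shares it.
compliance_record:
  stage: compliance
  image: alpine:3.19        # assumed image
  script:
    - |
      printf '%s\n' "project=$CI_PROJECT_PATH" "commit=$CI_COMMIT_SHA" \
        "pipeline=$CI_PIPELINE_ID" "triggered_by=$GITLAB_USER_LOGIN" > evidence.txt
  artifacts:
    paths: [evidence.txt]
    expire_in: 1 year       # assumed retention
  rules:
    - when: always
```

Because the compliance file is the pipeline's main configuration, job definitions here take precedence over identically named jobs in the included project file; the practical consequence is that developers cannot redefine `compliance_record` or the template jobs away in their own `.gitlab-ci.yml`, which is the enforcement the card above describes.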

Compliance Management

Customizable system header and footer messages

*Only available on Self-Managed

Easily distinguish controlled environments and post warnings to users with custom header and footer messages displayed throughout GitLab and in email notifications sent from GitLab.

Compliance Management

Violations report

View an aggregated list of merge requests for all projects in a group. Easily identify and act on merge requests that are out of compliance or generate and export a chain of custody report for the group's projects.

Compliance Management

Custom compliance frameworks

Create unique compliance frameworks that projects must follow. These appear as a label next to a project to distinguish it from others.

Compliance Management

Compliance frameworks report

View a list of projects and the compliance frameworks that have been applied to them. Easily view which projects are tagged with a compliance framework and identify projects that are missing frameworks.

Compliance Management

Compliance standards adherence report

View a list of compliance adherence checks and see how well your projects are adhering to regulations and standards.

Release Evidence

Release Evidence provides assurances and evidence collection that are necessary for you to trust the changes you're delivering. When a release is created, GitLab takes a snapshot of relevant release data as evidence that it occurred.

Release Evidence

Release Evidence

Snapshots of the release's metadata, taken in JSON format at creation and completion, serve as a chain of custody to support review processes such as an audit.

Secrets Management

Secure and protect access to secrets, such as API keys and passwords, to ensure that sensitive data is protected throughout your development process.

Secrets Management

HashiCorp Vault Integration

Securely retrieve secrets from HashiCorp Vault to use in your CI/CD pipelines

Secrets Management

Azure Key Vault Integration

Securely retrieve secrets from Azure Key Vault to use in your CI/CD pipelines

Secrets Management

Google Secret Manager Integration

Securely retrieve secrets from Google Secret Manager to use in your CI/CD pipelines

Secrets Management

Secure your CI/CD workflow using ID Tokens

Use OIDC ID tokens to authenticate to secrets management providers and retrieve secrets.
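An added example (not from this page or from GitLab's own project) that ties the HashiCorp Vault integration card above to this one: the job requests an ID token from GitLab and presents it to Vault's JWT auth method, so no long-lived Vault token is stored as a CI/CD variable. The Vault address, auth mount, role name, KV mount, secret path and deploy script are all assumptions; `id_tokens`, `secrets:vault`, `VAULT_SERVER_URL`, `VAULT_AUTH_PATH` and `VAULT_AUTH_ROLE` are the documented keywords and variables:

```yaml
# .gitlab-ci.yml (added example, not from the page). Assumes a Vault server at
# https://vault.example.test with the JWT auth method mounted at `jwt`, a role
# named `gitlab-ci` bound to this project, and a KV v2 engine mounted at `kv`.
stages:
  - deploy

deploy:
  stage: deploy
  id_tokens:
    # GitLab signs a short-lived OIDC token for this job. Vault verifies it
    # against GitLab's JWKS and reads the project, ref and ref_protected
    # claims from it before issuing a Vault token.
    VAULT_ID_TOKEN:
      aud: https://vault.example.test
  variables:
    VAULT_SERVER_URL: https://vault.example.test
    VAULT_AUTH_PATH: jwt
    VAULT_AUTH_ROLE: gitlab-ci
  secrets:
    DATABASE_PASSWORD:
      # <secret path>/<field>@<engine mount>
      vault: production/db/password@kv
      token: $VAULT_ID_TOKEN
      file: false     # inject the value itself, not a path to a temp file
  script:
    - ./deploy.sh     # assumed script; reads DATABASE_PASSWORD from the environment
  rules:
    # Only protected refs run this job; bind the same condition on the Vault
    # side so a token minted for an unprotected branch is refused there too.
    - if: $CI_COMMIT_REF_PROTECTED == "true"
```

On the Vault side the `gitlab-ci` role should set `bound_audiences` to the `aud` above and `bound_claims` on `project_id` and `ref_protected`, so that a token from any other project, or from an unprotected branch of this one, is rejected even if it reaches Vault. The job-level `rules` entry is a convenience; the Vault bindings are the control.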

Secrets Management

CI/CD job token

Use a CI/CD job token to authenticate with certain GitLab features from running jobs.
You can use a job token to authenticate with GitLab to access another project's resources (the target project). By default, the job token's project must be added to the target project's allowlist.

Ready to get started?

See what your team can do with the most comprehensive AI-powered DevSecOps platform.