Application Security

Maintained by:

Application Security Mission
Application Security Roadmap
Roles & Responsibilities
Application Security KPIs & Other Metrics in Sisense
General Role Functions
- Stable Counterparts
- Application Security Reviews
Project ownership
Application Security Engineer Runbooks
Meeting Recordings
Backlog reviews
GitLab Secure Tools coverage

Application Security Mission

As part of the Security Engineering & Research sub-department, the application security team's mission is to support the business and ensure that all GitLab products securely manage customer data. We do this by working closely with both engineering and product teams.

Application Security Roadmap

Please see the Security Engineering and Research Program Strategy document.

Roles & Responsibilities

Please see the Application Security Job Family page.

Application Security KPIs & Other Metrics in Sisense

For KPIs and other metrics, please see this page.
For Embedded KPIs which you filter by section, stage, or group, please see this page.

General Role Functions

Stable Counterparts

Please see the Application Security Stable Counterparts page.

Application Security Reviews

Please see the Application Security Reviews page.

Project ownership

Please see the Appsec project owners page

Application Security Engineer Runbooks

Please see the Application Security Engineer Runbooks page index

Meeting Recordings

The following recordings are available internally only:

Backlog reviews

When necessary a backlog review can be initiated, please see the Vulnerability Management Page for more details.

GitLab Secure Tools coverage

As part of our dogfooding effort, the Secure Tools are set up on the following GitLab projects:

Project	SAST	Dependency Scanning	Container Scanning	DAST	Secrets Detection
GitLab	✅	✅	`N/A`	✅¹
Customers	✅	✅	`N/A`
version	✅	✅	✅	✅
License	✅	✅	✅	✅
Gitaly	✅²	✅	`N/A`¹¹	`N/A`
Pages	✅	✅	`N/A`	`N/A`
Workhorse	✅	✅	`N/A`	`N/A`
GitLab Shell	✅	✅	`N/A`	`N/A`
GitLab Runner	✅	✅		`N/A`	✅
GitLab Markup	✅⁸	`N/A`³	`N/A`	`N/A`
gitlab-ui	✅	✅	✅⁹	`N/A`¹⁰
gitlab-exporter	✅⁷	✅⁶	✅⁶	✅⁶
GitLab Omnibus				`N/A`
GitLab ElasticSearch Indexer	✅	✅	`N/A`	`N/A`
release-cli	✅	✅	✅⁹	`N/A`
VS Code Extension	✅	✅	`N/A`	`N/A`
figma plugin	✅	✅	`N/A`	`N/A`
sketch plugin	✅	✅	`N/A`	`N/A`
GitLab Agent
labkit	✅
labkit-ruby
gitlab-build-images	`N/A`	`N/A`		`N/A`
gitlab-agent	✅	✅	✅	`N/A`	✅
gitlab-terminal	✅	✅	`N/A`	`N/A`	✅

DAST authenticated full scan configured and scheduled to run nightly. To-do: https://gitlab.com/gitlab-com/gl-security/security-department-meta/-/issues/959#note_400990122
Only Go code is scanned. Gitaly's ruby code cannot be tested by brakeman (brakeman is specific to rails).
Dependency Scanning checks also transitive dependencies and , hence, DS does not need to be turned on for projects that are dependencies of other projects. It suffices to turn on DS on the parent project. For example, gitlab-markup is a dependency of gitlab. If DS is turned on for gitlab, gitlab-markup will also be checked for outdated deps.
https://gitlab.com/gitlab-org/gitlab-runner/-/merge_requests/1897
TODO: Setup DAST scan to be authentified (see https://gitlab.com/gitlab-com/gl-security/engineering/-/issues/769#note_315567580)
https://gitlab.com/gitlab-org/gitlab-exporter/-/merge_requests/117
https://gitlab.com/gitlab-org/gitlab-markup/-/merge_requests/26
https://gitlab.com/gitlab-org/release-cli/-/merge_requests/39
https://gitlab.com/gitlab-org/gitlab-ui/-/merge_requests/1557
https://gitlab.com/gitlab-com/gl-security/engineering/-/issues/769#note_379478139
Container scanning on GitLab Omnibus will also perform checks for Gitaly Setup standalone Gitaly

The results of these scans populate our Security Dashboards, which are reviewed by our team.