GitLab Ultimate is ideal for organizations aiming to optimize and accelerate delivery while managing priorities, security, risk, and compliance.
Available in both SaaS and self-managed deployment options, GitLab Ultimate adds advanced security capabilities, security risk mitigation, compliance, portfolio management and value stream management. In addition, GitLab Ultimate allows for free guest user licenses to improve your license usage for users with minimal interaction with the system.
Please note that this is not a comprehensive set of capabilities in GitLab Ultimate; visit about.gitlab.com/features for the latest. GitLab continuously adds features every month and evaluates features that can be moved to lower tiers to benefit more users.
|Increase Operational Efficiencies||Deliver Better Products Faster||Reduce Security & Compliance Risk|
|GitLab Ultimate provides a single, scalable interface for organization-wide DevSecOps, reducing handoffs across tools and teams, thereby improving efficiencies.||With end-to-end Value Stream Management and Portfolio Management, GitLab Ultimate allows for greater visibility and transparency across projects, helping to eliminate bottlenecks and deliver products faster.||GitLab Ultimate introduces built-in security testing, compliance and preventive security for cloud native applications, helping you manage security risk and achieve regulatory compliance.|
Protect the integrity of your software supply chain with built-in security testing. Learn more about Advanced security testing with GitLab.
|Dynamic Application Security Testing||Ensure you are not exposed to web application vulnerabilities like broken authentication, cross-site scripting, or SQL injection by dynamically investigating your running test applications in CI/CD pipelines.|
|Security Dashboards||Gain visibility into top-priority fixes by identifying and tracking trends in security risk across your entire organization.|
|Vulnerability Management||Empower your entire team, and not just Security, to act on security findings with a unified interface for scan results from all GitLab Security scanners.|
|Container Scanning||Run a security scan to ensure the Docker images for your application do not have any known vulnerabilities in the environment where your code is shipped.|
|Dependency Scanning||Protect your application from vulnerabilities that affect dynamic dependencies by automatically detecting well-known security bugs in your included libraries.|
|Vulnerability Reports||Vulnerability Reports give teams an efficient way to view, triage, track, and resolve vulnerabilities detected in applications, giving you full visibility into your organization’s risk. They are available for groups, projects, and the Security Center.|
|API Fuzz Testing||Test the APIs in your apps to find vulnerabilities and bugs that traditional QA processes miss.|
|Vulnerability Database||A vulnerability database that can be viewed and enhanced by anyone.|
|On-demand DAST||Identify vulnerabilities in your running application, independent of code changes or merge requests.|
|Create Jira issues from vulnerabilities||Efficiently collaborate between teams using GitLab for security testing and Jira for agile planning. Create a Jira issue type of your choosing directly from a vulnerability record.|
|Project Dependency List||Identify components included in your project by accessing the Dependency List (also referred to as Bill of Materials or BOM), which is often requested by Security and Compliance teams.|
|Custom Rulesets for SAST||GitLab SAST allows users to change the vulnerability detection defaults to tailor results to their organization's preferences. SAST custom rulesets allow you to exclude rules and modify the behavior of existing rules.|
|DAST Configuration UI||Enabling DAST is now as simple as three clicks. This guided configuration experience makes it easier for non-CI experts to get started with GitLab DAST. The tool helps a user create a merge request to enable DAST scanning while leveraging best configuration practices like using the GitLab-managed
|Coverage-guided Fuzz Testing||Find security vulnerabilities and bugs in your app that traditional QA processes miss.|
|Configuration UI||Enabling SAST is now as simple as two clicks. This guided configuration experience makes it easier for non-CI experts to get started with GitLab SAST. The tool helps a user create a merge request to enable SAST scanning while leveraging best configuration practices like using the GitLab-managed
Manage your organization's security policies, alerts, and approval rules. Learn more about Security risk mitigation with GitLab.
|Security Approvals||Require approval from your security team before allowing developers to merge in code that introduces new vulnerabilities.|
|Security Policies||Allow security teams to manage and enforce security policies for GitLab projects and for Kubernetes clusters.|
|Integrated security training||Enable security training from our content partners to see lessons embedded in the vulnerability management experience. Links to training are dynamically provided in merge request security scan results, the pipeline security tab, and vulnerability details pages. We use the type of security issue and project language to provide the best available match for the most relevant, targeted learning experience.|
Ensure your code, deployments, and environments comply with changing regulations and emerging risks. Learn more about Compliance with GitLab.
|License Compliance||Check that licenses of your dependencies are compatible with your application, and approve or deny them. Results are then shown in the Merge Request and in the Pipeline view.|
|Compliance report||View an aggregated list of merge requests for all projects in a group. Easily identify and act on merge requests that are out of compliance or generate and export a chain of custody report for the group's projects.|
|Quality Management||Define and plan test cases, maintain test execution results and create a backlog of work from failed tests.|
|Requirements Management||Gather, document, refine, and track approval of business and system requirements. Define traceability between requirements and other requirements, code, or test cases.|
|Require a Jira issue before merging code||Help teams using both Jira and GitLab better collaborate and stay in sync by requiring that a Jira issue be linked to each merge request.|
|Compliance pipeline configuration||Ensure projects perform the steps necessary to meet regulatory requirements with a common pipeline definition that will run for all projects which adhere to a given compliance framework.|
|Streaming Audit Events||Send audit events as they occur to a destination of your choosing. Use this to drive custom automation, create backups, or integrate with other data streams. Configure this with the API or GitLab UI.|
|External status checks||Send merge request data to third-party systems for validation before merging.|
|Credentials inventory||Keep track of all the personal access tokens, SSH keys, and GPG keys that can be used for access and verification. See when they expire and manage rotation policies.|
|Chain of custody report||Create a .csv report of all merge commits within the group.|
Manage large-scale, organization-wide projects. Learn more about Portfolio management with GitLab.
|Multi-level Epics||Plan and track strategies, initiatives, and features with multi-level epics. Organize and prioritize work across multiple child epics and their issues within the Epic Tree.|
|Issue and Epic Health Reporting||Report on and quickly respond to the health of individual issues and epics by viewing red, amber, or green health statuses on your Epic Tree.|
|Portfolio-level Roadmaps||Establish product vision and strategy, gain progress insights, organize, govern and shape the effort of multi-disciplinary teams with portfolio-level roadmaps.|
Measure and manage the business value of your DevSecOps lifecycle. Learn more about Value stream management with GitLab.
|Insights||Charts to visualize data such as triage hygiene, issues created/closed in a given period, average time for merge requests to be merged and much more.|
|DORA 4 Metrics: Change Failure Rate||Monitor the change failure rate, improve your uptime, and reduce service impairments on your environments.|
|DORA 4 Metrics: Time to Restore Service||Monitor the time to restore service over time, improve your uptime, and reduce service impairments on your environments.|
|DORA-4 metric - Deployment frequency||Monitor the frequency of your deployments over time, find bottlenecks, and make improvements when necessary.|
|DORA-4 metric - Lead time for changes||Lead time for changes measures the time to merge a change to production and helps you understand the efficiency of your deployments over time and find improvement areas.|
|Free guest users||Guest users don't count towards the license count.|
|DevOps Adoption||DevOps Adoption shows you which teams across your organization are using GitLab Issues, Merge Requests, Approvals, Runners, Pipelines, Deploys, and Scanning, and also shows the trend of adoption over time.|
|Satisfy Requirements from CI/CD pipelines||This powerful feature uses the GitLab single-application model to allow tests run in CI/CD pipelines to satisfy your requirements. This automates the cumbersome task of identifying satisfied requirements, and enables your organization to focus on delivering value.|
|Automated solutions for Dependency Scanning vulnerabilities||Download and apply a patch to fix vulnerabilities affecting your codebase.|
|Site and Scanner profiles for On-demand DAST scans||Reuse configuration profiles quickly with on-demand DAST scans, instead of reconfiguring scans every time you need to run one. Mix different scan profiles with site profiles to quickly conduct scans that cover different areas or depths of your application and API.|
|Automated solutions for Container Scanning vulnerabilities||Download and apply a patch to fix vulnerabilities affecting your codebase.|
|Dynamic API Security Testing (DAST API)||Gain insight into vulnerabilities across your entire running application's attack surface, not just your UI. Leverages Postman collection, HAR files, and OpenAPI specifications to automatically discover and dynamically test URLs and API endpoints.|
|Scheduling On-demand DAST scans||Set on-demand DAST scans to run on ad hoc or recurring schedules.|
|Custom Rulesets for Secret Detection||GitLab Secret Detection allows users to change the vulnerability detection defaults to tailor results to their organization's preferences. Secret Detection now supports disabling existing rules and adding new regex patterns that allow the detection of any type of custom secret.|
|Portfolio Management||Plan and track work at the project and portfolio level. Manage capacity and resources together with Portfolio Management.|
|Status Page||Deploy a static web page to communicate with stakeholders during an incident. Push updates to the Status Page directly from the incident.|
|View deployment status on the Environments page||You can view the deployment status directly from the environment page when there is an upcoming deployment. This shows the build number, author, and status icon, so you can take action immediately without needing to navigate to another location.|
|View alerts on the Environments page||Seeing triggered alerts alongside the status of your environments enables you to take immediate action to remedy the situation.|
|Standalone Vulnerability Objects||Track and manage detected project vulnerabilities like you would an Issue. Link directly to a specific vulnerability occurrence's page, create and link a remediation issue, and see vulnerability information persisted between security scans on the same branch.|
|Code Quality violation notices in MR diffs||Code Quality violations introduced in a merge request are annotated in the merge request diff view to detail how the code quality could decrease if merged.|
|Create test cases from within GitLab||Create and view test cases from within GitLab. This allows for seamless collaboration between contributors.|
|Import & Export Requirements||To better collaborate with external groups and organizations, requirements can be imported and exported in CSV format. This allows teams to use a single interface for development and testing against requirements.|
|Linked Epics||Mark epics as linked to one another.|