
DevSecOps with GitLab

Integrating security into your DevOps lifecycle is easy with GitLab. Security is built in, out of the box, so you can continuously deliver secure software without compromising your DevOps velocity.


End-to-end security with GitLab

  • Application security testing and remediation. With every code commit, GitLab provides actionable vulnerability findings to developers while helping security pros manage remaining vulnerabilities through resolution.
  • Cloud Native Application Protection. GitLab Protect capabilities help you monitor and protect your Cloud Native production software environments.
  • Policy Compliance and Auditability. GitLab’s MR approvals, end-to-end transparency of who changed what, when, and where, along with a compliance dashboard and common controls help you meet your compliance needs.
  • SDLC Platform Security. See how we secure the GitLab software.

Shift left via DevSecOps

Continuous security testing capabilities included within GitLab Ultimate

Static Application Security Testing (SAST)

  • Scan the application to spot potential vulnerabilities before code is merged.
  • Vulnerabilities are shown in-line with every merge request.
  • All scan results are collected and presented as a single report.
  • Evaluate vulnerabilities from the GitLab pipeline and dismiss or create an issue with one click.

Dynamic Application Security Testing (DAST)

  • Run dynamic scanning earlier in the SDLC than was previously possible, by leveraging GitLab's review app CI/CD capability.
  • Test running web applications for known runtime vulnerabilities.
  • Users can provide HTTP credentials to test private areas.
  • Vulnerabilities are shown in-line with every merge request.

Dependency Scanning

  • Analyze external dependencies (e.g. libraries like Ruby gems) for known vulnerabilities on each code commit with GitLab CI/CD.
  • Identify vulnerable dependencies needing updating.
  • Vulnerabilities are shown in-line with every merge request.

Container Scanning

  • Check Docker images for known vulnerabilities in the application environment.
  • Avoid redistribution of vulnerabilities via container images.
  • Vulnerabilities are shown in-line with every merge request.

License Compliance

  • Automatically search project dependencies for approved and unapproved licenses defined by your policies.
  • Custom license policies per project.
  • License analysis results are shown in-line for every merge request for immediate resolution.

Additional Capabilities

  • Auto Remediation: Auto remediation aims to automate the vulnerability resolution flow and automatically create a fix. The fix is then tested, and if it passes all the tests already defined for the application, it is deployed to production.
  • Secret Detection: Prevent secrets from accidentally leaking into your Git history. Each commit is scanned for secrets within SAST.
  • Fuzz Testing: The fuzz testing capabilities GitLab acquired have been integrated alongside the other scanners in the merge request pipeline. Apply this technology to automatically test for unknown security flaws with coverage-guided fuzzing and API fuzzing.
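The scanners listed above are enabled per project through the CI/CD configuration. The following .gitlab-ci.yml is an added example written for this page, not GitLab's own sample; it includes GitLab's managed security templates (the template names are the real ones GitLab ships), assumes an earlier job in the pipeline has already pushed the application image to the project's container registry at the Container Scanning template's default path, and uses a placeholder URL for the DAST target.

```yaml
# .gitlab-ci.yml (added example, not from the GitLab page)
# Each included template adds a job that runs on every commit and
# reports findings in-line on the merge request and on the project's
# security dashboard.
stages:
  - build   # assumed: a job here builds and pushes the app image
  - test    # SAST, Secret Detection, Dependency/Container/License scanning
  - dast    # the DAST template's job runs in a stage named "dast"

include:
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  - template: Security/Container-Scanning.gitlab-ci.yml
  - template: Security/License-Scanning.gitlab-ci.yml
  - template: Security/DAST.gitlab-ci.yml

variables:
  # Scan the whole Git history once, not only the current commit, so
  # secrets committed before the scanner was enabled are also found.
  SECRET_DETECTION_HISTORIC_SCAN: "true"
  # Keep vendored and generated code out of SAST results to reduce noise.
  SAST_EXCLUDED_PATHS: "spec, test, tests, tmp, vendor"
  # Placeholder target for DAST when no review app URL is available;
  # replace with the deployed review app address.
  DAST_WEBSITE: "https://review-app.example.invalid"
  # To scan private areas, define DAST_AUTH_URL, DAST_USERNAME and
  # DAST_PASSWORD as masked CI/CD variables in the project settings
  # rather than writing credentials into this file.
```

Merge request pipelines then carry a report for each scanner; findings that were not present on the target branch appear in the merge request widget, where a developer can dismiss them or open an issue, as the capabilities list above describes.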

Why integration matters for DevSecOps

  • Every piece of code is tested upon commit for security threats, without incremental cost.
  • The developer can remediate now, while they are still working in that code, or create an issue with one click.
  • The security pro can see and manage unresolved vulnerabilities captured as a by-product of software development.
  • A single source of truth focuses collaboration on remediation, eliminating translation and finger pointing.
  • A single tool reduces cost to buy, integrate and maintain point solutions throughout the DevOps pipeline.

Exciting new capabilities!

We welcome your feedback and contribution to our vision and roadmap.

  • Vulnerability Management: Evaluate vulnerabilities based upon risk and the scanning vendor used. (Risk-based Triage; Filter by scanner vendor)
  • Mobile app testing: Test mobile applications within your CI pipeline, including Kotlin, Swift, Objective-C, and Java. (Getting started with SAST for Android)
  • Container Security: Protect cloud-native production applications. (Container Network Policies; Container Host Security)

Resources

  • Efficiently manage vulnerabilities and risk using the GitLab Security Dashboards
  • Use GitLab Application Security Capabilities with Jenkins
  • See how we compare against other Security tools

Try all GitLab features - free for 30 days

GitLab is more than just source code management or CI/CD. It is a full software development lifecycle & DevOps tool in a single application.

Git is a trademark of Software Freedom Conservancy and our use of 'GitLab' is under license