DevSecOps with GitLab
Integrating security into your DevOps lifecycle is easy with GitLab. Security and compliance are built-in, out of the box, giving you the visibility and control necessary to protect the integrity of your software.
The DevOps platform that simplifies DevSecOps
GitLab is known for industry-leading Source Code Management (SCM) and Continuous Integration (CI). Developers want to use GitLab. We make it easy for them to develop more secure and compliant software. The GitLab DevOps platform shifts both security and compliance earlier in the development process with consistent pipelines that automate scanning and policies. Uniting developers and security pros within one platform streamlines vulnerability management for both and improves collaboration.
-
Application security testing and remediation. With every code commit, GitLab provides actionable vulnerability findings to developers while helping security pros manage remaining vulnerabilities through resolution.
-
Cloud Native Application Protection. GitLab helps you monitor and protect your deployed containerized applications.
-
Policy Compliance and Auditability. GitLab’s MR approvals, end-to-end transparency of who changed what, when, and where, along with a compliance dashboard and common controls help you meet your compliance needs.
-
SDLC Platform Security. See how we secure the GitLab software.
The Gitlab Difference
Simplicity
One platform, one price, with comprehensive application security.
Control
Compliance framework for consistency, common controls, policy automation.
Visibility
See who changed what, where, when, end-to-end.
DevSecOps simplified
Continuous security testing capabilities
Capabilities included within the GitLab Ultimate tier
Comprehensive Application Security Scanning for developers
Shift security left to empower developers to find and fix security flaws as they are created.
-
Automatically include application security testing in your CI pipelines - one tool, one cost, one user interface, one source of truth to unite dev and sec.
-
Provide actionable scan results to the developer to assess and resolve potential vulnerabilities at code commit, before code is merged - even for DAST.
-
Auto Remediation automatically creates a patch to resolve some vulnerabilities.
-
Scanners include SAST , DAST, Dependency scanning, License Compliance, Container scanning, Cluster Image Scanning, web API testing, Infrastructure-as-code](https://docs.gitlab.com/ee/user/application_security/iac_scanning/) (IaC) testing, Secret Detection
Vulnerability Management for security pros
Assess and triage vulnerabilities that remain after code changes are merged.
-
Security pros can manage vulnerabilities across projects and groups to evaluate and triage vulnerabilities.
-
Dynamically test running web applications on demand for known runtime vulnerabilities.
-
Show all dependencies used in a project via a Dependency List (also called a Bill of Materials).
-
Export findings, import findings from their party scanners and bug bounties. Filter by scanner vendor
Security and Compliance Governance
Automate security and compliance policies across your software development lifecycle.
-
Compliant pipelines for consistent use of security policies. Security configuration via check-boxes and granular controls - no need to code pipelines.
-
Security dashboards at the project, group, and instance level, along with a personalized view of specific projects.
-
Policy management for MR approvals, separation of duties and other common controls, including a Compliance Report.
Cloud native security
-
Container scanning, cluster image scanning, Infrastructure-as-code (IaC) scanning , web API fuzzing. All scan results are provided to the developer within their CI pipeline alongside more traditional scan results - no do-it-yourself integration is required.
-
Alerts and protection for applications deployed in connected Kubernetes clusters. At the network layer, Container Network Security filters traffic going in and out of the cluster and traffic between pods inside the cluster. Inside the container, Container Host Security can monitor and block activity inside the containers themselves.
Additional Capabilities within GitLab Ultimate
- Fuzz Testing - Fuzz testing acquisitions have been integrated alongside other scanners in the merge request pipeline. Apply this powerful technology to automatically test for unknown security flaws with coverage-guided fuzzing and API fuzzing
- Offline Environments - self-managed customers can run most of the GitLab security scanners when not connected to the internet
- Mobile app testing - Test mobile applications within your CI pipeline including Kotlin, Swift, Objective-C, and Java.
Capabilities included within all GitLab tiers
Basic Application Security
-
SAST and Secret Detection are automatically includeed in your CI pipelines - with no integration required.
-
Provide basic scan results to the developer at code commit, before code is merged. Results may be downloaded for analysis. Note that use of interactive findings in the Vulnerability Report requires the GitLab Ultimate tier.
-
Container Network Security and Container Host Security to protect applications deployed in connected Kubernetes clusters.
Why integration matters for DevSecOps
- Every piece of code is tested upon commit for security threats, without incremental cost.
- The developer can remediate now, while they are still working in that code, or create an issue with one click.
- The security pro can see and manage unresolved vulnerabilities captured as a by-product of software development.
- Single source of truth can focus collaboration on remediation, eliminating translation and finger pointing.
- A single tool reduces cost to buy, integrate and maintain point solutions throughout the DevOps pipeline.
Meeting your business objectives
We welcome your feedback and contribution to our vision and roadmap
Shift security and compliance left
Empower developers to find and fix flaws.
- Keep it simple. No need to integrate and maintain disparate tools. One tool, one price
- Findings from all scanners within the developer's pipeline.
Consistently compliant pipelines
Easily ensure pipelines consistently meet policy requirements
- Choose your compliance framework and automatically apply it to every pipeline.
- Security configuration for security pros (without coding yml)
Software Supply Chain Security
Protect your applications and their surrounding infrastructure.
- Manage security policies across the software development lifecyle.
- Auditability and traceability to see who changed what, where, from planning through production.
Resources
- Learn how to add Security to your CICD Pipeline
- Efficiently manage vulnerabilities and risk using the GitLab Security Dashboards
- Manage your Application Dependencies
- Use GitLab Application Security Capabilities with Jenkins
- See how we compare against other Security tools
