THE DevSecOps platform for end-to-end security

GitLab is known for industry-leading Source Code Management (SCM) and Continuous Integration (CI). Developers want to use GitLab. We make it easy to include security. Focus on apps, not tool maintentnance, while improving collaboration and transparency for one predictable cost.

Application security testing and remediation. With every code commit, GitLab provides actionable vulnerability findings to developers while helping security pros manage remaining vulnerabilities through resolution.
Cloud Native Application Protection. GitLab helps you monitor and protect your deployed applications.
Policy Compliance and Auditability. GitLab’s MR approvals, end-to-end transparency of who changed what, when, and where, along with a compliance dashboard and common controls help you meet your compliance needs.
SDLC Platform Security. See how we secure the GitLab software.

The GitLab difference

Simplicity

One platform, one price, with comprehensive app sec for both dev and sec

Application Security Testing Vulnerability Management Protect deployed apps

Control

Compliance framework for consistency, common controls, policy automation.

Compliance capabilities Compliance features Security policy configuration

Visibility

See who changed what, where, when, end-to-end.

Audit events Audit reports Dependency list (BOM)

Shift left via DevSecOps

Continuous security testing capabilities

Included within all GitLab tiers

Static Application Security Testing (SAST, all tiers)

Scan the application to spot potential vulnerabilities at code commit, before code is merged.
Secret Detection prevent secrets from accidentally leaking into your Git history.

Gitlab Static Application Security Testing

Included within the GitLab Ultimate tier

Gitlab Dynamic Application Security Testing

Dynamic Application Security Testing (DAST)

Dynamic scanning earlier in the SDLC than ever possible, by leveraging the review app CI/CD capability of GitLab.
Test running web applications for known runtime vulnerabilities.
Users can provide HTTP credentials to test private areas.

Dependency Scanning

Analyze external dependencies (e.g. libraries) for known vulnerabilities on each code commit with GitLab CI/CD.
Identify vulnerable dependencies needing updating.
A Dependency List (Bill of Materials) shows all dependencies used in a project.

Container Scanning

Check Docker images for known vulnerabilities in the application environment.
Avoid redistribution of vulnerabilities via container images.

License Compliance

Automatically search project dependencies for approved and unapproved licenses defined by your policies.
Custom license policies per project.
License analysis results are shown in the merge request pipeline alongside security vulnerabilities for immediate resolution.

Additional Capabilities

Auto Remediation: Auto remediation aims to automated vulnerability solution flow, and automatically create a fix. The fix is then tested, and if it passes all the tests already defined for the application, it is deployed to production.
Fuzz Testing: Fuzz testing acquisitions have been integrated alongside other scanners in the merge request pipeline. Apply this powerful technology to automatically test for unknown security flaws with coverage-guided fuzzing and API fuzzing

Why integration matters for DevSecOps

Every piece of code is tested upon commit for security threats, without incremental cost.
The developer can remediate now, while they are still working in that code, or create an issue with one click.
The security pro can see and manage unresolved vulnerabilities captured as a by-product of software development.
Single source of truth can focus collaboration on remediation, eliminating translation and finger pointing.
A single tool reduces cost to buy, integrate and maintain point solutions throughout the DevOps pipeline.

Exciting new capabilities!

We welcome your feedback and contribution to our vision and roadmap

Vulnerability Management

Evaluate vulnerabilities based upon risk and scanning vendor used.

Risk-based Triage Filter by scanner vendor

Mobile app testing

Test mobile applications within your CI pipeline including Kotlin, Swift, Objective-C, and Java.

Getting started with SAST for Android

Container Security

Protect cloud-native production applications.

Container Network Policies Container Host Security

Resources

Learn how to add Security to your CICD Pipeline

Efficiently manage vulnerabilities and risk using the GitLab Security Dashboards

Manage your Application Dependencies

Use GitLab Application Security Capabilities with Jenkins

See how we compare against other Security tools

DevSecOps with GitLab

THE DevSecOps platform for end-to-end security

Shift left via DevSecOps

Continuous security testing capabilities

Included within all GitLab tiers

Static Application Security Testing (SAST, all tiers)

Included within the GitLab Ultimate tier

Dynamic Application Security Testing (DAST)

Dependency Scanning

Container Scanning

License Compliance

Additional Capabilities

Why integration matters for DevSecOps

Try all GitLab features - free for 30 days