Gitlab hero border pattern left svg Gitlab hero border pattern right svg
Gitlab logo svg

DevSecOps with GitLab

With GitLab, Security is built into the CI/CD process. Every code commit is automatically scanned for security vulnerabilities in your code and its dependencies. Results are delivered to the developer in their native workflow for rapid remediation.

Empower developers to create secure code

Application Security is hard when security is separated from your DevOps workflow. Security has traditionally been the final hurdle in the development life cycle. Iterative development workflows can make security a release bottleneck. Instead of waiting for security at the end of the development process, you can include it seamlessly within your developer's workflow.

How GitLab enables DevSecOps

  • Every piece of code is tested upon commit for security threats, without incremental cost.
  • The developer can remediate now, while they are still working in that code, or create an issue with one click.
  • The dashboard for the security pro shows vulnerabilities remaining that the developer did not resolve on their own.
  • Vulnerabilities can be efficiently captured as a by-product of software development.
  • A single tool also reduces cost over the approach to buy, integrate and maintain point solutions throughout the DevOps pipeline.
CI/CD Overview

What Are The GitLab Advantages?

  • Contextual. Unlike traditional application security tools primarily intended for use by security pros, GitLab secure code capabilities are built into the CI workflow where developers live. We empower developers to identify vulnerabilities and remove them early in the development cycle, while at the same time providing security professionals a dashboard to view items not already resolved by the developer, across projects. This contextual approach helps each role deal with items that are most important and most relevant to their scope of work within the delivery process.
  • Congruent with DevOps processes. GitLab Secure capabilities support decision makers within their natural workflow. Reports are interactive, actionable, iterative, and (most importantly) relevant to recent changes. Developers immediately see the cause and effect of their own specific changes, so they can iteratively address security flaws alongside code flaws.
  • Integrated with DevOps tools. When triaging vulnerabilities, users can confirm (by creating an issue to solve the problem) or dismiss them (in case they are false positives or there are compensating controls). When using GitLab, no additional integration is needed between app sec and ticketing, CI/CD, etc.
  • Efficient and automated. Eliminates mundane work wherever possible. Auto remediation applies patches to vulnerable dependencies and even re-runs the pipeline to evaluate the viability of the patch.

Integrated security conversation

Continuous security testing capabilities

included within GitLab Ultimate/Gold

Static Application Security Testing (SAST)

  • Scan the application to spot potential vulnerabilities before code is merged.
  • Vulnerabilities are shown in-line with every merge request
  • All scan results are collected and presented as a single report.
  • Evaluate vulnerabilities from the GitLab pipeline and dismiss or create an issue with one click.

Dynamic Application Security Testing (DAST)

  • Dynamic scanning earlier in the SDLC than ever possible, by leveraging the review app CI/CD capability of GitLab.
  • Test running web applications for known runtime vulnerabilities.
  • Users can provide HTTP credentials to test private areas.
  • Vulnerabilities are shown in-line with every merge request.

Dependency Scanning

  • Analyze external dependencies (e.g. libraries like Ruby gems) for known vulnerabilities on each code commit with GitLab CI/CD.
  • Identify vulnerable dependencies needing updating.
  • Vulnerabilities are shown in-line with every merge request.

Container Scanning

  • Check Docker images for known vulnerabilities in the application environment.
  • Avoid redistribution of vulnerabilities via container images.
  • Vulnerabilities are shown in-line with every merge request.

License Compliance

  • Automatically search project dependencies for approved and unapproved licenses defined by your policies.
  • Custom license policies per project.
  • License analysis results are shown in-line for every merge request for immediate resolution.

Additional Capabilities

  • Auto Remediation: Auto remediation aims to automated vulnerability solution flow, and automatically create a fix. The fix is then tested, and if it passes all the tests already defined for the application, it is deployed to production.
  • Secret Detection: Prevent secrets from accidently leaking into your Git history. Each commit is scanned for secrets within SAST.
  • Fuzz Testing: Fuzz testing acquisitions are integrating alongside other scanners in the merge request pipeline. See the visions for Fuzzing
Exciting new capabilities!
We welcome your feedback and contribution to our vision and roadmap
Icon data doc
Vulnerability Management
Evaluate vulnerabilities based upon risk and scanning vendor used.
Risk-based Triage Filter by scanner vendor
Icon shift left
Fuzz testing
Integrating Fuzz Testing acquisitions to apply this powerful technology to automatically test for unknown security flaws.
Coverage-guided Fuzz Testing API Fuzz Testing
Icon sheild check
Container Security
Defend the security of cloud-native production applications.
Container Network Policies Container Host Security

Resources

Try all GitLab features - free for 30 days

GitLab is more than just source code management or CI/CD. It is a full software development lifecycle & DevOps tool in a single application.

Try GitLab for Free
Git is a trademark of Software Freedom Conservancy and our use of 'GitLab' is under license
View page source — Edit in Web IDE — please contribute. Creative Commons License