With GitLab 14, we saw deep emphasis on modernizing our DevOps capabilities. This modernization enabled enhanced application security and strenghtened collaboration between developers and security professionals.
We saw enhancments such as:
- global rule registry and customization for policy requriements with support for separation of duties
- a newly developed browser-based Dynamic Application Security Testing (DAST) scanner used to test and secure modern APIs and Single Page
- more support for different languages using Semgrep
- new vulnerability management capabilities to increase visibility
With the GitLab 15 release, we can see how our commitment to enhancing application security across the board is stronger than ever. In this blog post, I will provide details on how GitLab is commited to enhancing not only security, but efficiency.
Discover how GitLab 15 can help your team deliver secure software, while maintaining compliance and automating manual processes.
Save the date for our GitLab 15 launch event on June 23rd!
GitLab 15 security features
We see that with every GitLab release, there are plenty of enhancements to our security tools.
GitLab 15 is no exception! We can see a boatload ? of security enhacements released in GitLab 15 below:
These features run across different stages of the software development lifecycle. I have created a video showing some of the coolest new security features
in GitLab 15:
Scanners moved to GitLab Free Tier
A lot of our scanners were only part of GitLab Ultimate in the past. However, over time, certain scanners
have been moved over to GitLab Free Tier, enabling you to enhance the security of your application
no matter what tier of GitLab you are using.
|Scanner||Introduced||Moved to Free|
Within the free tier, you are able to download the reports generated by the security scanners.
This allows developers to see what vulnerabilites were detected within their source code and
However, there are benefits to upgrading to Ultimate, which are described below.
Benefits of upgrading to Ultimate
Some organizations have multiple groups and projects they are working on, as well as a the security team,
which manages all the detected vulnerabilities. While having security scan reports ready for download
is useful, it is not exactly scalable across an organization. This is where Ultimate assists in enhancing
While the GitLab Free Tier includes SAST, Secret Detection, and Container Scanning to find vulnerabilities
in your source code, when you upgrade to Ultimate, you are provided with even more scanners. Here are some
of the additional scanners provided in Ultimate:
In Ultimate, there is enhanced functionality within the developer lifecycle. The merge request a developer creates will
contain a security widget which displays a summary of the new security scan results. New results are determined by
comparing the current findings against existing findings in the default branch.
The results contain not only detailed information on the vulnerability and how it affects the system, but also
solutions to mitigating or resolving the issue. These vulnerabilities are also actionable, meaning that a comment
can be added in order to notify the security team, so they may review – enhancing developer and appsec collaboration.
A confidential issue can also be created so that developers and security professionals can work together towards a
resolution safely and efficiently.
While these features were avaliable in Ultimate on older versions of GitLab, within release 14 this feature was heightened
to include developer training within the vulnerability, helping to educate developers and make them more security-aware. GitLab 15
will provide even more enhancements to the developer lifecycle.
Security team lifecycle
There are also several features which greatly benefit members of a security team.
The security team is able to effectively manage and triage vulnerabilities using the Vulnerability Reports.
The security dashboard allows the security team to assess the security posture
of a project or group of projects. This is helpful to see how many vulnerabilities were introduced/resolved over time, as well as which projects require more
attention than others
These are just some of the features GitLab has to offer in terms of security. For even more features, please see
the GitLab application security documentation.
“Learn how @GitLab 15 commits to enhanced application security in the modern Devops world” – Fernando Diaz
Click to tweet