GitLab Application Security

Continuous security testing within GitLab CI/CD


GitLab Security

GitLab's secure capabilities support decision-makers. Instead of security being a blocker, we want to provide a very simple way to take the right action and learn from it. Keeping it simple is a key value, so that security features are not considered more effort than their perceived benefit. What counts as a false positive can be very subjective, and risk assessment remains mostly a human process. That is why we believe security features should not automatically block a pipeline or prevent a new version from being released to production.


What is Application Security?

Application Security is the prevention of attacks that steal information, alter application behavior, or otherwise compromise the integrity, authentication, or availability of an application.


Why is Security needed?

Application Security Benefits

  • Safety: Protecting confidential information assures customers that their sensitive information is safe
  • Market Reputation: Market reputation is hard to gain but easy to lose. Preventing cyber attacks prevents loss of market share
  • Better Quality: Testing is integrated throughout the lifecycle, shifting security left so that security issues surface early
  • Awareness: Gives developer teams immediate visibility into code vulnerabilities earlier in development and raises awareness for future deployments
  • Faster ROI: Faster product releases, stronger customer trust, and secure features that deliver immediate business value

What Are The GitLab Advantages?

  • Supports users in prioritizing, managing, and solving security issues that affect their environment
  • Easy to learn: See our Quick Start guide on setting up GitLab
  • Supports decision makers by giving them a very simple way to take the right action and learn from it. Simplicity is a key value, so that security features are not skipped because they seem too complex
  • Tools are actionable, so users can interact with them and provide feedback about their content. When triaging vulnerabilities, users can confirm them (creating an issue to solve the problem) or dismiss them (when they are false positives and there is no further action to take)
  • Easy to use: Requires the minimum amount of effort from users; we do not want to add extra workload on end users
  • Shifting security left: GitLab introduces security into the CI/CD pipeline, with results delivered in the same single application as the code and the pipeline

Security Deep Dive


Features

  • Static Application Security Testing (SAST): Finds vulnerabilities early in the development process, so they can be fixed before deployment
  • Dynamic Application Security Testing (DAST): Once code is deployed, tests the running web application for a further set of attacks that can only be observed at runtime
  • Dependency Scanning: Automatically finds security vulnerabilities in your dependencies while you are developing and testing your applications, for example when you use an external (open source) library with known vulnerabilities
  • Container Scanning: Analyzes your container images for known vulnerabilities
  • Auto Remediation: Aims to automate the vulnerability resolution flow by automatically creating a fix. The fix is then tested and, if it passes all the tests already defined for the application, deployed to production
  • Secret Detection, IAST and Fuzzing: Future features GitLab will be adding to its security capabilities; see the visions for Secret Detection, IAST, and Fuzzing

Continuous security testing within CI/CD


Static Application Security Testing (SAST)

  • Scan the application source code and binaries to spot potential vulnerabilities.
  • Because these open source tools are installed as part of GitLab Ultimate, there are no added costs.
  • Vulnerabilities are shown in-line with every merge request and results are collected and presented as a single report.
  • Evaluate vulnerabilities from the GitLab pipeline and dismiss or create an issue with one click.

Dynamic Application Security Testing (DAST)

  • Dynamic scanning earlier in the SDLC than ever possible, by leveraging the review app CI/CD capability of GitLab.
  • Test running web applications for known runtime vulnerabilities.
  • Users can provide HTTP credentials to test private areas.
  • Vulnerabilities are shown in-line with every merge request.

Dependency Scanning

  • Analyze external dependencies (e.g. libraries like Ruby gems) for known vulnerabilities on each code commit with GitLab CI/CD.
  • Identify vulnerable dependencies needing updating.
  • Vulnerabilities are shown in-line with every merge request.

Container Scanning

  • Check Docker images for known vulnerabilities in the application environment.
  • Avoid redistribution of vulnerabilities via container images.
  • Vulnerabilities are shown in-line with every merge request.

License Management

  • Automatically search project dependencies for approved and blacklisted licenses defined by your policies.
  • Custom license policies per project.
  • License analysis results are shown in-line for every merge request for immediate resolution.
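The feature sections above describe scanners that run as jobs in the project's pipeline. The following `.gitlab-ci.yml` is an added example, not configuration from this page or from GitLab's own templates, showing how a project enables SAST, Dependency Scanning, Container Scanning, License scanning and DAST by including GitLab's bundled CI templates, builds the image that Container Scanning analyzes, and points DAST at a per-branch review app. Template and variable names follow current GitLab documentation and may differ in older versions (the page's "License Management" feature was later renamed License Scanning); the review-app hostname pattern, the `deploy.sh` script and the `build_image` job are assumptions made for this example.

```yaml
# Added example (not from the GitLab page or GitLab's own templates):
# a minimal .gitlab-ci.yml that enables the scanners described on this page.
# Template names follow current GitLab docs and may differ by version.
stages:
  - build
  - test      # the security templates put their scan jobs in this stage
  - review
  - dast

include:
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  - template: Security/Container-Scanning.gitlab-ci.yml
  - template: Security/License-Scanning.gitlab-ci.yml
  - template: Security/DAST.gitlab-ci.yml

variables:
  # Container Scanning needs an image to analyze; build_image below pushes one
  # tagged with the commit SHA to the project's container registry.
  CS_IMAGE: $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
  # DAST needs a running target: the review app deployed for this branch.
  # The hostname pattern is an assumption for this example.
  DAST_WEBSITE: https://$CI_COMMIT_REF_SLUG.review.example.com

build_image:
  stage: build
  image: docker:24
  services:
    - docker:24-dind
  script:
    # Registry credentials come from GitLab's predefined CI variables; the
    # password is passed on stdin so it never appears in a process list.
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
    - docker build -t "$CS_IMAGE" .
    - docker push "$CS_IMAGE"

deploy_review:
  stage: review
  environment:
    name: review/$CI_COMMIT_REF_SLUG
    url: https://$CI_COMMIT_REF_SLUG.review.example.com
  script:
    # Placeholder deploy step (assumed for this example); replace with the
    # project's own way of standing up a per-branch environment.
    - ./deploy.sh "$CI_COMMIT_REF_SLUG"
  rules:
    - if: $CI_MERGE_REQUEST_IID

# The template's dast job already runs with allow_failure: true, so findings
# are reported in the merge request without blocking the pipeline, matching
# the philosophy stated on this page. Only the scheduling is overridden here:
# run DAST on merge requests, after the review app is up.
dast:
  needs:
    - deploy_review
  rules:
    - if: $CI_MERGE_REQUEST_IID
```

With this in place each merge request carries SAST, dependency, container and license findings from the `test` stage and DAST findings from the `dast` stage, all surfaced in the merge request widget where they can be confirmed or dismissed as described above. Jobs inherited from the templates keep their default `allow_failure: true`; to make a particular scanner block merges, override that job's `allow_failure` (or use a merge request approval policy) rather than failing the whole pipeline.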

Try all GitLab features - free for 30 days

GitLab is more than just source code management or CI/CD. It is a full software development lifecycle & DevOps tool in a single application.
