GitLab secure capabilities support the decision-makers. Instead of security being a blocker, we want to provide a very simple way to take the right action and learn from it. Keeping it simple is a key value so that security features will not be considered more effort than the perceived benefit. What counts as a false positive can be very subjective, and risk assessment will remain mostly a human process. That's why we believe security features should not automatically block a pipeline or prevent a new version from being released to production.
Support decision-makers by giving them a very simple way to take the right action, and learn from it. Simplicity is a key value, so that security features are not passed over because of their complexity.
Tools are actionable, so users can interact with them and provide feedback about their content. When triaging vulnerabilities, users can confirm them (creating an issue to solve the problem) or dismiss them (when they are false positives and no further action is needed).
Easy to use: require the minimum amount of effort from users. We don't want to add extra workload for end users.
Shifting security left: GitLab introduces security into the CI/CD pipeline, providing input on one application.
Security Deep Dive
Static Application Security Testing (SAST): Finds vulnerabilities early in the development process, allowing them to be fixed before deployment.
Dynamic Application Security Testing (DAST): Once code is deployed, tests your running web application against a new set of possible attacks that only become visible at runtime.
Dependency Scanning: Automatically finds security vulnerabilities in your dependencies while you are developing and testing your applications, such as when you are using an external (open source) library with known vulnerabilities.
Container Scanning: Analyzes your container images for known vulnerabilities.
Auto Remediation: Aims to automate the vulnerability resolution flow and automatically create a fix. The fix is then tested, and if it passes all the tests already defined for the application, it is deployed to production.
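As an added illustration (not configuration from the original page), the following `.gitlab-ci.yml` wires the four scanners named above into a pipeline by including GitLab's managed templates. It assumes a project that builds a container image in an earlier `build` stage and a staging deployment reachable at the assumed `https://staging.example.invalid` URL; the scanner jobs report findings to the merge request rather than failing the pipeline, which matches the "do not block" stance described above.

```yaml
# Added example: enable GitLab's built-in scanners in a project pipeline.
# The included templates define their own jobs; only stage names and a
# few variables need to be supplied by the project.
stages:
  - build
  - test   # SAST, Dependency Scanning and Container Scanning jobs run here
  - dast   # DAST runs after the application is deployed to staging

include:
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  - template: Security/Container-Scanning.gitlab-ci.yml
  - template: Security/DAST.gitlab-ci.yml

variables:
  # Assumed values for this example: the image built in the build stage,
  # and the staging environment that DAST will probe.
  CS_IMAGE: "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
  DAST_WEBSITE: "https://staging.example.invalid"
```

Findings from each scanner appear in the merge request's security widget, where a reviewer confirms (creating an issue) or dismisses (marking a false positive) each item, as described in the triage flow above.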