
Code Security and Compliance using GitLab

Besides version control and CI/CD, GitLab also offers a variety of security tests for your proprietary code (code you develop) and for external code you use (e.g. open source), as well as code compliance capabilities, to help you ensure that you make proper and legal use of any open source libraries and code snippets.

In GitLab you can run these tests directly on the code, and then review all the results in one central dashboard that keeps the findings organized.
GitLab’s dashboard also allows you to execute certain actions on the results and findings, and to share the information among all stakeholders (or whoever is allowed to view it, depending on their permissions).

[Image: GitLab’s Security Dashboard (Group-Level view)]

The tests can be run from GitLab CI (the built-in CI/CD tool that comes with GitLab) and can also be connected to other CI tools such as Jenkins.

The tests can be run even if the code is in another SCM tool (such as git, GitHub, Bitbucket, etc.).

Some of the tests are dynamic, which means they do not run on the code itself but against the running application or website that the code is deployed to.

The tests can be run either from a private GitLab server (self-hosted) or from the cloud / SaaS offering (GitLab.com).

Here you can see an overview of the relevant security scan features:

Note: most of the features here require a GitLab Ultimate license. If you need a quote contact us (our details are below).

Feature: Description

Container Scanning: Run a security scan to ensure the Docker images for your application do not have any known vulnerabilities in the environment where your code is shipped.

Dependency List: Identify the components included in your project by accessing the Dependency List (also referred to as a Bill of Materials, or BOM), which is often requested by Security and Compliance teams.

Dependency Scanning: Protect your application from vulnerabilities that affect dynamic dependencies by automatically detecting well-known security bugs in your included libraries.

Static Application Security Testing (SAST): Checks for vulnerable source code or well-known security bugs in the libraries that are included by the application. Results are then shown in the Merge Request and in the Pipeline view. This test supports the following code languages: C/C++, Apex, .NET, Java, Go, JS, Python, PHP, Swift, TypeScript, NodeJS and more.

Dynamic Application Security Testing (DAST): Ensure you are not exposed to web application vulnerabilities like broken authentication, cross-site scripting, or SQL injection.

Secret Detection: Checks for unintentionally committed secrets and credentials in git code and history.

API Fuzzing: Test the APIs in your apps to find vulnerabilities and bugs that traditional QA processes miss.

Coverage Fuzzing: Find security vulnerabilities and bugs in your app that traditional QA processes miss, supporting C/C++, Go, Java, JS, Python and more code languages.

Security Dashboard: Gain visibility into top-priority fixes by identifying and tracking trends in security risk across your entire organization.

License Compliance: Check that the licenses of your dependencies are compatible with your application (e.g. GPL, BSD, Apache, MIT licenses etc.), and approve or deny them.
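To show how the scanners above are actually switched on from GitLab CI, here is an added example of a minimal .gitlab-ci.yml; it is not code from the original post or from GitLab's documentation. It enables SAST, Secret Detection, Dependency Scanning, License Compliance, Container Scanning and DAST by including the CI templates GitLab ships for them. It assumes the project is on a GitLab Ultimate license (as the note above says), that a build job pushes an image to the project's container registry for Container Scanning to inspect, and that the DAST_WEBSITE value is a placeholder you replace with the URL of your own staging deployment.

```yaml
# Added example (not from the original post): enable GitLab's security
# scanners by including the templates that ship with GitLab.
# Assumptions: GitLab Ultimate license; the staging URL below is a placeholder.

stages:
  - build
  - test    # the scanning templates put their jobs in this stage
  - dast    # the DAST template puts its job in this stage

include:
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  - template: Security/License-Scanning.gitlab-ci.yml
  - template: Security/Container-Scanning.gitlab-ci.yml
  - template: Security/DAST.gitlab-ci.yml

variables:
  # DAST is a dynamic test: it needs a running deployment to scan,
  # so point it at your staging environment (placeholder value here).
  DAST_WEBSITE: "https://staging.example.invalid"

# Container Scanning reads the image the pipeline pushed to the project
# registry for this commit, so an image has to be built first. The tag
# below matches the template's default image name (an assumption; check
# the template for your GitLab version if it reports "image not found").
build_image:
  stage: build
  image: docker:20.10
  services:
    - docker:20.10-dind
  script:
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
    - docker build -t "$CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA" .
    - docker push "$CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA"
```

Each included template adds its own job (for example sast, secret_detection, dependency_scanning, license_scanning, container_scanning and dast) that uploads a security report artifact; GitLab reads those artifacts to populate the Merge Request widget, the Pipeline security tab and the Security Dashboard described above. Secret Detection and Dependency Scanning need nothing beyond the include; DAST only runs usefully once a deployment exists, so many teams restrict the dast stage to branches that actually deploy.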


ALM-Toolbox provides GitLab professional services, subscription licenses, managed services and more.
Any questions? Need a quote?
Contact us: gitlab@almtoolbox.com , 866-503-1471 (USA / Canada) or +972-722-405-222


Last update: December 2021