GitLab adds security scan policies
GitLab, the web repository manager for Git, has been updated with improvements including project-level security scan execution policies and SAST improvements that reduce Ruby false positives. GitLab provides issue tracking, continuous integration, and deployment pipeline support.
Version 14.3 also adds group level permissions for protected environments and group access for the GitLab Kubernetes agent.
The project level security policy is described by the developers as the first iterative step towards their vision to bring unified security policies to GitLab. Users can now require DAST and Secret Discovery scans to run on a regular basis or as part of project CI pipelines. This can be used by security teams to separately manage these scanning requirements without developers changing the configuration.
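As an added illustration of the two enforcement modes described above (scheduled scans and scans attached to project pipelines), here is a constructed scan execution policy in the YAML form GitLab reads from a security policy project. It is not taken from the article or from GitLab's documentation; the file path, the policy names, the cron cadence, and the DAST profile names are assumptions, and the key names reflect the policy schema as understood at the time of GitLab 14.3.

```yaml
# Assumed location: .gitlab/security-policies/policy.yml in the
# security policy project linked to the application project.
# Everything below is a constructed example, not the article's content.
scan_execution_policy:
  # Policy 1: a scheduled DAST + secret detection run that does not
  # depend on the developers' own .gitlab-ci.yml.
  - name: Nightly DAST and secret detection      # assumed name
    description: Run security scans every night against main
    enabled: true
    rules:
      - type: schedule
        branches:
          - main
        cadence: "0 2 * * *"                     # 02:00 daily, constructed
    actions:
      - scan: dast
        site_profile: Production site            # assumed DAST site profile
        scanner_profile: Passive scan            # assumed DAST scanner profile
      - scan: secret_detection

  # Policy 2: secret detection injected into every project pipeline,
  # so developers cannot opt out by editing their CI configuration.
  - name: Secret detection on every pipeline     # assumed name
    description: Enforce secret detection on all branches
    enabled: true
    rules:
      - type: pipeline
        branches:
          - "*"
    actions:
      - scan: secret_detection
```

The security-relevant point is the separation of duties: the policy lives in a project the security team controls, so the scan requirement survives even if a developer removes the corresponding job from the application project's `.gitlab-ci.yml`.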
The second change to note is the ability to set and use group level permissions for protected environments. This can be used to set permissions based on the deployment level, so that deployments can be locked down for higher levels such as production environments, while still allowing developers to test and modify individual projects.
Another improvement is the GitLab Kubernetes agent. This provides a secure connection between a Kubernetes cluster and GitLab. Until now, the CI/CD tunnel could only push to a cluster from the same project in which the Kubernetes agent was registered. In GitLab 14.3, the agent can be authorized to access entire groups, which means that each project in the authorized group has access to the cluster without needing to register an agent for each project.
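To show how the group-level authorization described above fits together, here is a constructed pair of configuration fragments that is not part of the article or of GitLab's own documentation. The agent name (`my-agent`), the group path (`example-group`), the project hosting the agent (`example-group/infra-project`), and the `deploy` job are all assumptions; the `ci_access.groups` key and the `kubectl config use-context` form reflect the agent configuration as understood for GitLab 14.3.

```yaml
# File 1 (assumed path): .gitlab/agents/my-agent/config.yaml
# Lives in the project where the agent is registered (example-group/infra-project).
# Authorizing the whole group replaces one agent registration per project.
ci_access:
  groups:
    - id: example-group          # constructed group path; every project below it gets access
---
# File 2 (assumed): .gitlab-ci.yml in any other project under example-group.
# The CI/CD tunnel exposes the agent's cluster as a kubectl context named
# "<agent project path>:<agent name>".
deploy:
  image: bitnami/kubectl:latest  # assumed image
  script:
    - kubectl config use-context example-group/infra-project:my-agent
    - kubectl get pods --namespace default
```

From a least-privilege standpoint, authorizing a group grants cluster access to every current and future project in that group, so the scope of the group should be chosen with that in mind rather than defaulting to the top-level group.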
Ruby support has also been improved with SAST changes that reduce Ruby false positives. The GitLab team says that GitLab's SAST has so far relied on more than a dozen open source static analysis security analyzers. Their detection techniques range from basic regex pattern matching to abstract syntax tree parsing, and these techniques can produce false positives. Developers could already dismiss these false positives manually; the improvements mean this is now automated. This first release of GitLab's proprietary static application security testing engine was developed in-house and is maintained by GitLab's static analysis and vulnerability research groups. Initially, the engine focuses on Ruby and Rails to help reduce false positives, but it will be extended in future releases.
GitLab 14.3 is available now.