As software security becomes increasingly important, many companies want to introduce standard code scanning into their development workflows so that security vulnerabilities are found and remediated before they reach production. GitLab's DevSecOps Platform lets users run security scans in CI/CD pipelines; these scans can be enabled with a few lines of configuration and check applications for vulnerabilities that could lead to unauthorized access, data leaks, or denial of service (DoS). While most of what is covered in this blog pertains to Ultimate features, some features are available to Free and Premium tier users as well. By the end of this blog, you will have a solid starting point for adopting GitLab security scans with any tier of license, and you will understand the next steps to take to mature your DevSecOps practices.
Prerequisites
To enable security scanning for a project, you must have the following:
- a GitLab project that meets the requirements of the security scan you choose to enable, with CI enabled
- a .gitlab-ci.yml file for the project that has at least a build job defined
- a Linux-based GitLab Runner with the Docker or Kubernetes executor
Get started: Add a scan template to your pipeline
Here are the first steps to introduce security scanning.
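The following .gitlab-ci.yml is an added example, not configuration from the original post: it meets the prerequisites above (a build job plus a test stage) and enables scanning by including GitLab's built-in Security templates. The job name, container image and build commands are placeholders for illustration; the template paths are the ones GitLab ships.

```yaml
# Added example (not from the original post): a minimal .gitlab-ci.yml that
# satisfies the prerequisites and turns on scanning through GitLab templates.
# When you define your own "stages:" list you override GitLab's defaults, and
# the included scan jobs run in the "test" stage, so "test" must be listed
# here or the pipeline fails with "stage does not exist".
stages:
  - build
  - test

# Placeholder build job; image and commands are illustrative assumptions.
build:
  stage: build
  image: node:18
  script:
    - npm ci
    - npm run build

# GitLab-maintained templates. Each adds one or more scan jobs to the
# pipeline and produces a JSON report artifact for the scan type.
include:
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml
```

Commit this file, let the pipeline run, and check the new scan jobs in the test stage; their report artifacts are produced on every tier, while the Vulnerability Report and merge request security widget that consume them are Ultimate features. Remove any template whose scan your tier does not support, or its job will be skipped or fail.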
Available security scans
GitLab provides a variety of security scanners, each with its own set of criteria for adoption:
| Scan type | Minimum tier | Prerequisites | Application requirements |
|---|---|---|---|