GitLab Tutorial
11. Security & Compliance
Traditional security models run audits *after* code is deployed to production. This "late scanning" model is highly risky, and vulnerabilities found that late are expensive to remediate. GitLab pioneered the "Shift Left" Security movement, running complete vulnerability scans directly inside every merge request before the code is ever merged.
Core GitLab Security Scanners
GitLab provides a suite of advanced security scanners that can be easily integrated using official template includes:
- Static Application Security Testing (SAST): Analyzes your source code for known security vulnerabilities (such as SQL injections, Cross-Site Scripting, and buffer overflows) without executing the application.
- Dynamic Application Security Testing (DAST): Scans a running application (often deployed in a Review App environment) by simulating external hacker attacks to find vulnerabilities in live endpoints.
- Secret Detection: Scans commits and repository files to ensure developers have not accidentally committed API credentials, private SSH keys, database passwords, or auth tokens.
- Dependency Scanning: Analyzes imported libraries (like NPM packages or Python packages) to detect if they contain security vulnerabilities and automatically creates patches.
- License Compliance: Audits the software licenses of third-party libraries (e.g., GPL, MIT, Apache) to ensure your project complies with corporate legal policies.
Enabling Security Scans in Pipelines
Activating SAST and Secret Detection is incredibly simple. You don’t need to write complicated scanner scripts; instead, you include the official templates provided by GitLab:
```yaml
# Include official GitLab Security Templates
include:
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml

stages:
  - test

# GitLab's templates will automatically spawn jobs (e.g. semgrep-sast)
# that run in the 'test' stage!
```
Reviewing Vulnerabilities inside Merge Requests
When a developer pushes changes, the security scan runs in the background. Once completed, a dedicated Security Report Card appears directly inside the Merge Request UI showing:
- New vulnerabilities introduced by this change (segmented by severity: Critical, High, Medium, Low).
- Direct location details (e.g., file path and line number).
- Remediation suggestions (e.g. "Upgrade npm package 'lodash' from 4.17.20 to 4.17.21 to resolve prototype pollution vulnerability").
This allows developers to fix their bugs BEFORE their code is pushed to production!
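The severity segmentation described above can also be enforced from a pipeline job that reads the scanner's JSON report artifact and fails when findings at or above a chosen severity are present. The following is an added example (not GitLab's own code); it assumes the artifact follows the `vulnerabilities[].severity` and `vulnerabilities[].location` shape of GitLab's security report JSON, and the embedded report is a constructed sample.

```python
"""Severity gate over a GitLab security report artifact (added example)."""
import json
from collections import Counter

# Constructed sample in the shape of a gl-sast-report.json / secret detection
# report: a top-level "vulnerabilities" list with "severity" and "location".
SAMPLE_REPORT = json.dumps({
    "version": "15.0.0",
    "vulnerabilities": [
        {"id": "a1", "category": "sast", "name": "SQL injection",
         "severity": "Critical", "location": {"file": "app/db.py", "start_line": 42}},
        {"id": "b2", "category": "sast", "name": "Weak hash algorithm",
         "severity": "Medium", "location": {"file": "app/auth.py", "start_line": 7}},
        {"id": "c3", "category": "secret_detection", "name": "AWS access key",
         "severity": "High", "location": {"file": "config/.env", "start_line": 1}},
    ],
})

# GitLab's severity names, most severe first; anything else ranks last.
SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "Info", "Unknown"]

def rank(severity):
    """Position of a severity in SEVERITY_ORDER (unknown names sort last)."""
    return SEVERITY_ORDER.index(severity) if severity in SEVERITY_ORDER else len(SEVERITY_ORDER)

def load_findings(report_text):
    """Return the findings list from the report's JSON text (empty if absent)."""
    return json.loads(report_text).get("vulnerabilities", [])

def count_by_severity(findings):
    """Count findings per severity, mirroring the MR report card segmentation."""
    return Counter(f.get("severity", "Unknown") for f in findings)

def blocking_findings(findings, threshold="High"):
    """Findings at or above `threshold`, i.e. the ones that should fail the gate."""
    return [f for f in findings if rank(f.get("severity", "Unknown")) <= rank(threshold)]

def describe(f):
    """One-line location detail, as shown in the MR widget."""
    loc = f.get("location", {})
    return f"[{f.get('severity')}] {f.get('name')} at {loc.get('file')}:{loc.get('start_line')}"

def gate(report_text, threshold="High"):
    """Return (passed, messages); a CI job exits non-zero when passed is False."""
    blocking = blocking_findings(load_findings(report_text), threshold)
    return (not blocking, [describe(f) for f in blocking])

if __name__ == "__main__":
    import sys
    passed, messages = gate(SAMPLE_REPORT)
    print("\n".join(messages) or "no blocking findings")
    sys.exit(0 if passed else 1)
```

In a real pipeline the job would read the artifact file produced by the scanner job (e.g. via `needs:` and `artifacts:`) instead of the embedded sample.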
GitLab Vulnerability & Compliance Dashboards
For security teams, GitLab Ultimate offers central Vulnerability Dashboards at the Group and Instance levels. Security officers can audit vulnerability trends across hundreds of corporate projects simultaneously, dismiss false positives, create Jira issues directly, and monitor licensing compliance in real time.