Securing the guts of the Gits with GitLab

GitLab is expanding… but what is its position in the total source code repository management universe?

Let’s draw a couple of lines first with a nod to the SESYNC research support community for its clarification.

GitHub is a web-based hosting service for version control using Git, used (mostly) for computer code.

GitLab is a web-based Git-repository manager with wiki, issue-tracking and CI/CD pipeline features. It offers a free open source version and a shared-source (or “source-available”) paid version, a model GitLab calls Open Core.

GitLab has a public issue tracker (for both free and paid versions) where anyone can make feature requests and comment on upcoming features.

A load of gits

GitLab provides functionality for the complete software development lifecycle.

According to GitLab product marketing man William Chia, “GitHub is only for source code management and a very lightweight issue tracker. For example, GitLab has built-in CI/CD and GitHub does not – you need another tool to do that. If software development and delivery were a car, GitLab would be the whole car, and GitHub would be the tires.”

GitLab is used by commercial organisations for internal management of their own Git repositories — but, Chia clarifies, both GitLab and GitHub offer self-managed (i.e. internal) and SaaS versions of their product.

Git itself is a source code versioning system in its own right, designed to allow developers to track changes and push or pull changes to and from remote repositories.

GitLab exists as one of the most popular services of its kind, although it should be noted that Bitbucket also exists in this space.

Definitions over, then: GitLab Inc (the company behind the product) calls itself an integrated product for the entire DevOps lifecycle.

GitLab Inc has now acquired Gemnasium, a company that provides software to help developers mitigate security vulnerabilities in open source code.

GitLab says Gemnasium’s security scanning functionality will fit natively into GitLab’s CI/CD pipelines – as in Continuous Integration / Continuous Delivery – to perform automated application security testing.

Dependency tree [roots]

According to GitLab, as the dependency tree [roots] of open source software grow deeper, it can be daunting or even impossible for developers to keep track of which software they are using and what ramifications its use may have on the business.
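As an added illustration of the dependency-tree problem described above (this is not code from the article, nor from GitLab or Gemnasium), the following Python walks a constructed dependency graph, computes the full transitive closure, and checks every package in it against a constructed advisory list, which is the core of what a dependency scanner in a CI/CD pipeline does. All package names, versions and advisory ids are made up.

```python
# Added example: resolve the transitive dependency closure of a constructed
# manifest and flag packages matching a constructed advisory feed.
from collections import deque

# Constructed manifest: the application's direct dependencies (hypothetical names).
DIRECT_DEPS = {"webframework": "2.1.0", "imagelib": "0.9.4"}

# Constructed registry: what each package version itself depends on.
REGISTRY = {
    ("webframework", "2.1.0"): {"templating": "1.4.2", "httpclient": "3.0.1"},
    ("imagelib", "0.9.4"): {"compression": "1.1.0"},
    ("templating", "1.4.2"): {"escapeutil": "0.3.0"},
    ("httpclient", "3.0.1"): {"compression": "1.1.0", "tlsshim": "2.2.5"},
    ("compression", "1.1.0"): {},
    ("escapeutil", "0.3.0"): {},
    ("tlsshim", "2.2.5"): {},
}

# Constructed advisory feed: (package, affected version) -> placeholder advisory id.
ADVISORIES = {("compression", "1.1.0"): "ADVISORY-PLACEHOLDER-1",
              ("escapeutil", "0.3.0"): "ADVISORY-PLACEHOLDER-2"}

def resolve_closure(direct, registry):
    """Breadth-first walk from the direct deps. Returns {(name, ver): depth},
    depth 1 being a direct dependency; a shared dep keeps its shallowest depth."""
    seen = {}
    queue = deque((name, ver, 1) for name, ver in direct.items())
    while queue:
        name, ver, depth = queue.popleft()
        if (name, ver) in seen:
            continue
        seen[(name, ver)] = depth
        for dep_name, dep_ver in registry.get((name, ver), {}).items():
            queue.append((dep_name, dep_ver, depth + 1))
    return seen

def scan(direct, registry, advisories):
    """Return sorted (name, version, depth, advisory) for every package in the
    closure that has an advisory. Hits at depth > 1 are the ones a developer
    reading only the manifest would never see."""
    closure = resolve_closure(direct, registry)
    return sorted((n, v, d, advisories[(n, v)])
                  for (n, v), d in closure.items() if (n, v) in advisories)

if __name__ == "__main__":
    for name, ver, depth, adv in scan(DIRECT_DEPS, REGISTRY, ADVISORIES):
        kind = "direct" if depth == 1 else f"transitive (depth {depth})"
        print(f"{name} {ver}: {adv} [{kind}]")
```

Neither flagged package appears in the manifest; both are only reachable through other dependencies, which is exactly the visibility gap the scanner closes.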

Sid Sijbrandij, CEO of GitLab, has said that GitLab has already begun adding native security functionality, such as Static Application Security Testing (SAST) in the 10.3 release, along with Dynamic Application Security Testing (DAST) and Container Scanning in the 10.4 release.