Amazic helps you speed up your cloud journey, and that takes a lot of useful tools. One of them is GitLab. At the end of May, version 13.0 was released. This release contains many improvements that further increase developer productivity, with a strong focus on security. In this article I explore the most important new features.
GitLab – a short introduction
GitLab is a popular CI/CD (orchestration) tool that helps development, security and operations teams collaborate and build software. Its aim is to reduce the lead time of the software development lifecycle, from business idea to deployment. Doing so lowers process costs and shortens the time to market of (new) applications. GitLab uses the following slogan to emphasize its philosophy:
Manage your toolchain before it manages you
From a solution perspective, GitLab comes as a single application that serves as a complete DevOps platform. It is open core: organizations can host it themselves and start with the free Core edition, whose source code is open. As their demand grows they can move to the Starter, Premium or Ultimate edition, each with a different price per user per month and a different level of support. Unsurprisingly, the Ultimate edition has the most features.
Improved DevSecOps experience
As a developer you want quick feedback on the feature you are working on, and reliable access to your code is a precondition for that. Earlier versions of GitLab stored Git repositories on NFS (Network File System). From version 13.0 onwards GitLab supports Gitaly Clusters instead. These clusters provide high availability through improved leader election and asynchronous replication, so another node takes over when one fails. Horizontally distributed reads of Git repositories, to make better use of CPU and memory, are planned for a future release. Without access to the source repositories every other process stops, so fewer outages of this component mean fewer outages for developers.
The CI/CD component of GitLab is called GitLab CI. Its Auto DevOps feature, which configures a ready-to-use delivery pipeline so developers no longer have to assemble one by hand, can now also deploy to Amazon ECS (Elastic Container Service). Auto DevOps is available in all GitLab editions from Core to Ultimate, so every organization can start using it.
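As an added illustration (my own example, not taken from the article and not GitLab's own template), this is the shape of a minimal .gitlab-ci.yml that enables Auto DevOps and points its deploy stage at ECS. The AUTO_DEVOPS_PLATFORM_TARGET switch and the CI_AWS_ECS_* variable names are assumptions to verify against the Auto DevOps documentation of the version you run; the cluster, service and task definition names are placeholders.

```yaml
# Added example: enable Auto DevOps and target Amazon ECS.
# Variable names are assumptions; check them against the GitLab docs.
include:
  - template: Auto-DevOps.gitlab-ci.yml

variables:
  # Assumed switch that tells the Auto DevOps deploy jobs to use ECS
  # instead of a Kubernetes cluster.
  AUTO_DEVOPS_PLATFORM_TARGET: ECS
  # Non-secret ECS identifiers (placeholder values, assumed names).
  CI_AWS_ECS_CLUSTER: my-cluster
  CI_AWS_ECS_SERVICE: my-service
  CI_AWS_ECS_TASK_DEFINITION: my-task-definition
  # Deliberately NOT defined here:
  #   AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_DEFAULT_REGION
  # Store those as masked, protected CI/CD variables in the project settings
  # so they never enter the repository, a merge request or the job log.
```

The IAM principal behind those credentials should be allowed to update only this cluster's service and task definition; a key with broad ECS or IAM rights in a CI variable is exactly the kind of secret that later sections of this article warn about.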
Big focus on security
As mentioned before, security is not an afterthought in this release; it runs through most of the new features.
Perhaps the biggest challenge with vulnerabilities is managing them efficiently. Keeping track of vulnerabilities in every component that makes up an application stack is a daunting task, and many applications re-use components.
GitLab addresses this with the Standalone Vulnerability Objects feature. The main improvements of this new security model are:
- Every vulnerability has its own unique URL instead of being one entry in a long list of scan results. A stable URL makes it easier to spot duplicates, to prioritize and to track progress. Prioritization is the biggest value-add of security scanning: knowing what to fix first matters.
- Every vulnerability can be given a status: Detected, Confirmed, Dismissed or Resolved. That makes the list far easier to analyze, shows at a glance whether a fix is already in progress, and avoids re-triaging the same finding when a component is re-used.
- Trends: scan results are now persistent, so earlier results are no longer overwritten. This makes it possible to follow vulnerability trends over time.
Until now there was no easy way to export a list of vulnerabilities. It can now be exported as CSV, for a single project or for a list of projects. The exported file can feed compliance reports or serve as a data source for external dashboards; think of Compliance as Code.
If you want to know where a vulnerability finding comes from, browse the vulnerability database. GitLab now also documents how this database is constructed, what is scanned and how often the database is updated. In short, it gives you clarity about what goes on under the hood of vulnerability scanning.
All of these features are part of the Ultimate edition.
SAST and DAST improvements
Security tests of software components should run in multiple stages of the pipeline.
SAST stands for Static Application Security Testing (analysis of the source code) and DAST for Dynamic Application Security Testing (probing a running application).
SAST scans can now also check .NET Framework projects instead of only .NET Core projects. At the time of writing only Linux runners (which execute these scans) are supported; support for Windows runners is planned for a future version.
GitLab 13.0 extends DAST to REST APIs: if the running application publishes an OpenAPI specification of its endpoints, DAST can use it to drive the scan. DAST checks the attack surface of a running application, so it complements SAST rather than replacing it. You can also view and download the list of components that are scanned.
Easier to use audit events
Incidents happen everywhere, and you need to track them to prevent real problems later. Auditing is often needed for this as well. GitLab now supports a filtered search for instance-level audit events, so you can quickly find the relevant events without digging through a large pile of unrelated ones. That speeds up troubleshooting. This feature is available in the Starter, Premium and Ultimate editions.
A small but important improvement: receive an email when a user signs in from a new or different IP address. This helps to detect potentially malicious activity, which in turn further protects valuable source code. All GitLab editions ship with this feature. Such an email only helps if someone acts on it, so treat an unexplained sign-in notification as a trigger to verify the session and rotate the credentials.
Not a security feature as such, but an important one for preventing (security-related) issues: you now get a warning when you close an issue that still has an open blocking issue (e.g. a security issue) attached to it. You no longer need to look up the blocking issue manually either, since GitLab links to it directly. One manual step removed.
Do you remember the article Your secrets are (probable) everywhere – and that shouldn’t be? Committing secrets to a source code repository is easy and convenient, and a bad idea. A secret can be removed from the working tree in the next commit, but it remains in the commit history, where anyone who can clone the repository can still read it. GitLab is now able to scan the full history of a Git repository for secrets. Organizations that enable secret detection will clearly benefit from it. Keep in mind that a detected secret must be treated as compromised: rotate it first, and only then rewrite history if you want it gone. Be sure to check out the walk-through video which shows you how to set it up.
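The following is an added example (mine, not code from the article or a GitLab template) of a .gitlab-ci.yml that runs the three scanners discussed in this and the SAST/DAST section above without Auto DevOps: SAST on a .NET project, DAST driven by an OpenAPI document, and secret detection over the full commit history. The template names, DAST_API_SPECIFICATION and SECRET_DETECTION_HISTORIC_SCAN are taken from memory of the documentation and should be verified for your version (in some versions the secret scanner ships inside the SAST template rather than as its own template); the staging URLs are placeholders.

```yaml
# Added example (not GitLab's own template): explicit security scans.
# Template and variable names must be checked against your GitLab version.
# These jobs run Docker images, so they need a Linux runner with the
# docker executor (no Windows runner support for .NET Framework SAST yet).
stages:
  - test
  - dast   # the DAST job from the template runs in this stage

include:
  - template: SAST.gitlab-ci.yml              # static analysis; .NET Framework from 13.0
  - template: Secret-Detection.gitlab-ci.yml  # drop if your SAST template already runs it
  - template: DAST.gitlab-ci.yml              # dynamic scan of a deployed instance

variables:
  # DAST must target a deployment you own (placeholder URL). A job that
  # deploys to this staging environment belongs in a stage before "dast";
  # it is omitted here. Never aim DAST at production or at someone else's host.
  DAST_WEBSITE: https://staging.example.com
  # OpenAPI document listing the REST endpoints DAST should exercise.
  DAST_API_SPECIFICATION: https://staging.example.com/openapi.json
  # Scan every commit in the repository's history, not only the change under
  # test. The first run on a large repository takes considerably longer.
  SECRET_DETECTION_HISTORIC_SCAN: "true"
```

Once the first full-history run is clean, the historic flag can be dropped again so that later pipelines only scan new commits; the findings from the first run are the list of credentials that need rotating, regardless of whether they are later purged from history.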
Increased support for Container Network Policies
Container Network Policies control the traffic to and from your running containers. GitLab now offers a way to export the network policy logs to a SIEM or another central logging solution. That makes it much easier to evaluate the policies, so you can detect, test and fine-tune them, reduce false positives and spot anomalies in the rules. Use the Operations – Kubernetes menu to enable the SIEM integration.
Web Application Firewall (WAF)
Yet another SIEM integration: it is now possible to export Web Application Firewall (WAF) logs so developers can analyze what the firewall produces. This also helps to detect anomalies and reduce false positives. You need to enable Fluentd from the same menu as mentioned above.
More to explore
The list of new features goes on. Apart from the security-related features and improvements, several other aspects are worth mentioning:
- GitLab already supported roadmaps as a planning tool; it is now also possible to view the hierarchy of epics, which gives a clearer overview of important milestones.
- Infrastructure-as-code practitioners who use Terraform will love the new HTTP backend for Terraform state. It frees them from setting up a separate backend for state files. Handling the state file consistently is crucial, and a shared, locked backend reduces conflicts when managing infrastructure resources.
- Related to the previous point: the summary of a Terraform plan can now be shown in merge requests, so you can quickly judge the impact of a pending change.
- Filter out large files when cloning a repository. Sometimes a large file ends up in a Git repository, and build times increase significantly when the source is fetched for every commit. You can now filter out large binary files to speed this up.
- Protect important Docker images. Define policies to prevent the deletion of important images from the container registry, using a regular expression to specify which image tags must be kept. Less rework to rebuild an image after a mistake.
- Puma is the new default web application server, which also led to a change in the name of the Helm chart component. Puma improves memory and CPU utilization and thus saves infrastructure costs in the public cloud. If you prefer the previous web application server, you can switch back to Unicorn.
- 26 major bug fixes. For all the details, check the release announcement.
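To show how the two Terraform items above fit together in practice, here is an added example of mine (not from the article and not GitLab's own template) of a pipeline that keeps Terraform state in GitLab's HTTP backend and reports a plan summary to the merge request. The state URL scheme, the backend-config flags and the report format are reconstructed from memory of the GitLab documentation and should be verified for your version; the image choice, the assumption that it is Alpine-based (for apk), and the state name are my own.

```yaml
# Added example: Terraform state in GitLab's HTTP backend, plus a plan
# summary reported to the merge request. Reconstructed from memory of the
# GitLab docs; verify the state URL and report format for your version.
# The .tf files only need:  terraform { backend "http" {} }
image:
  name: hashicorp/terraform:light
  # The image's entrypoint is the terraform binary; reset it so the runner
  # can execute ordinary shell commands.
  entrypoint:
    - /usr/bin/env
    - PATH=/bin:/usr/bin:/usr/local/bin

stages:
  - validate
  - plan

variables:
  TF_STATE_NAME: production   # placeholder; use one state name per environment
  TF_ADDRESS: ${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/terraform/state/${TF_STATE_NAME}

before_script:
  # jq is used below to reduce the plan; assumes an Alpine-based image.
  - apk add --no-cache jq
  # Authenticate with the short-lived job token instead of a personal access
  # token, so no long-lived credential for state access is stored anywhere.
  - >
    terraform init
    -backend-config="address=${TF_ADDRESS}"
    -backend-config="lock_address=${TF_ADDRESS}/lock"
    -backend-config="unlock_address=${TF_ADDRESS}/lock"
    -backend-config="username=gitlab-ci-token"
    -backend-config="password=${CI_JOB_TOKEN}"
    -backend-config="lock_method=POST"
    -backend-config="unlock_method=DELETE"
    -backend-config="retry_wait_min=5"

validate:
  stage: validate
  script:
    - terraform validate

plan:
  stage: plan
  script:
    - terraform plan -out=plan.cache
    # The full JSON plan can contain sensitive attribute values, so only the
    # create/update/delete counts are kept as the artifact shown in the MR.
    - terraform show -json plan.cache > plan-full.json
    - >
      jq -r '([.resource_changes[]?.change.actions?] | flatten)
      | {"create": (map(select(. == "create")) | length),
      "update": (map(select(. == "update")) | length),
      "delete": (map(select(. == "delete")) | length)}'
      plan-full.json > plan.json
  artifacts:
    reports:
      terraform: plan.json
  only:
    - merge_requests
```

Terraform state regularly contains secrets (database passwords, generated keys), so treat the GitLab project that holds it like a credential store: restrict who has Maintainer access, keep the apply step a manual job on a protected branch, and do not publish plan-full.json as an artifact, since anyone who can download job artifacts could then read those values.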
If you are as enthusiastic as I am, be sure to upgrade to version 13.0. Some important notes:
- Upgrade to version 12.10 first, before upgrading to version 13.0.
- PostgreSQL 11 is required; versions 9.6 and 10 are no longer supported. Note that the default timeout period has been temporarily disabled.
- Redis has been updated to version 5.0.9.
- If you customized the web application server configuration, migrate your changes manually.
More upgrade considerations are described on the announcement webpage.
GitLab 13.0 brings a lot of new features. Security-minded organizations will definitely embrace the security-related improvements, and developers are at the center of the other major ones. This makes GitLab a very powerful tool, not to be missed in a DevOps-enabled organization.