GitLab has announced a number of new security and compliance features and enhancements to its platform that are intended to help organizations secure the software supply chain.
The new capabilities include security policy management, compliance management, events auditing, and vulnerability management. A dependency management capability to help developers track vulnerabilities in dependencies they are using will be available at a later date. Organizations will be able to automatically scan for vulnerabilities in source code, containers, dependencies, and applications in production, GitLab says.
The increased focus on governance will help organizations identify risks by providing them with visibility into their projects and the dependencies in use, security findings, and user activities, GitLab says. The platform will be able to track changes and implement controls to define what goes into production, helping organizations ensure that they are adhering to license compliance and regulatory frameworks.
The new enhancements are designed to provide developers with tools to proactively scan for vulnerabilities and implement controls to secure applications. Developers also have access to actionable and relevant secure coding guidance within the GitLab platform.
"With the recent addition of GraphQL schema support in 15.4, these API security scans help secure applications with minimal configuration compared to prior releases," GitLab says. "Additional application security scanners include static application security testing, secret detection, container scanning, dependency scanning, infrastructure-as-code scanning, and coverage-guided fuzz testing."
GitLab promises upcoming features, such as a mechanism to parse and ingest existing software bill of materials data from third parties to create a comprehensive software bill of materials for the project, as well as the ability to cryptographically sign both the build artifact and attestation file to prove builds have not been altered. Another upcoming feature will allow GitLab administrators and group owners to create new customized roles with granular permissions to help security teams align role-based access control with the organization's policies.
The security of the software supply chain is increasingly top of mind for security professionals. For 70% of all respondents in Dark Reading's "State of Supply Chain Threats" survey in August, supply chain security was among the top five security priorities. In the same vein, GitLab's "2022 Global DevSecOps Survey," released earlier this year, found security was the highest budget priority for organizations.