Get to know the security and governance updates in GitLab 17, 17.1

4 months ago 26
News Banner

Looking for an Interim or Fractional CTO to support your business?

Read more

With every GitLab release we enhance and optimize security and governance solutions to ensure customers have the tools they need to produce secure and compliant software. Our values of iteration and results for customers drive our release cycles, and GitLab 17 is no exception. We have been releasing every month for the past 153 months straight!

In this article, you'll learn my favorite security and governance enhancements released in GitLab 17 and 17.1 and how they can benefit your organization’s security requirements.

SAST analyzer streamlining

GitLab provides static application security testing (SAST) to examine your source code for known vulnerabilities, detecting vulnerabilities such as SQL injections and cross-site scripting. When SAST kicks off, the programming language used is auto-detected and the appropriate scanner is loaded.

In GitLab 17, SAST scans the same languages, but now with fewer analyzers, offering a simpler and more customizable experience. Language-specific analyzers have been replaced with GitLab-managed rules in the Semgrep-based analyzer for the following languages:

  • C/C++
  • Swift (iOS)
  • Java/Kotlin (Android)
  • Node.js
  • PHP
  • Ruby

Having one analyzer for many different languages makes configurations and writing rules easier than ever. See the supported languages and frameworks documentation for more information.

Watch this video to learn more:

<!-- blank line --> <figure class="video_container"> <iframe src="https://www.youtube.com/embed/_80z6mZmzek?si=i9yPQttxuwVcb7Ye" frameborder="0" allowfullscreen="true"> </iframe> </figure> <!-- blank line -->

Android dependency scanning

In modern software development, many applications are built from multiple dependencies that are best at performing their intended function. For example, rather than writing a YAML parser, a developer will use a library that parses YAML. This allows developers to focus on the main goal of their application, rather than spending time on utility functions.

While the use of dependencies speeds up efficiency, they can be difficult to manage and could introduce vulnerabilities to your application. For this, GitLab provides dependency scanning, which analyzes dependencies for known vulnerabilities.

Many organizations are using dependencies even when creating native mobile applications. In GitLab 17, we introduced Android dependency scanning to bridge the gap. Android dependency scanning can be easily added as a CI/CD catalog component – just include the following code in your .gitlab-ci.yml:

include: - component: gitlab.com/components/android-dependency-scanning/[email protected] inputs: stage: test

This job will also generate a CycloneDX software bill of materials (SBOM) report, which may be necessary for compliance. Make sure to scan your Android dependencies as soon as possible, as there are many CVEs out there.

Watch this video to learn more: <!-- blank line --> <figure class="video_container"> <iframe src="https://www.youtube.com/embed/_80z6mZmzek?si=DdB7j4NAenl-UcrJ" frameborder="0" allowfullscreen="true"> </iframe> </figure> <!-- blank line -->

Learn more SBOMs and dependencies with our ultimate guide to SBOMs.

Custom roles and granular security permissions updates

GitLab provides custom roles to allow organizations to create user roles with the precise privileges and permissions to meet their needs. This enables organizations to implement the principle of least privilege to adhere to various compliance standards.

custom roles screenshot

In GitLab 17, managing custom roles has become easier than ever. You can now edit a custom role and its permissions directly from the UI, whereas, in the past, the role needed to be recreated. Also, for those using GitLab self-managed, custom roles are now managed at the instance level, allowing administrators to create the roles, and group owners to assign them.

Watch this video to learn more:

<!-- blank line --> <figure class="video_container"> <iframe src="https://www.youtube.com/embed/glvvCoc2hkc?si=dl_SwQ7tyVdzirH5" frameborder="0" allowfullscreen="true"> </iframe> </figure> <!-- blank line -->

There have also been several UX improvements added to this feature along with the introduction of the following permissions:

  • assign security policy links
  • manage and assign compliance frameworks
  • manage webhooks
  • manage push rules
  • manage merge request settings (17.1)
  • manage integrations (17.1)
  • manage deploy tokens (17.1)
  • read CRM contacts (17.1)

GitLab releases usually include new permissions to further enable the implementation of the principle of least privilege. To learn more about the available granular security permissions, visit the available custom permission documentation.

Secret detection updates

Developers may accidentally commit secrets like keys or API tokens to Git repositories from time to time. After a sensitive value is pushed to a remote repository, anyone with access to the repository can impersonate the authorized user of the secret and cause mayhem. When this occurs the exposed secrets must be revoked and replaced to address this risk, which can cause system downtime.

GitLab provides secret detection to address this risk, and in GitLab 17 it’s gotten even better with the following enhancements:

In GitLab 17.1, secret push protection is now in Beta. Secret push protection checks the content of each commit pushed to GitLab. If any secrets are detected, the push is blocked and displays information about the commit. Therefore, a developer does not need to do the extra work of removing and rotating secrets, since they are never committed upstream.

Push block eue to detected secret

When push protection occurs, you can see it displays additional information on the commit, including:

  • the commit ID that contains the secret
  • the filename and line number that contains the secret
  • the type of secret

Note: Enabling secret push protection is as easy as flipping a switch in GitLab Security Configuration.

Watch this video to learn more:

<!-- blank line --> <figure class="video_container"> <iframe src="https://www.youtube.com/embed/ZNtwXVj3tA8?si=4xJ1rWdThpVjvebv" frameborder="0" allowfullscreen="true"> </iframe> </figure> <!-- blank line -->

Container registry updates

GitLab provides a built-in container registry, making it easy for developers to store and manage container images for each GitLab project without context switching. GitLab 17.1 includes several features to enhance the security and efficiency of using the registry:

Signed container details

Additionally we’ve introduced container scanning for the registry. The container images being used in your application may themselves be based on other container images that contain known vulnerabilities. Since developers heavily make use of the built-in container registry, it is a no-brainer to introduce container scanning for the registry.

Container scanning for the registry can be easily enabled by flipping a switch in GitLab Security Configuration. Once it’s enabled, whenever a container image is pushed to the container registry in your project, GitLab checks its tag. If the tag is latest, then GitLab creates a new pipeline that scans the image and even produces a CycloneDX SBOM.

Note: At the moment, a vulnerability scan is only performed when a new advisory is published. We are working to detract all vulnerabilities in the registry itself in future iterations.

Watch this video to learn more:

<!-- blank line --> <figure class="video_container"> <iframe src="https://www.youtube.com/embed/Zuk7Axs-CRw?si=odlgT5HWv_KOnBtq" frameborder="0" allowfullscreen="true"> </iframe> </figure> <!-- blank line -->

API security scanning updates

While SAST does a great job of finding vulnerabilities in static source code, there can still be vulnerabilities present in the running application that cannot be detected in source code, such as broken authentication and security misconfigurations. For these reasons, GitLab provides dynamic application security testing (DAST) and Web API fuzzing to help discover bugs and potential security issues that other QA processes may miss.

In GitLab 17, we’ve introduced several enhancements to our dynamic scanners which target Web APIs, including:

  • system environment variables are now passed from the CI runner to the custom Python scripts used for certain advanced scenarios (like request signing)
  • API Security containers now run as a non-root user, which improves flexibility and compliance
  • support for servers that only offer TLSv1.3 ciphers, which enables more customers to adopt API security testing.
  • scanner image upgraded to Alpine 3.19, which addresses security vulnerabilities

In GitLab 17.1, additional configuration variables were added to API security scanning and API fuzzing to allow:

  • creation of a comma-separated list of HTTP success status codes that define whether the job has passed
  • disabling of waiting for the target API to become available before scanning begins
  • specifying the expected status code for the API target availability check

Watch this video to learn more:

<!-- blank line --> <figure class="video_container"> <iframe src="https://www.youtube.com/embed/CcyOoBgSPUU?si=hAMQfmUTlLRKhPSg" frameborder="0" allowfullscreen="true"> </iframe> </figure> <!-- blank line -->

Learn more about other enhancements

GitLab 17 and 17.1 also introduced several other security and governance features and enhancements, too many to cover in this blog. Some of these features include:

These are some of the newest security and compliance enhancements provided in GitLab 17 and 17.1 that can be applied to strengthen your organization's security posture! To learn more about GitLab and the other ways we can strengthen your organization's security throughout all parts of the software development lifecycle, check out the following links:

Read Entire Article