Security and compliance

End-to-end security and compliance, built right into the platform your developers already use.

Contact sales

Try GitLab Ultimate for free

Trusted By

Ship with speed and Security

GitLab is the only platform that has all the security functionality that you need — for applications and APIs.

Strengthen security and compliance with AI

Only GitLab provides AI throughout the software development lifecycle to help developers write more secure code — from AI-powered code suggestions and vulnerability explanations to AI-assisted generation of merge requests containing the changes required to mitigate vulnerabilities.

Learn more

Streamline identity and access management

Create a seamless experience for users to access security capabilities across the software development lifecycle — instead of logging into multiple separate tools, teams can authenticate into one secure platform.

Mitigate risk with secret detection

Empower developers to proactively identify and remove leaked secrets in issue and epic descriptions to prevent credentials and other sensitive information from being visible to potential attackers.

Manage vulnerabilities where developers work

Scan commits for secrets in the IDE before pushing to production and pull security findings into the IDE after pipelines run — so developers don’t have to switch to a different tool to identify and fix vulnerabilities.

Test and protect APIs

Identify and remediate API vulnerabilities before they make it to production to make APIs safer and reduce data breach risks.

Automate scan enforcement and approvals

Use security policies to require specific security scans to run, or to ensure that particular security, legal, or compliance requirements are met before a merge request can be merged into the default branch.

Learn more

Developer-first security. More secure development.

Application & API Security

Access the full breadth of security scanning in a single platform

Pre-build scanning

Check code for security compliance before deployment with secret detection, static application security testing (SAST), infrastructure as code (IaC) scanning, dependency scanning, and license compliance.

Post-build scanning

Simulate hacker inputs and activity in your application with API security testing, operational container scanning, dynamic application security testing (DAST), and fuzz testing.

Software Supply Chain Security

Stay ahead of threats and deliver software faster

Learn more

Dynamic SBOM management

Automatically create a standard software bill of materials (SBOM) with each container or dependency scan, or import an SBOM from your preferred tool — and easily combine multiple CycloneDX SBOMs into one.

Continuous vulnerability scanning

Protect your organization against zero-day attacks by continuously scanning your applications for known open source vulnerabilities, regardless of when your code was last updated.

Compliance & Governance

Enforce compliance at scale

Learn more

Centralized compliance visibility

Get centralized visibility into audit logs, credential security, and how projects adhere to regulatory compliance requirements.

Flexible policy management

Designate specific security scans and CI jobs that developers can't circumvent, and ensure that security, legal, and compliance requirements are met before code is merged.

GitLab had all the features and automation we needed in one application. It simplified our work. With all of the road mapping, issue tracking, and security scanning in one place, it’s hard to even compare it with what we were using before.

Wesley Monroe

Technical Project Manager, CACI

90%

savings in labor/admin

13x

faster security scanning

Read the case study

Explore all security and compliance features

Manage security vulnerabilities, policies, and compliance across your entire organization.

Container Scanning

Scans your container images for known vulnerabilities within the application environment. Image contents are analyzed against public vulnerability databases.Security findings, additional data, and solutions reported in-line with every merge request along with additional data including solutions. Results are presented as a single report. Container Scanning is considered part of Software Composition Analysis.

Security Scanning IDE integration

Container Scanning

Automated solutions for Container Scanning vulnerabilities

Software Composition Analysis

Analyzes external dependencies within your application for known vulnerabilities on each CI/CD code commit. Vulnerabilities, additional data, and solutions are shown in-line with every merge request. Scanner results are collected and presented as a single report. Upon code commit, project dependencies are searched for approved and denied licenses defined by per project custom policies. Software licenses are identified if they are not within policy and are shown in-line for every merge request for immediate resolution.

Security Scanning IDE integration

Dependency Scanning

Automated solutions for Dependency Scanning vulnerabilities

License Compliance

API Security

Secures and protects web Application Programming Interfaces from unauthorized access, misuse, and attacks. Tests for known vulnerabilities by performing penetration testing of APIs with DAST. Finds unknown vulnerabilities by performing Fuzz Testing of web API operation parameters.Users can provide credentials to test authenticated APIs. Vulnerabilities, additional data, and solutions are shown in-line with every merge request.. Scanner results are collected and presented as a single report.

Security Scanning IDE integration

API Security Testing

API Fuzz Testing

On-demand API Security Testing scans

Fuzz Testing

Sends random inputs to an instrumented version of your application in an effort to cause unexpected behavior in order to identify a bug that needs to be addressed. Helps you discover bugs and potential security issues that other QA processes may miss.

Security Scanning IDE integration

Coverage-guided Fuzz Testing

DAST

Runs automated penetration tests to find vulnerabilities in web applications and APIs as they are running. DAST can run live attacks against a Review App, an externally deployed application, or an active API. Scans can be run for every merge request, on a schedule, or even on-demand. DAST supports user inputted HTTP credentials to test private areas of your application. Vulnerabilities, additional data, and solutions are shown in-line with every merge request. Scanner results are presented as a single report.

Security Scanning IDE integration

Dynamic Application Security Testing

On-demand DAST

Site and Scanner profiles for On-demand DAST scans

DAST Configuration UI

Scheduling On-demand DAST scans

DAST

Code Quality

Analyzes your source code quality and complexity. This helps keep your project’s code simple, readable, and easier to maintain.

Code Quality MR Widget

Code Quality Reports

Code Quality violation notices in MR diffs

Secret Detection

Scans your repository to help prevent your secrets from being exposed. Secret Detection scanning works on all text files, regardless of the language or framework used. Code pushed to a remote Git branch can be rejected if a secret is detected.

Security Scanning IDE integration

Secret Detection

Custom Rulesets for Secret Detection

Full Git History Secret Detection

Automatic Response to Leaked Secrets

Secret Push Protection (Beta)

SAST

Scans your application source code and binaries to spot potential vulnerabilities before deployment. SAST supports scanning a variety of different programming languages and automatically chooses the right analyzer even if your project uses more than one language. Vulnerabilities, additional data, and solutions are shown in-line with every merge request. Scanner results are collected and presented as a single report.

Static Application Security Testing

Configuration UI

Security Scanning IDE integration

Custom Rulesets for SAST

Infrastructure as Code (IaC) Security Scanning

Vulnerability Explanation

Helps you remediate vulnerabilities more efficiently, boost your skills, and write more secure code.

Vulnerability Explanation

Vulnerability Resolution

Generates a merge request containing the changes required to mitigate a vulnerability.

Vulnerability Resolution

Release Evidence

Release Evidence provides assurances and evidence collection that are necessary for you to trust the changes you're delivering. When a release is created, GitLab takes a snapshot of relevant release data as evidence that it occurred.

Release Evidence

Compliance Management

Compliance Management provides customers with the tools necessary to ensure and manage their compliance programs.

Compliance pipeline configuration

Custom compliance frameworks

Compliance frameworks report

Customizable system header and footer messages

Require a Jira issue before merging code

Compliance standards adherence report

Violations report

Enforce merge request approval settings

Audit Events

Compliance Management provides customers with the tools necessary to ensure and manage their compliance programs.

Audit events report

Audit events CSV export

Chain of custody report

Auditor access

Streaming Audit Events

Software Bill of Materials

GitLab allows you to secure your software supply chain including push rules, code scanning, SBOM management, and enforcement of compliance policies.

Software Bill of Materials

Dependency Management

Dependency Management allows users to review project/group dependencies and key details about those dependencies, including their vulnerabilities, licenses, and packager.

Dependency Management

Vulnerability Management

Vulnerability Management enables collaboration between security teams by providing a uniform interface to assess the security posture of their applications. Security teams can view, triage, trend, track, and resolve vulnerabilities detected by the various GitLab scanners.

Security Scanning IDE integration

Vulnerability Management

Standalone Vulnerability Objects

Vulnerability Reports

Security Dashboards

Create Jira issues from vulnerabilities

Security Scan summary in Merge Requests

Integrated security training

Security Policy Management

Unified security policy management provides security and compliance teams with a way to enforce controls across their organization for all of GitLab's scanners and security technologies.

Security Policies

Security Approvals

License Approvals

Merge Request Approval Policies

External status checks

Security Policy Scopes