GitLab 14.3 Adds Security Scan Policies
Written by Kay Ewbank   
Thursday, 30 September 2021

GitLab, the web-based repository manager for Git, has been updated with improvements including project-level security scan execution policies and improved SAST to reduce Ruby false positives. GitLab provides issue-tracking, continuous integration, and deployment pipeline support.

Version 14.3 also adds group-level permissions for protected environments and group access for the GitLab Kubernetes Agent.


The project level security policy is described by the developers as being the first iterative step toward their vision of bringing unified security policies to GitLab. Users can now require DAST and secret detection scans to run on a regular schedule or as part of project CI pipelines. This can be used by security teams to separately manage these scan requirements without developers changing the configuration.

The second change of note is the ability to set and use group-level permissions for protected environments. This can be used to set permissions based on the deployment level, so that deployments can be locked down for higher-tiers such as production environments, while still letting developers test and change individual projects.

Another improvement is to the GitLab Kubernetes agent. This provides a secure connection between a Kubernetes cluster and GitLab. Until now, you could only push to a cluster from the same project where the Kubernetes Agent was registered using the CI/CD Tunnel. In GitLab 14.3, the Agent can be authorized to access entire groups, meaning that every project under the authorized group has access to the cluster without the need to register an agent for every project.

Ruby support has also been improved with the addition of better SAST to reduce Ruby false positives.  The GitLab team says that GitLab's SAST has until now used over a dozen open-source static analysis security analyzers. The vulnerabilities they can identify range from basic regex pattern matching to abstract syntax tree parsing which can lead to issues with false positives. Developers could already dismiss these false positives, but the improvements mean this will now be automated. This first version of GitLab's proprietary static application security testing engine has been developed in-house and maintained by GitLab’s Static Analysis and Vulnerability Research groups. Initially, this tool is focused on Ruby and Rails to help reduce false positives, but will be extended in future releases.

GitLab 14.3 is available now.


More Information

GitLab Homepage

Related Articles

GitLab 14 Offers DIY DevOps Alternative

GitLab Goes Serverless

GitLab Adds Security Dashboards

GitLab Adds Auto DevOps

InkScape Moves To GitLab


To be informed about new articles on I Programmer, sign up for our weekly newsletter, subscribe to the RSS feed and follow us on Twitter, Facebook or Linkedin.


Microsoft Launches SharePoint Embedded

Microsoft has launched SharePoint Embedded, a new API-only cloud-based file and document management system that can be used by app developers to make use of the Microsoft 365 file and document storage [ ... ]

GameMaker Free For Non-Commercial Use

GameMaker, for creating 2D platform games and now part of the Opera family, has made a change to its prices and terms and it is good news. GameMaker is now free for non-commercial purposes on all [ ... ]

More News




or email your comment to:

Last Updated ( Thursday, 26 October 2023 )