Application security testing

  • Tier: Free, Premium, Ultimate
  • Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated

Build security into your development process with GitLab application security testing capabilities. These features help you identify and address vulnerabilities early in your development lifecycle, before they reach production environments.

GitLab application security testing provides comprehensive coverage of both repository content and deployed applications, enabling you to detect potential security issues throughout your software development lifecycle.

GitLab also helps reduce the risk of vulnerabilities being introduced through several protective mechanisms:

Secret push protection
Blocks secrets such as keys and API tokens from being pushed to GitLab.
Merge request approval policies
Enforce an additional approval on merge requests that would introduce vulnerabilities.

For a click-through demo, see Integrating security to the pipeline.

How application security testing works

GitLab detects security vulnerabilities throughout your code, dependencies, containers, and deployed applications. Your project’s repository and your application’s behavior are scanned for vulnerabilities.

Security findings appear directly in merge requests, providing actionable information before code is merged. This proactive approach reduces the cost and effort of fixing issues later in development.

Application security testing can run in several contexts:

During development
Automated scans run as part of CI/CD pipelines when code is committed or merge requests are created.
Outside development
Security testing can be run manually on demand or scheduled to run at regular intervals.

Vulnerability management lifecycle

GitLab assists in the complete vulnerability management lifecycle through key phases:

Detect
Identify vulnerabilities through automated scanning and security testing.
Triage
Evaluate and prioritize vulnerabilities to determine which need immediate attention and which can be addressed later.
Analyze
Conduct detailed analysis of confirmed vulnerabilities to understand their impact and determine appropriate remediation strategies.
Remediate
Fix the root cause of vulnerabilities or implement appropriate risk mitigation measures.

Vulnerabilities are centralized in the vulnerability report and security dashboard, making prioritization and remediation tracking more straightforward for security teams.

Get started

To get started, see Get started securing your application.