GitLab: DevSecOps in Practice

A detailed look at the challenges and successes of GitLab.

Key Metrics at a Glance

  • 100+ deployments/day: continuous delivery of changes to production.
  • Security feedback in minutes: developers receive results from automated security scans within minutes, directly in their Merge Request.

The Problem in Detail: How Did It Come to This?

Traditional security workflows, where a separate team tests at the end of the cycle, were too slow for GitLab's rapid, iterative development.

The Solution: A Strategic Approach

GitLab practices DevSecOps by integrating security into every step of its own CI/CD pipeline. Every Merge Request automatically goes through a series of security scans: Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), dependency scanning, and container scanning. Results are displayed directly in the Merge Request, allowing developers to fix them immediately.

Key Learnings

  • Security must be a shared responsibility, not that of a separate team.
  • Automated, fast feedback in the developer workflow is the most effective way to build secure software.
  • The CI/CD pipeline is the ideal place to enforce security gates.
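The pipeline described above (SAST, DAST, dependency, container and secret scanning on every Merge Request) and the "security gate" learning can be expressed as a single `.gitlab-ci.yml`. The following is an added example, not GitLab's own configuration: the `include` template names, the `DAST_WEBSITE` and `CS_IMAGE` variables, the `CI_REGISTRY_*` variables and the `gl-sast-report.json` report name are GitLab's documented ones; the `build-image` job, the `security_gate` job, its Critical/High threshold, the review-app URL and the `.sast` override that keeps the report as a downloadable artifact are this example's assumptions.

```yaml
# Added example: wiring GitLab's security scan templates into an MR pipeline
# and adding an explicit gate stage that fails on Critical/High SAST findings.
stages:
  - build
  - test      # GitLab's SAST, dependency, container and secret scans run here
  - dast      # GitLab's DAST template runs here, against a deployed instance
  - gate      # this example's own stage: block the MR on serious findings

include:
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  - template: Security/Container-Scanning.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml
  - template: Security/DAST.gitlab-ci.yml

variables:
  # Constructed review-environment URL; DAST needs a running application to probe.
  DAST_WEBSITE: "https://review-app.example.invalid"
  # Container scanning inspects the image the build stage pushed to the project registry.
  CS_IMAGE: "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"

# Hypothetical build job: publishes the image that container scanning and DAST use.
build-image:
  stage: build
  image: docker:24
  services:
    - docker:24-dind
  script:
    - docker build -t "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA" .
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
    - docker push "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"

# Assumption: report artifacts (artifacts:reports) are not downloaded by later jobs,
# so the hidden .sast job is extended with artifacts:paths to keep the JSON report
# available to the gate stage. GitLab merges this with the template's definition.
.sast:
  artifacts:
    paths:
      - gl-sast-report.json

# Security gate: turn scan results into a hard pipeline failure, so the MR cannot
# be merged while Critical or High SAST findings are present.
security_gate:
  stage: gate
  image: alpine:3.19
  allow_failure: false
  before_script:
    - apk add --no-cache jq
  script:
    - |
      if [ ! -f gl-sast-report.json ]; then
        echo "SAST report missing; refusing to pass the gate without scan results"
        exit 1
      fi
      # Severity values in GitLab's report schema: Critical, High, Medium, Low, Info, Unknown.
      blocking=$(jq '[.vulnerabilities[] | select(.severity == "Critical" or .severity == "High")] | length' gl-sast-report.json)
      echo "Blocking SAST findings (Critical/High): $blocking"
      if [ "$blocking" -gt 0 ]; then
        # List the offending findings so the developer sees them in the job log too.
        jq -r '.vulnerabilities[]
               | select(.severity == "Critical" or .severity == "High")
               | "\(.severity)\t\(.location.file):\(.location.start_line)\t\(.name)"' gl-sast-report.json
        exit 1
      fi
```

The scan templates themselves use `allow_failure: true`, so findings alone never break the pipeline; they only surface in the Merge Request widget. The separate `gate` job is what turns a threshold into an enforced control, and because it reads the same report the widget shows, the developer gets the fast feedback the page describes and a blocking decision from one scan run. A fully managed alternative inside GitLab is a merge request approval policy (Policy as Code in the list below), which enforces the same kind of threshold without a custom job.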

Technologies & Concepts Used:

  • DevSecOps
  • CI/CD
  • GitLab CI
  • SAST
  • DAST
  • SBOM
  • Policy as Code
  • Secrets Management