Traditionally, deploying an application often requires assistance from production or DevOps engineers. This integration now empowers developers to handle deployments independently. Whether you’re a solo developer or part of a large team, this setup gives everyone the ability to deploy their applications efficiently.

Overview

• Create a new project in GitLab
• Set up your NodeJS application
• Use the Google Cloud integration to create a Service account
• Use the Google Cloud integration to configure Cloud Run via Merge Request
• Enjoy your newly deployed Java Spring Boot app
• Follow the cleanup guide

Prerequisites

• Owner access on a Google Cloud Platform project
• Working knowledge of JavaScript/TypeScript (not playing favorites here!)
• Working knowledge of GitLab CI
• 10 minutes

Step-by-step guide

1. Create a new project in GitLab

We decided to call our project nodejs–express-cloud-run for simplicity.

2. Upload your NodeJS app or use this example to get started.

Demo

Note: Make sure to include the cloud-run CI template within your project.

3. Use the Google Cloud integration to create a Service account.

Navigate to Operate > Google Cloud > Create Service account.

Also configure the region you would like the Cloud Run instance deployed to.

4. Go to the Deployments tab and use the Google Cloud integration to configure Cloud Run via Merge Request.

This will open a merge request – immediately merge it.

Note: GCP_PROJECT_ID, GCP_REGION, GCP_SERVICE_ACCOUNT, and GCP_SERVICE_ACCOUNT_KEY will all be automatically populated from the previous steps.

5. Voila! Check your pipeline and you will see you have successfully deployed to Google Cloud Run using GitLab CI.

Click the Service URL to view your newly deployed Node server.

In addition, you can navigate to Operate > Environments to see a list of deployments for your environments.

By clicking on the environment called main, you’ll be able to view a complete list of deployments specific to that environment.

6. Next steps

To get started with developing your Node application, try adding another endpoint. For instance, in your index.js file, you can add a /bye endpoint as shown below:

app.get('/bye', (req, res) => {
  res.send(`Have a great day! See you!`);
});

Push the changes to the repo, and watch the deploy-to-cloud-run job deploy the updates. Once it’s complete, go back to the Service URL and navigate to the /bye endpoint to see the new functionality in action.

Follow the cleanup guide

To prevent incurring charges on your Google Cloud account for the resources used in this tutorial, you can either delete the specific resources or delete the entire Google Cloud project. For detailed instructions, refer to the cleanup guide here.

Read more of these helpful tutorials from GitLab solutions architects.

Meson build system

For a long time, Git could be built using either a Makefile-based build system or an Autoconf-based build system. Git developers have been using mostly the Makefile-based build system, so the Autoconf-based build system has lagged behind in features and maintenance. Another issue was that a lot of Windows developers use integrated development environments (IDEs) that don’t have good support for Makefile- and Autoconf-based build systems.

In 2020, support for building Git using CMake was added. CMake added better Windows support and IDE integration, especially for Visual Studio. Some modern build system features like out-of-source builds were also included.

Recently, it appeared the CMake support was also lagging behind and that it might never be a good option to replace the two other build systems. So Patrick Steinhardt, GitLab Git Engineering Manager, implemented support for the Meson build system with the goal of eventually replacing the Autoconf-, CMake-, and maybe the Makefile-based build systems.

The new Meson-based build system has the following advantages:

• Allows users to easily find the available build options, something which is difficult with Makefiles and CMake
• Has a simple syntax compared to Autoconf and CMake
• Supports many different operating systems, compilers, and IDEs
• Supports modern build system features like out-of-source builds

Here is an example of how it can actually be used to build Git:

$ cd git             	# go into the root of Git's source code
$ meson setup build/ 	# setup "build" as a build directory
$ cd build           	# go into the "build" directory
$ meson compile      	# actually build Git
$ meson test         	# test the new build
$ meson install      	# install the new build

Multiple build directories can be set up using meson setup <build_dir>, and the configuration of the build inside a build directory can be viewed or changed by running meson configure inside the build directory.

More information on how to build Git using Meson can be found at the top of the meson.build file in the Git code repository. A comparison of the different build systems for Git is available as part of Git's technical documentation.

This project was led by Patrick Steinhardt.

Git is now memory-leak-free (as exercised by the test suite)

In our Git release blog post about the previous Git 2.47.0 release, we talked about our ongoing effort to fix all memory leaks surfaced by existing tests in the project. We said that prior to the Git 2.47.0 release, the project had 223 test files containing memory leaks, and that this had been whittled down to just 60.

We are pleased to report that the memory leaks in all 60 remaining test files have been resolved. As a result, Git, as exercised by the test suite, is now free of memory leaks. This is an important step towards the longstanding goal of “libifying” Git internal components (which means converting those components into internal libraries). It will also help with optimizing Git for memory usage.

Now, any newly added test must be leak-free by default. It's still possible to have leaking tests, but the authors will have to use an escape hatch for that and provide good arguments why their test cannot be made leak free.

This project was led by Patrick Steinhardt.

Improved bundle URI checks

In our Git release blog post about the Git 2.46.0 release, we talked about some bundle URI fixes by Xing Xin. After those fixes, Xing Xin worked on making it possible for fetches using bundles to be fully checked using the fsck mechanism like regular fetches.

When validating regular fetches, it's possible to specify different severities for different fsck issues to have fine-grained handling of what is accepted and what is rejected in a specific repository. This wasn't possible for fetches using bundles previously.

To further increase the usefulness and safety of bundle-uri, we addressed this problem so that the different severities specified for different fsck issues are now used when checking fetches using bundles, too.

This project was led by Justin Tobler.

Add reference consistency checks

In our Git release blog post about the Git 2.47.0 release, we mentioned Jialuo She's work on adding a new 'verify' subcommand to git-refs(1) which was part of the Google Summer of Code 2024 (GSoC 2024).

In that blog post, we said that eventually the goal was to integrate this new subcommand as part of git-fsck(1) to provide a unified way to execute repository consistency checks. Jialuo She has decided to work on that after his GSoC was over.

The result from this effort is that git-fsck(1) can now detect and handle a number of reference-related issues, like when the content of a reference is bad, when a symbolic link is used as a symbolic reference, or when the target of a symbolic reference doesn't point to a valid reference. We still need to call git refs verify as part of git-fsck(1), and have the former perform all non-backend-specific checks that the latter currently does, but we are closer to our end goal of a unified way to execute all refs consistency checks.

This project was led by Jialuo She.

Iterator reuse in reftables

In the Git 2.45.0 release, the 'reftables' format was introduced as a new backend for storing references (mostly branches and tags). If you are not yet familiar with the reftables backend, check out our previous Git release blog post where the feature was introduced and our beginner’s guide to learn more about how reftables work.

Since that release, we continued to improve this backend, and we recently focused on improving its performance by reusing some internal iterators when reading random references. Before these changes, reading a single reference required us to create a whole new iterator, seek it to the correct location in the respective tables, and then read the next value from it, which can be quite inefficient when reading many references in quick succession. After the change we now only create a single iterator and reuse it to read multiple references, thus saving some overhead.

The result of this work is increased performance in a number of reftables-related use cases, especially a 7% speedup when creating many references in a transaction that performs many random reads. Furthermore, this creates the possibility for more optimizations as we can continue to reuse more state kept in the iterators.

This project was led by Patrick Steinhardt.

Support for reflogs in git-refs migrate

After the 'reftables' backend was introduced in Git 2.45.0 (see the section above), we worked on tooling to migrate reference backends in Git 2.46.0, which consisted of adding a new migrate subcommand to git-refs(1).

Our article about Git 2.46.0 talked about this work and mentioned some limitations that still existed. In particular, the article said:

"The reflogs in a repository are a component of a reference backend and would also require migration between formats. Unfortunately, the tooling is not yet capable of converting reflogs between the files and reftables backends."

We are pleased to report that we have lifted this limitation in Git 2.48.0. Reflogs can now also be migrated with git refs migrate. The migration tool is not yet capable of handling a repository with multiple worktrees, but this is the only limitation left. If you don't use worktrees, you can already take advantage of the reftables backend in your existing repositories.

This project was led by Karthik Nayak.

Ref-filter optimization

The 'ref-filter' subsystem is some formatting code used by commands like git for-each-ref, git branch and git tag to sort, filter, format, and display information related to Git references.

As repositories grow, they can contain a huge number of references. This is why there is work not only on improving backends that store references, like the reftables backend (see above), but also on optimizing formatting code, like the 'ref-filter' subsystem.

We recently found a way to avoid temporarily buffering references and iterating several times on them in the ref-filter code when they should be processed in the same sorting order as the order the backends provide them. This results in memory savings and makes certain commands up to 770 times faster in some cases.

This project was led by Patrick Steinhardt.

Read more

This blog post highlighted just a few of the contributions made by GitLab and the wider Git community for this latest release. You can learn about these from the official release announcement of the Git project. Also, check out our previous Git release blog posts to see other past highlights of contributions from GitLab team members.

• What’s new in Git 2.47.0?
• What’s new in Git 2.46.0?
• What’s new in Git 2.45.0
• A beginner's guide to the Git reftable format

Understanding the upcoming regulatory changes

Acknowledging that the regulatory landscape frequently changes, this article will concentrate on key frameworks in the EU poised to shape the future of banking and financial services. These frameworks not only address current industry challenges but also set the foundation for the development of a more secure and resilient financial ecosystem.

Here are several regulations that are demanding the attention of the financial services industry.

European Cyber Resilience Act (CRA)

Implemented as of January 2024, with a grace period extending for two years, the CRA establishes a comprehensive framework to enhance cybersecurity standards for digital products and services within the EU. This regulation seeks to mitigate the risks of vulnerabilities in software and hardware by ensuring that security is integrated throughout the entire product lifecycle, promoting a proactive “shift left” approach to security. By embedding security measures from the design phase onward, the CRA aims to safeguard the digital economy and bolster consumer trust in digital services.

Digital Operational Resilience Act (DORA)

Taking effect on January 17, 2025, the Digital Operations Resilience Act aims to ensure that financial institutions can withstand, respond to, and recover from all types of information and communication technology related disruptions and threats. The goal is to unify and strengthen the resilience of the financial sector across Europe.

European Data Act

Anticipated to become applicable on September 12, 2025, this regulation seeks to provide clearer rules regarding data use and sharing for AI and the internet of things, or IoT, enhancing data access and fostering innovation in various sectors, including finance.

Implications for banks and financial institutions

As financial institutions adapt to these evolving regulatory frameworks, the implications are significant and far-reaching. For instance, PYMNTS reports 59% of bankers see their legacy systems as a major business challenge. These challenges present obstacles in the delivery of modern services, while hindering their ability to both detect and respond to modern cyber threats. According to the 2024 IBM Data Breach Report, the average cost of a data breach in the financial services sector is a staggering $6.08 million, with breaches taking an average of 258 days to identify and contain. Unfortunately for banks, the most common type of data stolen or compromised was customer personally identifiable information, or PII. This highlights the urgent need for organizations to modernize their security practices and infrastructure.

Here are four ways to address this challenge.

1. Increase investment in technology: Banks will need to significantly increase their investments in technology and infrastructure. This involves evaluating current systems and processes to ensure they align with the stringent requirements of CRA, DORA, the European Data Act, and other regulations.

2. Heighten risk management practices: A cultural shift will be necessary within organizations, as teams will need to prioritize risk management and resilience strategies. DORA, in particular, emphasizes not just compliance but the ability to anticipate and recover from disruptions.

3. Enhance data governance: Many of these new regulations will require banks to prepare for new approaches to data sharing and governance. Banks will have to rethink how data is collected, stored, and analyzed, with a strong focus on transparency, accountability, and collaboration across departments.

4. Strengthen cybersecurity: As cyber threats evolve, the importance of robust cybersecurity measures cannot be overstated. The CRA mandates that financial institutions implement comprehensive security protocols, requiring banks to prioritize cybersecurity investments at every phase of the software development lifecycle.

How GitLab can help

With years of experience working with some of the largest financial organizations in the world, GitLab stands ready to support banks and other financial institutions in their compliance efforts. Our integrated suite of features empowers development teams to streamline their workflows, allowing them to concentrate on software development rather than becoming bogged down by the manual tracking and monitoring of evolving compliance regulations.

GitLab Dedicated, our fully isolated, single-tenant SaaS solution, is designed to meet the complex compliance and data residency requirements of highly regulated industries. Hosted and managed by GitLab, in your chosen cloud region, GitLab Dedicated ensures that sensitive data remains secure and compliant with local regulations. GitLab can help banks navigate these challenges effectively with:

1. Comprehensive application security and compliance features

• Security scanning built into developer workflows: Many financial institutions still rely on disparate tools for security checks, which can lead to gaps in coverage and oversight. GitLab offers built-in security scanning tools that automatically identify vulnerabilities and provide remediation guidance throughout the application lifecycle. By embedding security checks into CI/CD pipelines, banks can detect and resolve issues early in the development process, where they are less costly and less risky to fix, ensuring that they adhere to necessary security protocols. GitLab offers the following security scanner types:

  1. Static Application Security Testing (SAST)

  2. Dynamic Application Security Testing (DAST)

  3. Secret Detection

  4. Infrastructure as Code (IaC) Scanning

  5. Dependency (+ License) Scanning

  6. Coverage-guided Fuzz Testing

  7. Web API Fuzz Testing

  8. Container Scanning

  9. API Security Scanning

• Compliance and enforceable policies: Our platform enables separation of duties, by allowing security and compliance teams to manage security policies independently, allowing developers to focus purely on development. This approach supports the principle of least privilege, where developers access only what they need. For multinational banks or financial institutions who operate globally, GitLab’s policies and compliance dashboards assist in meeting strict geographical and regulatory requirements. These tools help maintain consistent adherence to compliance regulations, giving organizations clear visibility into their security posture across regions, industries, and regulations.

• Software supply chain security: GitLab ensures the security of the entire build, development, and deployment environment through a comprehensive approach to software supply chain security. Our software composition analysis (SCA) provides deep insights into component versions, licenses, and known vulnerabilities in dependencies which can be proactively remediated to reduce enterprise risk. This comprehensive approach also includes software bill of materials (SBOM) generation, ensuring transparency and compliance with industry standards. Finally, as highlighted above, GitLab provides controls to enforce the principle of least privilege to mitigate threats that compromise the software development environment itself.

2. Robust risk management tools

• Issue tracking and management: Within a bank, ineffective risk management can lead to overlooked vulnerabilities and inefficient mitigation strategies. GitLab’s issue tracking capabilities allow security vulnerabilities to appear alongside feature requests in the backlog, creating full visibility across teams. Sensitive issues can also be marked as confidential, so that only those who have sufficient permissions can access. This combination of transparency and controlled access supports a culture of collaboration and accountability, as development, security, and operations teams work together seamlessly on risk management. This cultural shift is crucial; rather than merely purchasing tools or one-off solutions, organizations must embed collaboration into their workflows to ensure security becomes a key part of the development process.

• Automated testing: A common challenge in the financial services industry is centered around the fact that homegrown solutions that were once robust processes become slow and cumbersome over time, leading to reduced agility. So much so that Forbes found that 60% of banking leaders consider legacy infrastructure to be the major factor keeping them from unlocking incremental growth. To compensate, the industry has shifted toward giving developers more freedom, but often at the cost of maintaining high security standards. <br></br> GitLab solves this challenge by automating testing within CI/CD pipelines, enabling financial institutions to maintain both speed and security. Developers can configure pipelines to fit their workflows, while security and compliance teams retain control over policies, ensuring adherence to critical security measures. By automating testing processes, GitLab helps banks remain resilient and functional, reducing the likelihood of disruptions.

3. Enhanced data governance

• Data management and compliance: GitLab’s data management features enable organizations to securely handle sensitive information. With embedded audit logs, banks can track data access and changes, ensuring transparency and accountability in their data practices. These logs can show actions such as who changed the permission level of a particular user for a project, and when.

• Collaboration tools: GitLab promotes collaboration among cross-departmental teams, facilitating communication between IT, compliance, and business units. This integrated approach is essential for effective data governance, allowing banks to align their data practices with organizational goals.

4. Efficient incident reporting and response

• Centralized incident management: GitLab provides centralized project management capabilities for logging and tracking significant incidents. This allows teams to respond quickly and effectively, ensuring that incidents are managed in a timely manner.

• Incident response guides: With GitLab, organizations can develop and maintain incident response plans within the platform. By simulating potential incidents and testing response protocols, banks can ensure preparedness and resilience in the face of unexpected challenges.

5. Documentation and audit readiness

• Continuous compliance documentation: Traditionally, banks have been locked into rigid 12-month audit cycles, preparing documentation to meet stringent regulations like the Bank Secrecy Act (BSA), Automated Clearing House (ACH) rules, and Anti-Money Laundering (AML) requirements. However, as the pace and complexity of threats grow, the financial industry is shifting from reactive, periodic audits to a proactive, continuous compliance model. With GitLab, teams know exactly where they stand at any given moment, leveraging real-time compliance data to their advantage. This continuous insight empowers teams to address issues as they arise, rather than waiting for an audit, creating a more agile and resilient compliance posture.

• Customizable reporting: With GitLab’s customizable reporting features, organizations can generate detailed reports that showcase compliance violations based on severity levels, violation types, and merge request titles. These reports provide valuable insights for both internal stakeholders and external parties, ensuring transparency and accountability.

Connect with GitLab today

As banks and financial institutions embrace these regulatory changes, GitLab not only provides the technology necessary to ensure compliance, but also fosters a culture of continuous improvement. This proactive approach allows financial institutions to release software with confidence, knowing they have the systems in place to mitigate risks and respond quickly to incidents.

GitLab’s commitment to supporting the financial sector through these transitions ensures that organizations are not only compliant but also resilient and prepared for the challenges ahead. Together, we can build a safer and more secure financial future.

Reach out to learn more about how we can help meet your regulatory challenges.

With the release of the CMMC final rule, DoD contractors can begin to assess and align their controls and processes to be compliant with CMMC’s requirements.

This article explains how GitLab customers can leverage the GitLab platform to help satisfy relevant NIST SP 800-171 R2 requirements to achieve CMMC Level 2 compliance.

Access Control

3.1.1, 3.1.2, 3.1.4 - 3.1.8, 3.1.11 - 3.1.13, 3.1.15

GitLab’s access management features broadly support CMMC access control requirements.

GitLab’s role-based access control (RBAC) model enables customers to limit access to authorized users, implement separation of duties, and ensure such users are only granted the permissions they require to perform their responsibilities.

GitLab also supports custom roles enabling organizations to craft roles that more accurately meet their needs.

GitLab’s audit events capture different actions within GitLab, including administrative actions. With RBAC and audit events, organizations can prevent non-privileged users from performing administrative actions and log such actions when they do occur.

To address the National Institute of Standards and Technology (NIST) requirement for limiting unsuccessful logon attempts, GitLab addresses this in a few different ways depending on the particular service offering a customer is subscribed to.

By default, GitLab implements limits on how long user sessions can remain valid without activity. Self-managed customers can configure this setting to meet their organizational needs.

GitLab secures data in transit through encryption and offers options for organizations to limit how their users connect to their GitLab namespace or instance. Organizations can restrict access to their top level group by IP address, and GitLab Dedicated customers can take a step further by using AWS PrivateLink as a connection gateway.

Audit and Accountability

3.3.1, 3.3.2, 3.3.8, 3.3.9

As mentioned, GitLab audit events capture different actions within GitLab, including administrative actions. Audit events in GitLab are associated with an individual user responsible for the event, and the audit events themselves are immutable.

For organizations with a GitLab Ultimate license, audit event streaming enables them to set a streaming destination for their top-level group’s audit events. GitLab Self-managed (Ultimate) and GitLab Dedicated customers can utilize the same functionality for streaming their GitLab instance audit events as well.

Configuration Management

3.4.1 - 3.4.3, 3.4.5

GitLab’s Create stage enables organizations to design, develop, and securely manage code and project data. Configurations for organizational systems can be stored, managed, and deployed leveraging GitLab’s infrastructure as code features.

By managing configuration changes through code, organizations can track the lineage of each change request. Merge request approval rules enable organizations to enforce how many approvals a merge request must receive before it can be merged, and which users are authorized to approve such requests. The history of each request is retained and can be reviewed through git.

<center><i>Multiple approval rules</i></center>

Identification and Authentication

3.5.1 - 3.5.3

GitLab supports SAML SSO integrations for GitLab.com groups, GitLab Dedicated, and Self-managed instances. Organizations can further simplify their GitLab identity and access management (IAM) processes by configuring System for Cross-domain Identity Management (SCIM).

GitLab also supports the use of multi-factor authentication, thereby enabling organizations to choose the IAM controls that fit their organizational needs.

Risk Assessment

3.11.2 - 3.11.3

GitLab supports a powerful suite of scanning features to help create holistic and robust application development and supply chain management processes.

GitLab enables organizations to discover vulnerabilities through Static Application Security Testing (SAST), Infrastructure as Code Security Scanning, Dynamic Application Security Testing (DAST), Container Scanning, and Dependency Scanning.

Discovered vulnerabilities on the default branch can be viewed in aggregate through GitLab’s Vulnerability Report. From there, organizations can dive into each finding’s Vulnerability page to create issues to track and discuss the vulnerability, and resolve the vulnerability, either manually or via a merge request.

Additionally, GitLab Duo’s Vulnerability Explanation feature can be leveraged to better understand discovered vulnerabilities, how they can be exploited, and how to fix them.

To go a step further, AWS recently announced GitLab Duo with Amazon Q. Within a GitLab merge request, Amazon Q developer scans all changes looking for security vulnerabilities, quality issues such as code that doesn’t follow best practices, and any other potential problems with the code. After it’s finished, it will add each finding as a comment that includes a snippet of the problematic code found, a description of the issue, and a severity rating. Amazon Q with GitLab Duo will also recommend a code security fix.

<div style="padding:56.25% 0 0 0;position:relative;"><iframe src="https://player.vimeo.com/video/1033653810?badge=0&autopause=0&player_id=0&app_id=58479" frameborder="0" allow="autoplay; fullscreen; picture-in-picture; clipboard-write" style="position:absolute;top:0;left:0;width:100%;height:100%;" title="GitLab Duo and Amazon Q"></iframe></div><script src="https://player.vimeo.com/api/player.js"></script>

System and Information Integrity

3.14.1

As mentioned above, GitLab provides numerous features to identify vulnerabilities. Organizations can structure scan execution policies to help ensure vulnerabilities are identified expediently when commits are pushed and on a regular schedule. Identified vulnerabilities can be linked to issues for identified software flaws to support a more informed and unified remediation process.

Here is an at-a-glance look at GitLab's companion features for CMMC Level 2:

Learn more

As the most comprehensive AI-powered DevSecOps platform, GitLab enables its customers to meet a broad range of regulatory and compliance requirements through an extensive and rich feature set. You can dig deeper into these features with our library of tutorials.

To help, we’ve introduced several new enhancements to our Software Composition Analysis (SCA) solution. These improvements are available for all GitLab Ultimate customers:

• Static Reachability Analysis identifies the exploitable vulnerabilities from open source components in your applications.
• Known Exploited Vulnerabilities (KEV) Indicator highlights known, actively exploited vulnerabilities.
• Exploit Prediction Scoring System (EPSS) predicts the likelihood of a vulnerability being exploited.

By prioritizing exploitable vulnerabilities, AppSec teams can reduce triage times, accelerate remediation cycles, and improve collaboration with their development counterparts. Powered by our recent acquisitions of Oxeye and Rezilion's intellectual property, these new capabilities align with our vision of providing best-in-class application security solutions, natively built into developer workflows.

What is SCA and why does it matter?

Software Composition Analysis helps organizations identify and manage open source components within their applications. By scanning the codebase, SCA provides insights into the component versions, licenses, and importantly, known vulnerabilities. With 90% of Fortune 500 companies dependent on open source components for their applications, SCA provides much-needed visibility to mitigate software supply chain risk.

High-profile breaches like SolarWinds and Log4Shell highlight how vulnerabilities in third-party components can compromise countless downstream applications. SCA tools act as proactive measures, enabling teams to identify vulnerabilities and enforce compliance early in the software development lifecycle, ensuring software security while maintaining development velocity.

Filter out the noise for targeted remediation

With our latest SCA enhancements, GitLab helps you cut through the noise to prioritize real risks, reduce backlogs, and remediate faster – all within your existing workflows.

Focus on vulnerabilities that pose the greatest risk

• Static Reachability Analysis leverages the proprietary detection engine of our Advanced SAST solution to surface vulnerabilities from dependencies that can actually be exploited in your application.

Reduce triage times

• With KEV indicators and EPSS scoring, GitLab gives security teams actionable insights into vulnerabilities that are actively being exploited or likely to be targeted. Incorporating risk-based scoring helps teams effectively triage their vulnerability backlog.

Faster remediation to mitigate supply chain risk

• Our SCA enhancements are built into developer workflows, providing contextual remediation guidance while maintaining developer productivity.

What’s next for SCA

We’re continuing to integrate Rezilion’s technology into our platform to help teams secure their software supply chains more effectively. Rezilion will be key to powering future innovations, including:

• Supporting faster remediation workflows by automatically opening merge requests with fixes for detected vulnerabilities
• Enriching package metadata using OpenSSF scorecard ratings to provide security teams with more information on dependencies such as authors and end-of-life status
• Improving open-source software license detection to ensure compliance and reduce legal risks

Get started with SCA

If you’re an existing GitLab Ultimate customer and would like to learn more about how Software Composition Analysis can enhance your application security program, visit our documentation. There, you’ll find details on implementation requirements, use cases, and more. Or if you’re not yet a GitLab Ultimate customer, get started with a free trial today to explore how GitLab enhances your ability to write secure software, achieve compliance goals, and improve development velocity.

Disclaimer: This blog contains information related to upcoming products, features, and functionality. It is important to note that the information in this blog post is for informational purposes only. Please do not rely on this information for purchasing or planning purposes. As with all projects, the items mentioned in this blog and linked pages are subject to change or delay. The development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab.

GitLab Bug Bounty Program by the numbers

• Awarded over US$1 million in bounties across 275 valid reports.
• Received a total of 1,440 reports from 457 researchers in 2024.
• Our busiest month was July, when we paid out over US$193,000!

Note: Data is accurate as of 31st of December, 2024.

You can see program statistics updated daily on our HackerOne program page.

GitLab Bug Bounty Researchers of the Year

It's time to shine a spotlight on the brilliant minds who have contributed to making GitLab more secure. Our bug bounty program continues to be a crucial part of our security strategy, and we're thrilled to recognize the outstanding efforts of our top researchers.

Most Valid Reports: joaxcar

Leading the pack with an impressive 55 valid reports, joaxcar has demonstrated exceptional dedication and skill in identifying potential vulnerabilities. joaxcar’s consistent contributions have played a significant role in enhancing GitLab's security posture, and has risen to our No. 1 contributing researcher.

Newcomer of the Year: a92847865

We're always excited to welcome fresh talent to our bug bounty program. This year, a92847865 caught our attention by submitting 16 valid reports since their first submission on May 10. Their quick impact showcases the importance of new perspectives in security research.

Most Innovative Report: yvvdwf

Innovation is key to staying ahead of potential threats. A report made by yvvdwf stood out for its creative approach to identifying a complex vulnerability. This kind of out-of-the-box thinking is invaluable in our ongoing security efforts.

Most Impactful Finding: ahacker1

Sometimes, a single discovery can have far-reaching implications. One of ahacker1's reports was particularly impactful this year. This finding led to significant improvements in our pipeline security and API access controls.

Best Written Report: matanber

Clearly written communication is crucial in bug bounty reports. This year, matanber provided an exceptionally detailed explanation of a complex Web IDE vulnerability. The report included comprehensive technical diagrams, relevant code snippets, and step-by-step explanations that showcased the issue perfectly. The clarity and thoroughness of the report made it easier for our team to understand, validate, and promptly fix the issue.

Special swag

As a token of our gratitude (in addition to the monetary reward, of course), we are sending our top bug bounty researchers some limited edition swag! Psst, winners, make sure to check your HackerOne emails!

Other highlights

We continued running our 90-day challenges where researchers focused on different areas of GitLab in return for an extra bug bounty bonus payout. We saw a great turnout for these, and it’s something we will look into continuing in 2025.

We also hosted another "Ask a hacker AMA" – this time with @ahacker1. Read the recap blog or watch the interview:

<!-- blank line --> <figure class="video_container"> <iframe src="https://www.youtube.com/embed/EPV0eNOOfv4?si=byNqXWKZzZLXfLfW" title="GitLab Ask a Hacker AMA with Alexander Siyou Tan (@ahacker1)" frameborder="0" allowfullscreen="true"> </iframe> </figure> <!-- blank line -->

Looking ahead

As we move into 2025, we're excited to see the new discoveries of our bug bounty community. Your efforts continue to be a cornerstone of our security strategy, helping us build a more secure platform for developers around the world.

To all our researchers: Thank you for your hard work, creativity, and commitment to security. Here's to another year of smashing bugs!

Learn how to participate in the GitLab 2025 Bug Bounty program.

At its core, CI/CD is about creating a seamless pipeline that takes code from a developer's environment all the way to production and incorporates feedback in real time. CI helps teams catch issues early — before they become costly problems — by ensuring that code changes are frequently merged into a shared repository, automatically tested, and validated. CD extends this by automating deployments, making releases predictable and stress-free.

Rather than relying on manual processes and complex toolchains for software development, teams can use a robust CI/CD pipeline to build, test, and deploy software. And AI can streamline the process even further, automatically engineering CI/CD pipelines for consistent quality, compliance, and security checks.

This guide explains modern CI/CD pipelines, from basic principles to best practices to advanced strategies. You'll also discover how leading organizations use CI/CD for impactful results. What you learn in this guide will help you scale your DevSecOps environment to develop and deliver software in an agile, automated, and efficient manner.

What you'll learn:

• What is continuous integration?
• What is continuous delivery?
• How source code management relates to CI/CD
• The benefits of CI/CD in modern software development
  • Key differences between CI/CD and traditional development
• Understanding CI/CD fundamentals
  • What is a CI/CD pipeline?
• Best practices for CI/CD implementation and management
  • CI best practices
  • CD best practices
• How to get started with CI/CD
• Security, compliance, and CI/CD
• CI/CD and the cloud
• Advanced CI/CD
  • Reuse and automation in CI/CD
  • Troubleshooting pipelines with AI
• How to migrate to GitLab CI/CD
• Lessons from leading organizations
• CI/CD tutorials

What is continuous integration?

Continuous integration (CI) is the practice of integrating all your code changes into the main branch of a shared source code repository early and often, automatically testing changes when you commit or merge them, and automatically kicking off a build. With continuous integration, teams can identify and fix errors and security issues more easily and much earlier in the development process.

What is continuous delivery?

Continuous delivery (CD) – sometimes called continuous deployment – enables organizations to deploy their applications automatically, allowing more time for developers to focus on monitoring deployment status and assure success. With continuous delivery, DevSecOps teams set the criteria for code releases ahead of time and when those criteria are met and validated, the code is deployed into the production environment. This allows organizations to be more nimble and get new features into the hands of users faster.

How source code management relates to CI/CD

Source code management (SCM) and CI/CD form the foundation of modern software development practices. SCM systems like Git provide a centralized way to track changes, manage different versions of code, and facilitate collaboration among team members. When developers work on new features or bug fixes, they create branches from the main codebase, make their changes, and then merge them through merge requests. This branching strategy allows multiple developers to work simultaneously without interfering with each other's code, while maintaining a stable main branch that always contains production-ready code.

CI/CD takes the code managed by SCM systems and automatically builds, tests, and validates it whenever changes are pushed. When a developer submits their code changes, the CI/CD system automatically retrieves the latest code, combines it with the existing codebase, and runs through a series of automated checks. These typically include compiling the code, running unit tests, performing static code analysis, and checking code coverage. If any of these steps fail, the team is immediately notified, allowing them to address issues before they impact other developers or make their way to production. This tight integration between source control and continuous integration creates a feedback loop that helps maintain code quality and prevents integration problems from accumulating.

The benefits of CI/CD in modern software development

CI/CD brings transformative benefits to modern software development by dramatically reducing the time and risk associated with delivering new features and fixes. The continuous feedback loop gives DevSecOps teams confidence their changes are automatically validated against the entire codebase. The result is higher quality software, faster delivery times, and more frequent releases that can quickly respond to user needs and market demands.

Perhaps most importantly, CI/CD fosters a culture of collaboration and transparency within software development teams. When everyone can see the status of builds, tests, and deployments in real time, it becomes easier to identify and resolve bottlenecks in the delivery process. The automation provided by CI/CD also reduces the cognitive load on developers, freeing them to focus on writing code rather than managing manual deployment processes. This leads to improved developer satisfaction and productivity, while also reducing the risk traditionally associated with the entire software release process. Teams can experiment more freely knowing rapid code reviews are part of the process and they can quickly roll back changes if needed, which encourages innovation and continuous improvement.

Get started with GitLab CI/CD. Sign up for GitLab Ultimate and try the AI-powered DevSecOps platform free for 60 days.

Key differences between CI/CD and traditional development

CI/CD differs from traditional software development in many ways, including:

Frequent code commits

Developers often work independently and infrequently upload their code to a main codebase, causing merge conflicts and other time-consuming issues. With CI/CD, developers push commits throughout the day, ensuring that conflicts are caught early and the codebase remains up to date.

Reduced risk

Lengthy testing cycles and extensive pre-release planning are hallmarks of traditional software development. This is done to minimize risk but often hinders the ability to find and fix problems. Risk is managed in CI/CD by applying small, incremental changes that are closely monitored and easily reverted.

Automated and continuous testing

In traditional software development, testing is done once development is complete. However, this causes problems, including delayed delivery and costly bug fixes. CI/CD supports automated testing that occurs continuously throughout development, sparked by each code commit. Developers also receive feedback they can take fast action on.

Automated, repeatable, and frequent deployments

With CI/CD, deployments are automated processes that reduce the typical stress and effort associated with big software rollouts. The same deployment process can be repeated across environments, which saves time and reduces errors and inconsistencies.

Understanding CI/CD fundamentals

CI/CD serves as a framework for building scalable, maintainable delivery processes, so it's critical for DevSecOps teams to firmly grasp its core concepts. A solid understanding of CI/CD principles enables teams to adapt strategies and practices as technology evolves, rather than being tied to legacy approaches. Here are some of the basics.

What is a CI/CD pipeline?

A CI/CD pipeline is a series of steps, such as build, test, and deploy, that automate and streamline the software delivery process. Each stage serves as a quality gate, ensuring that only validated code moves forward. Early stages typically handle basic checks like compilation and unit testing, while later stages may include integration testing, performance testing, compliance testing, and staged deployments to various environments.

The pipeline can be configured to require manual approvals at critical points, such as before deploying to production, while automating routine tasks and providing quick feedback to developers about the health of their changes. This structured approach ensures consistency, reduces human error, and provides a clear audit trail of how code changes move from development to production. Modern pipelines are often implemented as code, allowing them to be version controlled, tested, and maintained just like application code.

These are other terms associated with CI/CD that are important to know:

• Commit: a code change
• Job: instructions a runner has to execute
• Runner: an agent or server that executes each job individually that can spin up or down as needed
• Stages: a keyword that defines certain job stages, such as "build" and "deploy." Jobs of the same stage are executed in parallel. Pipelines are configured using a version-controlled YAML file, .gitlab-ci.yml, at the root level of a project.

Best practices for CI/CD implementation and management

How successful you are with CI/CD depends greatly on the best practices you implement.

CI best practices

• Commit early, commit often.
• Optimize pipeline stages.
• Make builds fast and simple.
• Use failures to improve processes.
• Make sure the test environment mirrors production.

CD best practices

• Start where you are – you can always iterate.
• Understand the best continuous delivery is done with minimal tools.
• Track what’s happening so issues and merge requests don't get out of hand.
• Streamline user acceptance testing and staging with automation.
• Manage the release pipeline through automation.
• Implement monitoring for visibility and efficiency.

Bookmark this!

Watch our "Intro to CI/CD" webinar!

<!-- blank line --> <figure class="video_container"> <iframe src="https://www.youtube.com/embed/sQ7Nw3o0izc?si=3HpNqIClrc2ncr7Y" title="Intro to CI/CD webinar" frameborder="0" allowfullscreen="true"> </iframe> </figure> <!-- blank line -->

How to get started with CI/CD

Getting started with CI/CD begins with identifying a simple but representative project to serve as your pilot. Choose a straightforward application with basic testing requirements, as this allows you to focus on learning the pipeline mechanics rather than dealing with complex deployment scenarios. Begin by ensuring your code is in version control and has some basic automated tests — even a few unit tests will suffice. The goal is to create a minimal pipeline that you can gradually enhance as your understanding grows.

For GitLab specifically, the process starts with creating a .gitlab-ci.yml file in your project's root directory. This YAML file defines your pipeline stages (basic ones like build, test, and deploy) and jobs. A simple pipeline might look like this: The build stage compiles your code and creates artifacts, the test stage runs your unit tests, and the deploy stage pushes your application to a staging environment. GitLab will automatically detect this file and start running your pipeline whenever changes are pushed to your repository. The platform provides built-in runners to execute your pipeline jobs, though you can also set up your own runners for more control.

As you become comfortable with the basics, gradually add more sophisticated elements to your pipeline. This might include adding code quality checks, security scanning, or automated deployment to production. GitLab's DevSecOps platform includes features like compliance management, deployment variables, and manual approval gates that you can incorporate as your pipeline matures. Pay attention to pipeline execution time and look for opportunities to run jobs in parallel where possible. Remember to add proper error handling and notifications so team members are promptly alerted of any pipeline failures. Start documenting common issues and solutions as you encounter them — this will become invaluable as your team grows.

Want to learn more about getting started with CI/CD? Register for a free CI/CD course on GitLab University.

Security, compliance, and CI/CD

One of the greatest advantages of CI/CD is the ability to embed security and compliance checks early and often in the software development lifecycle. In GitLab, teams can use the .gitlab-ci.yml configuration to automatically trigger security scans at multiple stages, from initial code commit to production deployment. The platform's container scanning, dependency scanning, and security scanning capabilities (Dynamic Application Security Testing and Advanced SAST) can be configured to run automatically with each code change, checking for vulnerabilities, compliance violations, and security misconfigurations. The platform's API enables integration with external security tools, while the test coverage features ensure security tests meet required thresholds.

GitLab's security test reports provide detailed information about findings, enabling quick remediation of security issues before they reach production. The Security Dashboard provides a centralized view of vulnerabilities across projects, while security policies can be enforced through merge request approvals and pipeline gates. In addition, GitLab provides multiple layers of secrets management to protect sensitive information throughout the CI/CD process, audit logs to track access to secrets, and role-based access control (RBAC) to ensure only authorized users can view or modify sensitive configuration data.

GitLab also supports software bill of materials (SBOM) generation, providing a comprehensive inventory of all software components, dependencies, and licenses in an application and enabling teams to quickly identify and respond to vulnerabilities and comply with regulatory mandates.

CI/CD and the cloud

GitLab's CI/CD platform provides robust integration with major cloud providers including Amazon Web Services, Google Cloud Platform, and Microsoft Azure, enabling teams to automate their cloud deployments directly from their pipelines. Through GitLab's cloud integrations, teams can manage cloud resources, deploy applications, and monitor cloud services all within the GitLab interface. The platform's built-in cloud deployment templates and Auto DevOps features significantly reduce the complexity of cloud deployments, allowing teams to focus on application development rather than infrastructure management. For organizations that want to automate their IT infrastructure using GitOps, GitLab has a Flux CD integration.

GitLab's cloud capabilities extend beyond basic deployment automation. The platform's Kubernetes integration enables teams to manage container orchestration across multiple cloud providers, while the cloud native GitLab installation options allow the platform itself to run in cloud environments. Through GitLab's cloud-native features, teams can implement auto-scaling runners that dynamically provision cloud resources for pipeline execution, optimizing costs and performance. The platform's integration with cloud provider security services ensures that security and compliance requirements are met throughout the deployment process.

For multi-cloud environments, GitLab provides consistent workflows and tooling regardless of the underlying cloud provider. Teams can use GitLab's environment management features to handle different cloud configurations across development, staging, and production environments. The platform's infrastructure as code support, particularly its native integration with Terraform, enables teams to version control and automate their cloud infrastructure provisioning. GitLab's monitoring and observability features integrate with cloud provider metrics, providing comprehensive visibility into application and infrastructure health across cloud environments.

Advanced CI/CD

CI/CD has evolved far beyond simple build and deploy pipelines. In advanced implementations, CI/CD involves sophisticated orchestration of automated testing, security scanning, infrastructure provisioning, AI, and more. Here are a few advanced CI/CD strategies that can help engineering teams scale their pipelines and troubleshoot issues even as architectural complexity grows.

Reuse and automation in CI/CD

GitLab is transforming how development teams create and manage CI/CD pipelines with two major innovations: the CI/CD Catalog and CI/CD steps, a new programming language for DevSecOps automation currently in experimental phase. The CI/CD Catalog is a centralized platform where developers can discover, reuse, and contribute CI/CD components. Components function as reusable, single-purpose building blocks that simplify pipeline configuration — similar to Lego pieces for CI/CD workflows. Meanwhile, CI/CD steps support complex workflows by allowing developers to compose inputs and outputs for a CI/CD job. With the CI/CD Catalog and CI/CD steps, DevSecOps teams can easily standardize CI/CD and its components, simplifying the process of developing and maintaining CI/CD pipelines.

Learn more in our CI/CD Catalog FAQ and CI/CD steps documentation.

Troubleshooting pipelines with AI

While CI/CD pipelines can and do break, troubleshooting the issue quickly can minimize the impact. GitLab Duo Root Cause Analysis, part of a suite of AI-powered features, removes the guesswork by determining the root cause for a failed CI/CD pipeline. When a pipeline fails, GitLab provides detailed job logs, error messages, and execution traces that show exactly where and why the failure occurred. Root Cause Analysis then uses AI to suggest a fix. Watch GitLab Duo Root Cause Analysis in action:

<!-- blank line --> <figure class="video_container"> <iframe src="https://www.youtube.com/embed/sTpSLwX5DIs?si=J6-0Bf6PtYjrHX1K" frameborder="0" allowfullscreen="true"> </iframe> </figure> <!-- blank line -->

How to migrate to GitLab CI/CD

Migrating to the DevSecOps platform and its built-in CI/CD involves a systematic approach of analyzing your existing pipeline configurations, dependencies, and deployment processes to map them to GitLab's equivalent features and syntax. Use these guides to help make the move.

• How to migrate from Bamboo to GitLab CI/CD
• Jenkins to GitLab: The ultimate guide to modernizing your CI/CD environment
• GitHub to GitLab migration the easy way

Lessons from leading organizations

These leading organizations migrated to GitLab and are enjoying the myriad benefits of CI/CD. Read their stories.

• Lockheed Martin
• Indeed
• CARFAX
• HackerOne
• Betstudios
• Thales and Carrefour

CI/CD tutorials

Become a CI/CD expert with these easy-to-follow tutorials.

• Basics of CI: How to run jobs sequentially, in parallel, or out of order
• How to set up your first GitLab CI/CD component
• Building a GitLab CI/CD pipeline for a monorepo the easy way
• Using child pipelines to continuously deploy to five environments
• CI/CD automation: Maximize 'deploy freeze' impact across GitLab groups
• Refactoring a CI/CD template to a CI/CD component
• Annotate container images with build provenance using Cosign in GitLab CI/CD

Get started with GitLab CI/CD. Sign up for GitLab Ultimate and try the AI-powered DevSecOps platform free for 60 days.

If you’re unsure whether you’re ready to upgrade your security, here are a few signs you’ve outgrown your security needs:

• You spend more time managing permissions than writing code.
• Security reviews create development bottlenecks.
• You can't definitively say who changed what and when.
• You're unsure if security policies are consistently followed.

Do any of these signs resonate with you? Let's explore how teams typically mature their security practices as they grow.

1. Your organization requires advanced access controls.

Manual permission management can be tedious and prone to errors. While it’s manageable for a team of three, it becomes much more complex as your team grows to 15, 30, or 100 developers.

The disadvantages of an intricate permission system are two-fold:

1. It becomes more likely that accidental or unauthorized changes are made to critical parts of the codebase.
2. Managing complex permissions takes time that could be spent developing valuable software for the business.

Features that automate permission management

Scaling teams need features that automate permission management. GitLab Premium offers enterprise-grade Agile planning features that provide organizational hierarchies, enabling advanced permissions management at the group or sub-group level.

This, alongside features like Protected Branches and restricted push and merge access, save growing teams time while providing an additional layer of security.

2. You need to build a robust review process.

Many teams have senior developers review security-sensitive code. However, as your codebase expands, it becomes more challenging to ensure the right people are reviewing the right changes. This can lead to an elongated review process or the release of insecure code before it’s been reviewed by the right parties.

When you notice security reviews becoming inconsistent or creating bottlenecks, it’s time to consider solutions that give you tighter control over your merge request pipelines.

Features that enhance the review process

GitLab Premium helps teams mature beyond manual processes with capabilities like Multiple Approvers and push rules. These features improve your code by ensuring it’s reviewed before it is merged, preventing errors from occurring late in the development process. It also requires higher levels of authorization and verification to those who push or commit to a git branch.

3. You need to strengthen compliance adherence.

When your team is small, you know who is working on what projects and when deployments will occur. But, as your team grows it becomes more challenging (if not impossible) to follow all code changes and activities. It’s also easy to lose sight of security policies and whether all team members are consistently following them.

These are signs that you need tools to help you track changes and ensure code quality meets regulatory requirements.

Features that improve compliance efforts

With GitLab Premium’s Audit Events, you can track and review changes, such as who performed certain actions at what time within the repository. At the same time, Code Quality Reports can check for adherence to compliance standards. This can help teams more readily prove compliance while also quickly identifying and fixing problems within the code.

Scale your security efforts with GitLab Premium

If you’re experiencing security-related growing pains as your business scales, consider upleveling your security needs before it’s too late. Empower your team with features that prioritize security and compliance, and accelerate software delivery.

Upgrade to GitLab Premium today!

Many teams experience these challenges as they grow, but how you handle and address these growing pains can save you time, energy, and money in the long run. In this article, we’ll explore the common pitfalls growing teams face and how successful organizations address them.

1. Consistent code quality

One of the challenges growing teams face is maintaining consistent code quality as more developers contribute to the codebase. Quality issues that were once caught quickly now take longer to identify and fix.

Successful teams address these challenges through automated code analysis throughout their development workflow. Instead of relying solely on manual reviews, they implement systems to identify potential issues and enforce consistent standards before code even reaches human reviewers. This approach helps detect complexity issues early and flags potential security vulnerabilities, allowing reviewers to focus on more strategic aspects of code review.

Features that maintain consistent code quality

• Start by automating code analysis in your workflow. With GitLab Premium, you can set up Code Quality Reports in your merge requests. This helps catch issues early by analyzing code complexity and quality before review begins. For example, when a developer submits changes that might increase technical debt, the report will flag these issues automatically.
• Next, establish automated quality standards. Configure Quality Gates to define what "good code" means for your team. This could include test coverage requirements, complexity limits, or specific coding patterns. When code doesn't meet these standards, merges are automatically blocked until issues are addressed.
• Finally, prevent issues before they even reach review. Push Rules let you enforce standards right at commit time. You might start with simple rules like requiring certain commit message formats, then gradually add more sophisticated checks as your team adapts.

2. Improve collaboration and productivity

The priorities for startups are often budget and speed, but as businesses grow, tracking DevSecOps workflows across a patchwork of tools can actually deter productivity.

Disparate tools cause developers to context switch between platforms, decreasing focus time and development speed. Toolchain sprawl also limits visibility among teams, creating operational silos that lead to miscommunication.

To address these challenges, teams often turn to Agile solutions to help with project management, align timelines, and improve cross-team collaboration. When combined with a DevSecOps environment, Agile creates a powerful system for software development that marries the iterative Agile approach with a security-first mindset.

Features that improve collaboration and productivity

• With GitLab Premium, teams can access enterprise-grade Agile tools within their DevSecOps platforms. You can start by creating groups and projects, assigning team members roles, and determining their level of permission.
• Milestones and epics help teams plan large-scale initiatives across multiple projects to track dependencies, progress, and align on deliverables. This gives everyone clear visibility into the process.
• Then, dive deeper into each task with issues. With customizable workflows and multi-assignee capabilities, teams can visualize project progress, dynamically adjust priorities, and collaborate on issue resolution.

3. Increase deployment velocity

In theory, teams should be more productive as they scale. However, if tools aren’t updated to accommodate a growing team, the CI/CD pipeline can feel clunky and inefficient.

Teams turn to tools that help them automate and optimize the CI/CD pipeline. By automating components like code reviews, merge trains, and permissions, teams can streamline the CI/CD pipeline and improve deployment speed.

Features that increase deployment velocity

GitLab Premium offers advanced features that help you build, maintain, deploy, and monitor complex pipelines. Increase the speed of deployment through the CI/CD pipeline with more control over code reviews and merge request processes.

• You can automate the merging of multiple changes in a controlled sequence with Merge Trains. This reduces integration issues and improves deployment efficiency.
• Gain visibility into whether your jobs passed or failed with Multi-Project Pipeline Graphs. Access all related jobs for a single commit and the net result of each stage of your pipeline to quickly see what failed and fix it.
• Team leaders can access comprehensive insights and make data-informed decisions with Code Review Analytics that provide detailed metrics and merge request analytics. This helps teams identify bottlenecks, optimize review cycles, and establish data-driven process improvements.

4. Enhance security and compliance controls

Without rigorous governance policies, inefficient and insecure code may be released. With smaller companies, security reviews are often manual and the reviews often take a backseat to speed. This can lead to teams releasing incorrect or unsafe code to production causing costly delays.

To evolve their security practices, teams turn to stricter access controls, a more refined and delineated review process, as well as features that enable teams to review and track changes.

Features that enhance security and compliance controls

• With stricter access controls, such as Protected Branches and Protected Environments, you can restrict push and merge access, securing those areas from unwanted changes by unauthorized users.
• To strengthen security review processes, implement Multiple Approvers in Merge Requests. This requires team members to review and approve code changes before they’re pushed through.
• Review who performed a certain action within the repository and at what time with Audit Events. By tracking changes, you’re able to stay on top of compliance requirements.

5. Avoid downtime and delays

Without support, teams are left to troubleshoot issues themselves. This can lead to major delays or periods of downtime where the company is unable to deliver value. As companies grow, this downtime becomes more and more detrimental to the business.

It’s important to evaluate what your company’s threshold is for downtime. When the value of the downtime outweighs the cost of support, it’s time to scale your DevSecOps platform to meet those needs.

Support services to avoid downtime and delays

With GitLab Premium, customers of both SaaS and self-managed instances have access to Priority Support. GitLab customer support offers Tiered Support response times, ranging from emergency to low-impact services, and can help you resolve issues quickly, minimizing downtime and disruption to your development cycle.

Plus, for self-managed customers moving to Premium, GitLab offers support for any issues that occur after implementation and upgrade assistance to provide a seamless transition.

Build today, scale for tomorrow with GitLab Premium

Instead of struggling with the challenges that growing teams face, scale your DevSecOps platform with GitLab Premium.

GitLab Premium provides teams with the project management, pipeline tools, security, and support needed to work efficiently and effectively across the software development lifecycle.

Learn more about why you should upgrade to GitLab Premium.

Validation testing results

To validate that our usage of GitLab Duo to generate tests was adding value the way we expected, we challenged ourselves and GitLab Duo to replace and increase test coverage. The team removed all previously written tests to get our test coverage to 0% and then methodically went through the repository and created new test files to store GitLab Duo-generated tests.

From this starting point, the team followed the steps outlined in the first blog to generate tests. Tests and test files were unmodified by humans to provide a stable control group and a Tests Generated by Duo comment at the top of them were suffixed by duo.py to indicate where the tests came from.

All iterations of the tests were only done through interactions with GitLab Duo through the Generate Tests and GitLab Duo Chat window as outlined in the second blog in the series. As we shared, we requested GitLab Duo to make updates based on encountered errors, test failures, and example code snippets for GitLab Duo to use as added context.

At all times. when testing with GitLab Duo, we were running tests and coverage reports so we could see if our GitLab Duo-generated tests were increasing testing coverage and adding value as we expected. Taking advantage of GitLab's test coverage visualization, we were able to continuously monitor the results of our work.

Ultimately, after using GitLab Duo to regenerate tests for code previously covered through our mostly manual testing, we were able to achieve test coverage of 84%. This was a great accomplishment for the team because:

1. It was a significant improvement from prior coverage, which was at 74%.
2. It took approximately two days by one engineer to achieve 84%, compared to the approximately four weeks across multiple engineers that the 74% had taken.

Since this experiment, the team has increased coverage even further to 89% with the help of GitLab Duo, while continuing to introduce new features.

Using GitLab Duo allowed for increased testing efficiency and coverage, and also allowed developers with lower context around existing code to write valuable tests, quickly. This has resulted in increased confidence on the team to develop new features without worrying about introducing errors.

If you'd like to try GitLab Duo, sign up for a free, 60-day trial today!

How does Git Bash work?

Git Bash is an application that you can install on Windows operating systems using Git for Windows. This application acts as an emulator to use the Git version control tool on a Bash command terminal.

Bash is an acronym for Bourne Again SHell. SHell refers to the command terminal application of an operating system (OS). Bourne Again SHell is actually an upgraded version of Bourne SHell (also referred to as shell sh), the command line interface for UNIX developed by Stephen Bourne in 1977.

Bash is the default shell for Linux and MacOS operating systems. With Git Bash, Windows users can install Bash, run Bash commands and use Git commands.

How to install Git Bash

To download Git Bash, it is necessary to install Git for Windows. To do this, go to the official Git for Windows website and click "Download" to install the full Git package. When the download is complete, open the .exe file and begin the installation.

To install Git Bash on Windows, please follow these step-by-step instructions:

1. Open the .exe file and click Next. Select the appropriate folder for the installation.
2. Accept the terms of use and click Next to start the installation.
3. In this step, select the components to install. The pre-selected settings are relevant, but you can change them according to your preferences. Click Next again.
4. Then, choose the editor you prefer to use with Git. The tool recognizes editors already installed on your computer.
5. A window is displayed with three settings of the PATH environment. Depending on your needs, choose whether Git should only be used by Git Bash or if you want to use it from other third-party software.
6. Finally, keep the default settings by clicking Next and install Git Bash by clicking Install.

What are Bash commands?

First of all, the pwd (Print Working Directory) command allows you to view the absolute path. This means that it displays the path of the folder we are in at the time of typing the command.
Remember: When you open the Git Bash terminal, you are in a folder on your computer. Usually, this is the folder with your username.

The ls command gives access to the list of files present in the current folder. You can also add options to the ls command with a dash -. For example, the -l option after ls lists the contents of a folder with more information about each file.

Bash also has a cd (Change Directory) command to move around your computer. To indicate the directory you want to go to, please specify the relative or absolute path after cd. The relative path is the location relative to the current directory while the absolute path is its location relative to the root folder.

How to use Git Bash with GitLab

Using Git Bash with GitLab is like using the terminal emulator with another source code management platform. In order to push and retrieve your changes from GitLab, add the URL of your GitLab remote repository with the command: git remote add origin <repository_url>.

If your project is private, Git Bash asks you to authenticate yourself. Enter your credentials when the terminal requests your username and password. If you're having trouble logging in, check your authorization settings directly in GitLab.

Then use the basic Git commands like git clone, git commit, git push, git branch, as well as git checkout, to name a few. To learn more, visit our Git Cheat Sheet.

Git Bash FAQ

Are Git Bash and GitLab compatible?

Yes. Using Git Bash with GitLab is similar to working with another source code management platform. Be sure to set up GitLab as a remote repository and authenticate yourself during the initial setup.

Why use Git Bash?

Git Bash acts as a terminal emulator to use the Git and Bash commands in a Windows environment.

What's the point of a shell?

Using a shell allows you to automate tasks through scripts, effectively control your computer and benefit from direct access to system functions.

Read more

• What is Git version control?
• What's new in Git 2.47.0?
• Git pull vs. git fetch: What's the difference?

To mitigate risks and drive innovation, organizations must prioritize automated code quality and compliance systems. The financial implications of poor code management are substantial, with technical debt consuming up to 40% of IT budgets (McKinsey Digital: Tech Debt Report) and software vulnerabilities costing an average of $4.88 million per security breach (IBM Cost of a Data Breach Report).

Modern software development requires a strategic approach to code management and compliance that goes beyond traditional review processes. With more robust review systems and compliance controls, organizations can innovate and secure software faster than their competitors.

The power of code review and approval processes

According to the GitLab 2024 Global DevSecOps Report, C-level executives rank code quality as one of the top benefits of DevSecOps. With executives recognizing code quality as a strategic priority, systematic review processes have emerged as a cornerstone of modern development practices.

Code review processes benefit developers through knowledge sharing, the discovery of bugs earlier in the process, and improved security. However, developers say the top changes that could be made to improve job satisfaction are increasing automation and collaboration, according to our survey.

As code quality and code review processes are embedded into the software development lifecycle, focusing on systems that remove manual code review and enhance collaboration across teams will help keep developer workflows running smoothly.

Code review processes increase collaboration and development speed

The improvement in organizational efficiency can be seen in this example with Airbus Intelligence, a leader in the geospatial industry. The development teams at Airbus struggled with inefficient processes and needed tools that could help their team collaborate efficiently across the globe. After adopting GitLab Premium, Airbus quickly noticed the improvement in code quality.

GitLab CI’s built-in security testing meant developers could identify bugs and vulnerabilities before they reached production. Instead of spending a full day setting up for production and doing manual tests, those simple tasks are now automated.

Airbus’ release time dramatically decreased from 24 hours to just 10 minutes.

“What used to happen is we would touch one part of the code and it would break another part. Now, each time a developer pushes code, we can immediately identify problems,” said Logan Weber, Software Automation Engineer at Airbus Defense and Space, Intelligence.

Features that enable higher code quality

Powerful GitLab Premium features like Multiple Approvers for Merge Requests, Code Quality checks, and Protected Branches, enable companies to innovate faster than their competitors.

By reducing review cycle times while strengthening code integrity and compliance, DevSecOps teams address both the technical debt and security vulnerability challenges that plague traditional approaches. These security benefits help teams like AirBus Intelligence develop faster, more secure solutions.

Why enhanced compliance controls matter

The implementation of effective code compliance strategies is constantly evolving due to changing regulations, and keeping up with these regulations is a challenge for most companies.

By developing code compliance strategies and automated control mechanisms, companies ensure that quality and compliance policies are met.

For Airbus Intelligence, security and vulnerability scans built into integration testing enabled teams to catch security and compliance issues earlier in the process.

Continuous integration gives teams visibility into more projects and allows all team members to manage deployments. Expanded access controls improve cross-team collaboration and accountability.

Features that increase accountability

GitLab Premium's advanced compliance controls create an unbroken chain of accountability throughout the development process, enabling organizations to systematically track and validate every code change.

Users have greater auditability of any change and can track commits. This is in addition to strict access controls that provide specific people with the ability to push and merge changes. With audit logs, users can track and review changes and activities within the repository.

Ship software faster with GitLab Premium

“It’s simple. All teams operate around this one tool. Instantly, that made communication easier. We wouldn’t be where we are today if we didn’t have GitLab in our stack,” according to Airbus' Weber.

GitLab Premium represents more than just a tool — it's a comprehensive approach to software engineering that empowers development teams to deliver high-quality, secure, and efficient software solutions.

Discover why customers are upgrading to GitLab Premium.

About Alexander (ahacker1)

Alexander is passionate about hacking complex SaaS applications, with a particular interest in authorization-based vulnerabilities. Currently, he's focusing on SAML and SSO research. His hacking journey began during the Covid-19 pandemic, when he transitioned from gaming to exploring game hacks and easter eggs.

Highlights from the AMA

Here are some of the questions AMA attendees asked Alexander, and his responses.

What are the tools you use in your research?

I use RubyMine as my IDE, as I find it helps with analyzing code. You can jump to different parts of the code, and that helps with efficiency and allows you to search quickly and determine interesting behavior. I used to just use BurpSuite, but not so much anymore. I mainly focus on using JetBrains to review repositories on GitLab.

Have you explored using AI to assist in finding and/or exploiting vulnerabilities?

Yes! When I learn about a new feature or subject, I may ask ChatGPT how it works. It may give some insights or leads – when I do SAML research I use it.

Tell us about moving into SAML and the experience of finding the awesome bugs in that area.

SAML is like a SaaS application within a SaaS application. There's a 100-page document on how SAML works, offering infinite possibilities. I focus on code analysis, reviewing the approximately 20 libraries available. While hacking SAML can be time-consuming due to setup and configuration, the payoff can be significant.

What’s next after SAML? Will you keep digging?

I will fix SAML. I want to fix libraries. Not sure what’s next - maybe SSO stuff!

Alexander's tips for the GitLab Bug Bounty Program

Alexander offered the following advice for those interested in GitLab's Bug Bounty Program:

1. Leverage GitLab's open source nature for code analysis.
2. Study patch releases to learn reverse-engineering techniques.
3. Review GitLab's public issues and disclosed reports for insights.

Getting to know our hacker

What do you do when you don't hack?

I play games, I also go out on walks and explore nature/hike. It’s a nice break from sitting at the computer.

How long do you think you would survive in a zombie apocalypse?

Not long. Without the internet, I don’t think I'd be able to adapt.

Is cereal a type of soup?

It most definitely is. It has both liquid and food in it.

Watch the replay

For those interested in the full AMA, check out the YouTube live playback.

<!-- blank line --> <figure class="video_container"> <iframe src="https://www.youtube.com/embed/EPV0eNOOfv4?si=byNqXWKZzZLXfLfW" title="GitLab Ask a Hacker AMA with Alexander Siyou Tan (@ahacker1)" frameborder="0" allowfullscreen="true"> </iframe> </figure> <!-- blank line -->

We extend our gratitude to all participants and, of course, to Alexander for sharing his insights. Keep up with Alexander's latest activities on his HackerOne profile.

More "Ask a Hacker" AMAs

• Ask a hacker - 0xn3va
• Ask a hacker - ajxchapman
• Ask a hacker - rpadovani

About the GitLab Bug Bounty Program

The GitLab Bug Bounty Program aims to enhance the security of our products and services. Managed by our Application Security team, the program has achieved significant milestones since its public launch in December 2018, including:

• Resolved 1,684 reports
• Awarded over $4.7 million in bounties
• Thanked 655 hackers for their findings

Learn more about the GitLab Bug Bounty Program.

This tutorial focuses on a specific example of modernizing a simple C++ application to Java by refactoring it with the help of GitLab Duo, our suite of AI capabilities, and shows how much time and effort you can save in the migration.

Understanding the simple C++ application

Let’s make the assumption that we have been tasked with the migration of a C++ application to a memory safe language, namely Java. The C++ application can be found in the following project (thank you to @sugaroverflow for contributing this sample application):

https://gitlab.com/gitlab-da/use-cases/ai/ai-applications/refactor-to-java/air-quality-application

Since this is the first time we are seeing this application, let’s invoke GitLab Duo Code explanation to better understand what it does. We open file main.cpp in Visual Studio Code and select the entirety of this file. We then right-click and select GitLab Duo Chat > Explain selected snippet from the popup menu.

The GitLab Duo Chat window opens up and the slash command /explain is executed for the selected code. Chat returns a very thorough and detailed description and explanation in natural language form of what each function does in the file as well as examples on how to run the compiled program.

In short, the simple C++ application takes a U.S. zip code as input and returns the air quality index for that zip code.

Compiling and running the C++ application

To further understand this simple C++ application, we proceed to compile and run it. We could have asked Chat how to do this, however, the project has a README file that provides the commands to compile the project, so we go ahead and use those by entering them in the Terminal window of VS Code.

After the compilation finishes, we change directory to the build subdirectory in the project, which is where the compilation process places the executable file for this application. Then, we run the executable by entering the following command:

./air_quality_app 32836

And we see the response as follows:

Air Quality Index (AQI) for Zip Code 32836: 2 (Fair)

This confirms to us that the application was successfully compiled and it’s executing appropriately.

Refactoring the application to Java

Let’s start migrating this C++ application to Java. We take advantage of GitLab Duo Chat and its refactoring capabilities by using the slack command /refactor. We qualify the slash command with specific instructions on what to do for the refactoring. We enter the following command in the Chat input field:

/refactor this entire application to Java. Provide its associated pom.xml to build and run the Java application. Also, provide the directory structure showing where all the resulting files should reside for the Java application.

Chat returns a set of Java files that basically refactor the entire C++ application to the memory safe language. In addition and per the prompt, Chat returns the pom.xml file, needed by maven for the building and execution of the refactored application as well as its directory structure, indicating where each generated file should reside.

We copy and save all the generated files to our local directory.

Creating the Java project

In VS Code, we now proceed to open an empty project in which we will set up the directory structure of the new Java application and its contents.

We create all the previously generated Java files in their corresponding directories in the new project and paste their contents in each.

Lastly, we save all the files to our local disk.

Asking for help to build and run the Java application

At this point, we have an entire Java application that has been refactored from C++. Now, we need to build it but we don’t quite remember what maven command we need to use to accomplish this.

So we ask GitLab Duo Chat about this. We enter the following prompt in the Chat input field:

How do you build and run this application using maven?

Chat returns with a thorough explanation on how to do this, including examples of the maven command to build and run the newly created Java application.

Building and running the Java application

GitLab Duo Chat understands the application and environment context and responds that we first need to create an environment variable called API_KEY before we can run the application.

It also provides the maven command to execute to build the application, which we enter in the Terminal window:

mvn clean package

Once the build finishes successfully, we copy the generated command to run the application from the Chat window and paste it in the Terminal window:

java -jar target/air-quality-checker-1.0-SNAPSHOT-jar-with-dependencies.jar 90210

The application successfully executes and returns the string:

Air Quality Index (AQI) for Zip Code 90210: 2 (Fair)

We have confirmed that the modernized version of the application, now refactored in Java, runs just like its original C++ version.

Watch this tutorial in action

We have seen that by leveraging the power of GitLab Duo in your modernization activities, you can save a great deal of time and effort, freeing you to spend more time innovating and creating value to your organization.

Here is a video to show you, in action, the tutorial you just read:

<!-- blank line --> <figure class="video_container"> <iframe src="https://www.youtube.com/embed/LJ7GOr_P0xs?si=_ZjF75DAXEQnY2Mn" frameborder="0" allowfullscreen="true"> </iframe> </figure> <!-- blank line -->

Want to get started with GitLab Duo? Start a free, 60-day trial today!

Learn more

• Refactor code into modern languages with AI-powered GitLab Duo
• Secure by Design principles meet DevSecOps innovation in GitLab 17
• How to secure memory-safe vs. manually managed languages

Situations we encountered and how we handled them

Overall, we were pleased with the results using GitLab Duo to generate tests on our code. As is the case with any language generation, some cases required minor adjustments such as fixing import paths or editing contents in datasets. For the more complex cases, we had to remember that AI solutions often lack context. Here's how we handled the more complex testing situations with GitLab Duo.

Updating existing test cases

As is often the case when developing a software product, we encountered instances that required updates to existing tests. Rather than manually making adjustments to a full test suite for a common issue, we took full advantage of the GitLab Duo Chat window in VS Code. For example, to refactor tests, we used the Chat prompt “Please update the provided tests to use unittest rather than pytest” followed by pasting in the tests we wanted GitLab Duo to update.

<br></br>

Note: We copy-and-pasted GitLab Duo's recommendations into our code.

Creating tests for legacy code

Creating tests for legacy code we knew worked was another challenging situation we encountered. In such circumstances, it was valuable to provide error snippets alongside failing tests and ask GitLab Duo to provide new tests. A full copy-and-paste from the terminal window of noted failures and errors to Chat, along with a request to “Please explain and fix this failing test” or similar prompts, yielded a summary of the issues the test was encountering as well as a new test addressing the problem. We did find this sometimes required multiple rounds of refactoring as new test failures were identified. However, the efficiency of GitLab Duo to provide various refactored solutions was fast and a net positive on team and developer efficiency.

Working with complex or abstracted code

In other instances, the modularization or complexity of our code led to variance in GitLab Duo’s results. For instance, when generating tests, GitLab Duo sometimes generated a series of passing and failing tests caused by differences in testing approach (e.g. usage of Mock and which objects were mocked). We provided GitLab Duo its own example of a passing test and asked it to modify individual tests one at a time to match the style of the passing tests to maintain consistency. We also would provide GitLab Duo a file of functioning tests for a similar object or task so it could mirror the structure.

Ensuring generated code follows our standards

While developing a Python module, GitLab Duo generated many tests using Mock and often they required refactoring, particularly around naming standardization. In such cases, we could leverage GitLab Duo Chat to refactor tests with instructions as to which specific test components to update. Prompting GitLab Duo for these changes was immensely faster than refactoring tests individually, as we had previousy done.

Addressing uncovered test cases

GitLab Duo generated tests for additional test cases the team had not previously considered, thus increasing coverage. Luckily, we could use GitLab Duo to quickly and efficiently address these edge cases and expand testing coverage, which is a key value-add for our team to build quickly and ensure a robust product.

What we learned

Here are few key lessons that have been important to our success with GitLab Duo:

• Fast and efficient for rapid development and iteration - GitLab Duo’s role in generating automated tests has been a key accelerator in development for our team and allowed us to work faster and with greater confidence in our changes.
• Important to use appropriate prompts - When using GitLab Duo for our use case, we touched on a key topic for machine learning optimization: prompt engineering. Sometimes we needed to modify our question by just a few keywords to lead to the ideal generated answer.
• Need understanding of underlying frameworks and code - When it comes to any AI-generated code that makes it into a product, even if only as testing, it’s critical that we understand how the code functions so we can adequately debug as well as request informed changes.
• Need understanding of desired end state and standards - Similar to following coding standards for formatting and library usage while developing without AI, it’s important to maintain the vision of what the intended outcomes look like and what standards are being adhered to when using AI. GitLab Duo needs the context to understand code standards, so it’s critical for team members using GitLab Duo to provide adequate oversight of its outputs to ensure quality and other expectations are met.
• GitLab Duo is not a replacement for all tests - While we use GitLab Duo significantly for generating automated tests, it does not replace our other tests and human oversight. Functional tests, integration tests, and more still serve a valuable place in the QA process and overall software development lifecycle.

In our next article in this series, we’ll cover a test we ran to validate the impact of GitLab Duo on our team’s automated testing and discuss the impressive results we have achieved thus far.

Whether you own event-driven, long-running services or deploy containerized jobs to process data, Google Cloud Run automatically scales your containers up and down from zero — this means you only pay when your code is running.

If you are a PHP developer who would like to deploy your application with minimal effort to Google Cloud Platform, this guide will show you how using the GitLab Google Cloud Run integration.

Overview

• Create a new project in GitLab
• Set up your PHP application
• Utilizing the Google Cloud integration, create a Service account
• Utilizing the Google Cloud integration, configure Cloud Run via merge request
• Try adding another endpoint
• Clean up

Prerequisites

• Owner access on a Google Cloud Platform project
• Working knowledge of PHP, an open-source, general-purpose scripting language
• Working knowledge of GitLab CI
• 10 minutes

1. Create a new project in GitLab.

We decided to call our project PHP cloud-run for simplicity.

Then, create an index.php apphttps://gitlab.com/demos/templates/php-cloud-run/-/blob/main/index.php.

<?php

$name = getenv('NAME', true) ?: 'World';
echo sprintf('Hello %s!', $name);

2. Utilizing the Google Cloud integration, create a Service account.

Navigate to Operate > Google Cloud > Create Service account.

Then configure the region you would like the Cloud Run instance deployed to.

3. Utilizing the Google Cloud integration, configure Cloud Run via merge request.

This will open a merge request. Immediately merge this merge request.

Note: GCP_PROJECT_ID, GCP_REGION, GCP_SERVICE_ACCOUNT, and GCP_SERVICE_ACCOUNT_KEY will all be automatically populated from the previous steps.

Check your pipeline and you will see you have successfully deployed to Google Cloud Run utilizing GitLab CI.

<br></br>

4. Click the Service URL to view your newly deployed Flask server.

In addition, you can navigate to Operate > Environments to see a list of deployments for your environments.

By clicking on the environment called main, you’ll be able to view a complete list of deployments specific to that environment.

5. Add another endpoint

To get started with developing your PHP application, try adding another endpoint. For example, in your main file, you can add a /bye endpoint like this:

<?php

$name = getenv('NAME', true) ?: 'World';

if ($_SERVER['REQUEST_URI'] == '/bye') {
    echo sprintf('Goodbye %s!', $name);
} else {
    echo sprintf('Hello %s!', $name);
}

Push the changes to the repo, and watch the deploy-to-cloud-run job deploy the updates. Once the job is complete, go back to the Service URL and navigate to the /bye endpoint to see the new functionality in action.

Clean up

To prevent incurring charges on your Google Cloud account for the resources used in this tutorial, you can either delete the specific resources or delete the entire Google Cloud project. For detailed instructions, refer to the cleanup guide here.

Check out more easy-to-follow tutorials from our Solutions Architecture team.

How the GitLab open-core model supports translators

While this community collaboration is powerful, translators often face a crucial challenge: understanding the full context of the text that they are translating.

Great translation isn't just about converting words – it's about preserving meaning, intent, and usability in a target language. Software translation requires a unique blend of skills. Great translators usually specialize in multiple linguistic domains as well as the technical domain of the product itself. They perform myriad translation-adjacent tasks such as:

• ensuring accuracy and consistency of technical terminology
• creating new glossary terms for new concepts
• adhering to the style and tone
• navigating the complexity of CLDR pluralization rules
• understanding the translatability of composite messages and how to provide feedback to improve the source by making it localizable

Translators spend lots of time researching context, asking questions, and reading GitLab product documentation. Without proper context, even simple phrases can be mistranslated, potentially confusing or disrupting user workflows. What sets GitLab apart is its open-core model, which allows translators to access most of the product development context directly at the source. This transparency empowers them to actively contribute as true co-creators of the GitLab global product.

Introducing our new context-enhancement feature

To support these needs and empower translators with context, GitLab has developed a new feature: we now embed into each translatable string a contextual link (more specifically, a link to our global in-product search) that lets translators locate all instances of that string in the codebase. These links allow translators to rely on Git blame to trace every string's history – from its current location in code, through commits in merge requests, and all the way up to the original planning discussions.

For example, when you are translating Rotate, the AccessTokens| namespace suggests that the context is, well, access tokens. However, there is no additional visual context for what Rotate means, and translators are left to wonder, guess, and provide the best possible assumption in a target language.

With the new context enhancement, here is what translators are now able to do:

1. Click the URL in the See where this string is used in code section.

2. Review the result of the code search, and click the View blame icon:

3. Follow the link with the relevant merge request (Introduce rotation of personal tokens in UI):

4. On the Commits page, follow the link to the actual merge request:

5. Watch the screen recording that the software engineer added to the merge request:

6. Research even further by going to:
   a. The linked issue Introduce renew expired token capability in UI or its parent epic Rotate Token through the UI:

b. The related merge request that updates the GitLab product documentation:

All these research steps will lead translators to better understand the technical concept of access token rotation and why the token rotation functionality was added, how it works, and what problem it solves for users.

With this rich research trail, translators get the maximum amount of context that will help provide the technically accurate and linguistically correct translation for the seemingly simple word Rotate.

This approach goes far beyond traditional translation aids like providing screenshots or exploring the product user interface. Translators can now fully understand the context by:

• deriving context from paths and naming conventions used in code
• viewing screenshots or video recordings that are added to original merge requests
• reading original planning and development discussions
• following the engineering, copywriting, and product management decision-making process that has led to specific wording

More AI-powered contextual features coming up

The GitLab Localization team isn't stopping here. We are working on more context-enhancement features, including AI-powered tools to help translators understand string usage and placement. Imagine a system where translators could interact with an agent by asking questions or proactively receiving immediate code-aware responses about where and how strings are used in the product UI.

Join our community on Crowdin as a translator or a proofreader, try these new context features, and let us know how we can make the translation experience and our product even better.

Sid: On today’s earnings call, I announced that I am stepping down as CEO and will remain Executive Chair of the Board. I also introduced GitLab’s new CEO, Bill Staples.

As a Board, we routinely do succession planning. This includes conversations with a number of top executives. We’ve been having these conversations in greater earnest since my cancer returned. Through these discussions, we identified someone uniquely qualified to lead GitLab. I want more time to focus on my cancer treatment and health. My treatments are going well, my cancer is not metastatic, and I'm working towards making a full recovery. Stepping down from a role that I love is not easy, but I believe that it is the right decision for GitLab.

I couldn't be more excited to introduce you to Bill Staples, who will be leading GitLab into its next chapter. Bill will be GitLab’s CEO, effective today. He will also join the GitLab Board as a Director. Bill was most recently a public company CEO at New Relic. During his time there, he significantly increased the value of the company by accelerating revenue and driving increased profitability. He also brings decades of experience in leadership roles at Adobe and Microsoft. When I began speaking with Bill, I was immediately drawn to his customer-centric approach and deep product expertise. As I got to know him further, I knew that his shared value system made him the right person for this role, for our team members, for our customers, and for our shareholders. I feel fortunate that GitLab has found someone with a great leadership track record and strong DevOps expertise to lead GitLab into the future.

We have come so far from the early days when we launched GitLab.com. We have created the DevOps category and are the leader in the Gartner Magic Quadrant for both vision and execution. Millions of people now use GitLab to deliver software faster and more efficiently. We have integrated AI, Security, and Compliance into our platform to offer our enterprise customers the strongest AI-powered DevSecOps solution. We have also built GitLab in collaboration with our contributors. Last quarter, we had an all-time high of an estimated 1,800 code contributions from the wider community. It is incredible that as GitLab grew, our contributor community grew with us. We have done all of this while being a values-driven company, leading in all-remote work, championing transparency through our public handbook and culture, and co-creating with the wider community.

I feel many things today, but more than anything else, I am grateful. I want to thank our customers. Driving results for them has been at the core of GitLab’s values, and I greatly appreciate their trust in us. I want to thank the wider GitLab community for their trust and enthusiasm. Their tens of thousands of contributions have greatly enhanced GitLab and its value for all users. Thank you, GitLab team members. Your contributions are at the core of GitLab’s success and the value we drive for our customers. Thank you, E-Group. You are amazing partners and collaborators in leading GitLab and our team members to achieve our very best. Thank you, GitLab Board. I have appreciated your support throughout my time as CEO and look forward to our ongoing partnership as I continue to serve as Executive Chair. And, thank you, Bill. I am excited for you to lead our next phase of growth. I am here to support you and the company in GitLab’s next chapter!

I couldn't be more thrilled about Bill and what's ahead for GitLab with him at the helm. We have an incredible opportunity in front of us. Software has never mattered more, and GitLab is well-positioned to be the platform that best enables folks to create, secure, and operate it. I look forward to staying part of the company and being actively involved wherever Bill can use me.

Bill: Thanks, Sid, for the warm welcome! I greatly admire you and what you have accomplished. Very few people in the world have built a $10B market-cap technology company, taken it public, and scaled it to $750M in run-rate revenue. You have done incredible things with GitLab, and I’m grateful you will continue to play a meaningful role in the company. I appreciate your trust in me and commit to building upon the successes you and others should rightfully celebrate.

I am so excited about GitLab and the opportunity ahead of us. Over the coming decade, we will see software-driven transformation around the world as AI accelerates and transforms the software revolution already in motion. GitLab and our mission are going to be more important than ever. I look forward to working with this team to scale GitLab well beyond where it is today.

Here are 5 key highlights:

1. AI adoption trends from the field

Our field CTOs shared insights on how organizations are embracing AI across their development workflows. For instance, Field CTO Cherry Han highlighted how financial organizations are thinking beyond individual developer tools.

<div style="padding:56.25% 0 0 0;position:relative;"><iframe src="https://player.vimeo.com/video/1035388263?badge=0&autopause=0&player_id=0&app_id=58479" frameborder="0" allow="autoplay; fullscreen; picture-in-picture; clipboard-write" style="position:absolute;top:0;left:0;width:100%;height:100%;" title="Ai Adoption Trends from the Field"></iframe></div><script src="https://player.vimeo.com/api/player.js"></script>

<br></br> Andrew Hasker, Field CTO for Asia Pacific and Japan, offered valuable perspective on AI adoption.

<div style="padding:56.25% 0 0 0;position:relative;"><iframe src="https://player.vimeo.com/video/1035388277?badge=0&autopause=0&player_id=0&app_id=58479" frameborder="0" allow="autoplay; fullscreen; picture-in-picture; clipboard-write" style="position:absolute;top:0;left:0;width:100%;height:100%;" title="From Field CTOs"></iframe></div><script src="https://player.vimeo.com/api/player.js"></script>

2. Security coverage that makes a difference

Staff Developer Advocate Fernando Diaz demonstrated how GitLab's security scanners cover the complete application lifecycle, showing how easy it is to implement comprehensive security scanning with just a few lines of code.

<div style="padding:56.25% 0 0 0;position:relative;"><iframe src="https://player.vimeo.com/video/1035388297?badge=0&autopause=0&player_id=0&app_id=58479" frameborder="0" allow="autoplay; fullscreen; picture-in-picture; clipboard-write" style="position:absolute;top:0;left:0;width:100%;height:100%;" title="Security Coverage"></iframe></div><script src="https://player.vimeo.com/api/player.js"></script>

3. AI-powered language migration made simple

In an impressive demonstration, Senior Technical Marketing Manager Cesar Saavedra showed how GitLab Duo can assist in migrating applications between programming languages.

<div style="padding:56.25% 0 0 0;position:relative;"><iframe src="https://player.vimeo.com/video/1036170482?badge=0&autopause=0&player_id=0&app_id=58479" frameborder="0" allow="autoplay; fullscreen; picture-in-picture; clipboard-write" style="position:absolute;top:0;left:0;width:100%;height:100%;" title="AI-Powered Language Migration Made Simple"></iframe></div><script src="https://player.vimeo.com/api/player.js"></script>

4. Making DevSecOps work smarter

Developer Advocate Abubakar Siddiq Ango showcased how GitLab's triage features can automate routine tasks. <div style="padding:56.25% 0 0 0;position:relative;"><iframe src="https://player.vimeo.com/video/1035388290?badge=0&autopause=0&player_id=0&app_id=58479" frameborder="0" allow="autoplay; fullscreen; picture-in-picture; clipboard-write" style="position:absolute;top:0;left:0;width:100%;height:100%;" title="Making DEvOps Work Smarter"></iframe></div><script src="https://player.vimeo.com/api/player.js"></script>

5. Community contributions making an impact

Director of Contributor Success Nick Veenhof shared how community contributions are shaping GitLab's development: <div style="padding:56.25% 0 0 0;position:relative;"><iframe src="https://player.vimeo.com/video/1035395211?badge=0&autopause=0&player_id=0&app_id=58479" frameborder="0" allow="autoplay; fullscreen; picture-in-picture; clipboard-write" style="position:absolute;top:0;left:0;width:100%;height:100%;" title="Community Contributions Making an Impact"></iframe></div><script src="https://player.vimeo.com/api/player.js"></script>

Watch on-demand

Watch the complete broadcast recording for step-by-step demonstrations and insights from our experts. Also, be sure to follow GitLab on LinkedIn to stay up to date on our monthly broadcasts and get insights into our platform, DevSecOps, and software development.

• managing infrastructure
• maintaining the configuration of resources
• maintaining CI/CD pipelines
• automating processes for efficiency
• maintaining monitoring and alerting systems
• ensuring applications are securely built and deployed
• modernizing applications with containerization

To carry out these tasks, DevOps engineers spend a lot of time reading documentation, writing configuration files, and searching for help in forums, issues boards, and blogs. Time is spent studying and understanding concepts, and how tools and technologies work. When they don't work as expected, a lot more time is spent investigating why. New tools are released regularly to solve niche or existing problems differently, which introduces more things to learn and maintain context for.

GitLab Duo, our AI-powered suite of capabilities, fits into the workflow of DevSecOps engineers, enabling them to reduce time spent solving problems while increasing their efficiency.

Let's explore how GitLab Duo helps streamline workflows.

Collaboration and communication

Discussions or requests for code reviews require spending time reading comments from everyone and carefully reviewing the work shared. GitLab Duo capabilities like Discussion Summary, Code Review Summary, and Merge Request Summary increase the effectiveness of collaboration by reducing the time required to get caught up on activities and comments, with more time spent getting the actual work done.

Merge Request Summary

Writing a detailed and clear summary of the change a merge request introduces is crucial for every stakeholder to understand what, why, and how a change was made. It's more difficult than it sounds to effectively articulate every change made, especially in a large merge request. Merge Request Summary analyzes the change's diff and provides a detailed summary of the changes made.

<!-- blank line --> <figure class="video_container"> <iframe src="https://www.youtube.com/embed/4muvSFuWWL4?si=1i2pkyqXZGn2dSbd" title="GitLab Duo Chat is now aware of Merge Requests" frameborder="0" allowfullscreen="true"> </iframe> </figure> <!-- blank line -->

Discussion Summary

Imagine getting pulled into an issue with more than 100 comments and a lengthy description, with different perspectives and opinions shared. GitLab Duo Discussion Summary summarizes all the conversations in the issue and identifies tasks that need to be done, reducing time spent.

<!-- blank line --> <figure class="video_container"> <iframe src="https://www.youtube.com/embed/IcdxLfTIUgc?si=WXlINow3pLoKHBVM" title="GitLab Duo Dicussion Summary" frameborder="0" allowfullscreen="true"> </iframe> </figure> <!-- blank line -->

Code Review Summary

A merge request has been assigned to a DevOps engineer for review in preparation for deployment, and they have spent time reviewing several parts of the change with multiple comments and suggestions. When submitting a review, a text box is presented to summarize the review, which often requires taking a pause and articulating the review. With Code Review Summary, they get a concise summary automatically drafted leading to efficiency.

Manage infrastructure changes

Part of a DevOps engineer's workflow is managing infrastructure changes. Infrastructure as code (IaC) revolutionized this process, allowing for documentation, consistency, faster recovery, accountability, and collaboration. A challenge with IaC is understanding the requirements and syntax of the chosen tool and provider where the infrastructure will be created. A lot of time is then spent reviewing documentation and tweaking configuration files until they meet expectations.

With GitLab Duo Code Explanation and Code Suggestions, you can prompt GitLab Duo to create configuration files in your tool of choice and learn about the syntax of those tools. With Code Suggestions, you can either leverage code generation, where you prompt GitLab Duo to generate the configuration, or code completion, which provides suggestions as you type while maintaining the context of your existing configurations.

As of the time this article was published, Terraform is supported by default with the right extensions for your IDEs. Other technologies can be supported with additional language support configuration for the GitLab Workflow extension.

Where a technology is not officially supported, GitLab Duo Chat is the powerful AI assistant that can help generate, explain, clarify, and troubleshoot your configuration, while maintaining context from selected text or opened files. Here are two demos where GitLab Duo helped create IaC with Terraform and AWS CloudFormation.

<!-- blank line --> <figure class="video_container"> <iframe src="https://www.youtube.com/embed/saa2JJ57UaQ?si=Bu9jyQWwuSUcw8vr" title="Manage your Infrastructure with Terraform and AI using GitLab Duo" frameborder="0" allowfullscreen="true"> </iframe> </figure> <!-- blank line -->

<br></br>

<!-- blank line --> <figure class="video_container"> <iframe src="https://www.youtube.com/embed/KSLk2twXqiI?si=QDdERjbM0f7X2p23" title="Deploying AWS Lambda function using AWS Cloudformation with help from GitLab Duo" frameborder="0" allowfullscreen="true"> </iframe> </figure> <!-- blank line -->

Configuration management

Once your infrastructure is up, GitLab Duo Chat can also help create configuration files and refactor existing ones. These can be Ansible configurations for infrastructure or cloud-native configurations using Docker, Kubernetes, or Helm resource files. In the videos below, I demonstrate how GitLab Duo helps with Ansible, containerization, and application deployment to Kubernetes.

<!-- blank line --> <figure class="video_container"> <iframe src="https://www.youtube.com/embed/t6ZCq_jkBwY?si=awCUdu1wCgOO21XR" title="Configuring your Infrastructure with Ansible & GitLab Duo" frameborder="0" allowfullscreen="true"> </iframe> </figure> <!-- blank line -->

<br></br>

<!-- blank line --> <figure class="video_container"> <iframe src="https://www.youtube.com/embed/KSLk2twXqiI?si=QDdERjbM0f7X2p23" title="Containerizing your application with GitLab Duo" frameborder="0" allowfullscreen="true"> </iframe> </figure> <!-- blank line -->

<br></br>

<!-- blank line --> <figure class="video_container"> <iframe src="https://www.youtube.com/embed/uroSxvMFqPU?si=GMNC7f2b7i_cjn6F" title="Deploying your application to Kubernetes with Help from GitLab Duo" frameborder="0" allowfullscreen="true"> </iframe> </figure> <!-- blank line -->

<br></br>

<!-- blank line --> <figure class="video_container"> <iframe src="https://www.youtube.com/embed/9yGDM00RlUA?si=kE5JZD_OEFcxeR7E" title="Deploying to Kubernetes using Helm with help from GitLab Duo" frameborder="0" allowfullscreen="true"> </iframe> </figure> <!-- blank line -->

Test, test, test

Writing tests is an important part of building secure software, but it can be a chore and often becomes an afterthought. You can leverage the power of GitLab Duo to generate tests for your code by highlighting your code and typing the /tests in the Chat panel of your IDE.

<!-- blank line --> <figure class="video_container"> <iframe src="https://www.youtube.com/embed/zWhwuixUkYU?si=wI93j90PIiUMyGcV" title="GitLab Duo Test Generation" frameborder="0" allowfullscreen="true"> </iframe> </figure> <!-- blank line -->

CI/CD pipeline troubleshooting

Automation is an essential part of the DevOps engineer's workflow, and Continuous Integration/Deployment (CI/CD) is central to this. You can trigger CI jobs on code push, merge, or on schedule. But, when jobs fail, you spend a lot of time reading through the logs to identify why, and for cryptic errors, it can take more time to figure out. GitLab Duo Root Cause Analysis analyzes your failed job log and errors, and then recommends possible fixes. This reduces the time spent investigating the errors and finding a fix.

<!-- blank line --> <figure class="video_container"> <iframe src="https://www.youtube.com/embed/Sa0UBpMqXgs?si=IyR-skz9wJMBSicE" title="GitLab Duo Root Cause Analysis" frameborder="0" allowfullscreen="true"> </iframe> </figure> <!-- blank line -->

Building secure applications

Part of software development includes discovering vulnerabilities, either in the application or its dependencies. Some vulnerabilities are easy to fix, while others require creating a milestone with planning. GitLab Duo Vulnerability Explanation and Vulnerability Resolution reduce the time spent researching and fixing vulnerabilities. Vulnerability Explanation explains why a vulnerability is happening, its impact, and how to fix it, helping the DevOps engineer to upskill. Vulnerability Resolution takes it further – instead of just suggesting a fix, it creates a merge request with a fix for the vulnerability for you to review.

<!-- blank line --> <figure class="video_container"> <iframe src="https://www.youtube.com/embed/MMVFvGrmMzw?si=Fxc4SeOkCBKwUk_k" title="GitLab Duo Vulnerability Explanation" frameborder="0" allowfullscreen="true"> </iframe> </figure> <!-- blank line -->

<br></br>

<!-- blank line --> <figure class="video_container"> <iframe src="https://www.youtube.com/embed/VJmsw_C125E?si=XT3Qz5SsX-ISfCyq" title="GitLab Duo Vulnerability resolution" frameborder="0" allowfullscreen="true"> </iframe> </figure> <!-- blank line -->

More work done with less stress

With GitLab Duo, DevOps engineers can do more work deploying and maintaining secure applications, while acquiring more skills with the detailed responses from GitLab Duo Chat.

Sign up for a free 60-day trial of GitLab Duo to get started today!