Announcing GitLab support: Empower developers to secure everything they code in GitLab
Published July 10, 2024.
Today, I’m thrilled to announce Jit’s full support for GitLab, which will significantly expand our ability to execute our mission to empower every developer to secure everything they code. This new integration will provide all of the same benefits that we’ve been delivering to our customers on GitHub for years, including:
Making it easy for developers to consistently and independently resolve security issues before production: Jit provides immediate feedback on the security of every code change for developers within their IDE or SCM, making continuous security easy to adopt into development cycles. Our Context Engine understands how each finding is executed in runtime, which immediately helps developers understand the significance of each issue.
An all-in-one platform for product security: full product security coverage requires many separate tools, like SAST, SCA, secrets detection, IaC scanning, and much more. Jit consolidates these code and cloud scanners onto a single platform that can be rolled out across projects in a few clicks, reducing costs and making many tools feel like one.
Alignment between security and business objectives: all of Jit's Security Plans, which tie security controls to business objectives like passing a SOC2 audit or adhering to the OWASP ASVS framework, will be fully supported.
Seamlessly adjust tooling as requirements change: easily integrate tools with Jit’s open orchestration framework, which unifies the execution and UX of open-source, commercial, and cloud-native tools.
If you’re on GitLab, check out the guidelines below to quickly realize these benefits.
How to get started with Jit on GitLab
Begin by hitting “Start free” on our website and creating a new account. This will bring you to our Quick Start page, where you can select “GitLab” to configure the integration.
Connect Jit with your GitLab Groups
Installing the Jit app on your GitLab account enables one-click activation for our code security scanning tools. Start by clicking on the GitLab icon, which will take you to GitLab, where you can install the Jit app for your account. This will enable Jit scans to run locally on your GitLab instance, without pulling any code to our cloud.
Next, choose the GitLab groups that contain the resources you want to scan with Jit.
Now choose a dedicated project to store Jit’s config files. You can edit these files directly to manage Jit’s DevSecOps tooling and processes entirely as code. Now we can add the projects we want to scan.
By hitting “Select Projects”, you’ll see the option to select any project within the group you selected. Check the “Group” box to select all the projects within the group. Hit “Update”.
At this point, we’ve set up the configuration with GitLab to enable one-click activation for any security control supported by Jit (and if you have a preferred security control not supported by Jit, we can integrate it into Jit’s orchestration framework for you).
Activate Jit controls to begin scanning
Go to the “Security Plans” tab to begin activating your desired controls. In the example below, you’ll see our application security controls, which include Static Application Security Testing (SAST), Software Composition Analysis (SCA), secrets detection, open source license checks, and Software Bill of Materials (SBOM).
Simply hit “Activate” for each control, which will automatically do two things:
Scan all selected projects: all results will show up in Jit’s Backlog tab, which prioritizes issues based on their runtime context, like whether they’re in production or accessible via the internet.
Enable continuous scanning: Jit will automatically scan every merge request initiated by a developer to the covered repos. Jit knows which code is being merged, and will execute the relevant scanner accordingly (e.g. Jit won’t scan JavaScript code with our IaC code scanner). This provides developers with immediate feedback on the security of every code change, entirely within GitLab, so they never need to leave their environment to surface and resolve vulnerabilities.
The example above shows our application security controls, but we also support IaC scanning, K8s manifest file scanning, Cloud Security Posture Management (CSPM), Dynamic Application Security Testing (DAST), Dockerfile scanning, and CI/CD pipeline scanning.
Getting started
With all the enthusiasm for Jit’s unique developer experience and Security Plans for teams on GitHub, we’re happy to now include our friends on GitLab. Stay tuned for support for other Source Code Managers in the future.
Looking to try Jit for GitLab yourself? Check out our free trial or request a demo.