* Posts by whaber

4 publicly visible posts • joined 7 Oct 2020

GitLab scans its customers' source code, finds it's as fragile as you'd expect

whaber

Re: Public?

A great place to store secrets is Hashicorp Vault which is integrated into GitLab: https://docs.gitlab.com/ee/ci/examples/authenticating-with-hashicorp-vault/

There are other good places too of course.

whaber

TLDR: Yes

The maintainers of the projects that were scanned set up the scanning themselves. The vulnerabilities can be viewed by the developers in the security dashboards: https://docs.gitlab.com/ee/user/application_security/security_dashboard/

whaber

Re: Public?

Security scans in GitLab are configured by the project maintainers on a per-project basis. https://docs.gitlab.com/ee/user/application_security/

The security scanning features are (for the most part) free for use by open-source projects (and a paid feature for private and customer self-hosted projects).

whaber

Re: Public?

"Data sources

The trends report's underlying data is sourced from projects hosted on GitLab.com and does not include data from our self-managed customers. It is comprised of medium or higher severity vulnerabilities appearing in five or more projects that occurred between September 2019 and October 2020. All project-specific data was anonymized."