August 2021 Summaries
14 posts from GitLab
Filter
Month:
Year:
Post Summaries
Back to Blog
Recent cyberattacks on companies like SolarWinds, Codecov, and Kaseya highlight vulnerabilities in software build pipelines, as attackers increasingly target development infrastructure rather than just the software itself. This trend underscores the need for enhanced security measures in development, testing, and delivery processes. Companies such as Venafi and GitLab are collaborating to bolster the security of software supply chains by advocating for practices like code signing, which verifies the authenticity and integrity of software artifacts. Code signing, when integrated into existing tools like GitLab, can provide a convenient way for developers to ensure only authorized and verified code is used, thereby reducing the risk of introducing malware into software products. The process, however, must be straightforward to encourage adoption among development teams, and security teams need visibility over the process to enforce security policies effectively. As hackers become more sophisticated, it becomes crucial for engineering teams to adopt a proactive approach to security, such as "sign early, sign often," to safeguard against breaches.
Aug 30, 2021
1,022 words in the original blog post.
Alpine Linux is a minimalistic operating system base for many Linux container images, known for its efficient packaging, frequent updates, and small image size. On June 15, 2021, Alpine Linux released version 3.14, introducing significant updates that require certain components, such as the musl library, to be updated for proper functionality. The update has prompted software products to migrate their container images to this version due to enhancements in network and security use cases. However, this transition has caused issues in CI/CD environments like GitLab, where outdated Docker Engine versions, specifically those older than 20.10.6, have led to execution problems with Alpine 3.14-based images. To address these issues, users are advised to update their Docker Engine and Docker-in-Docker (dind) images to at least version 20.10.6. While temporary workarounds involve using Alpine 3.13 images, the long-term solution requires planning and executing updates to maintain compatibility with Alpine 3.14 and its dependencies.
Aug 26, 2021
932 words in the original blog post.
GitLab CI/CD has evolved with the release of GitLab 14.2, allowing users to create "stageless" pipelines by using the needs command to dictate job execution based solely on dependencies, rather than traditional stages. Historically, GitLab pipelines relied on ordered stages such as build, test, and deploy to manage job execution, with jobs in each stage running in parallel before moving to the next stage. The introduction of the needs keyword, which forms Directed Acyclic Graphs (DAGs), has enabled faster pipelines by permitting jobs to start as soon as their dependencies are met, bypassing the standard stage order. This capability, which addresses a popular user request, offers flexibility by allowing pipelines to be defined entirely through needs dependencies without stages, although stages remain available for those who prefer the traditional workflow. GitLab maintains its commitment to providing flexible, efficient CI/CD solutions, and encourages feedback from its users through issue submissions.
Aug 24, 2021
699 words in the original blog post.
Software development teams implementing agile and DevSecOps practices can enhance security by integrating tools like GrammaTech's CodeSonar into their CI/CD pipelines, particularly in industries where security is critical, such as aerospace, automotive, and medical devices. CodeSonar, a static application security testing (SAST) solution, integrates seamlessly with platforms like GitLab to perform deep static code analysis, identifying defects and vulnerabilities early in the software development life cycle (SDLC) through symbolic execution and theorem-proving technologies. This integration supports continuous security assessment, allowing developers to address potential issues promptly and avoid costly mistakes later in the development process. The collaboration between GrammaTech and GitLab enables teams to maintain high-quality, secure code by providing detailed vulnerability reports directly within the GitLab interface, streamlining the review and resolution of code security warnings. CodeSonar's approach to security testing is distinct in its ability to integrate effortlessly into existing build environments, offering a robust framework for analyzing code paths and ensuring scalability through optimized exploration strategies.
Aug 20, 2021
932 words in the original blog post.
GitLab has introduced Spamcheck, a new anti-spam engine designed to enhance its resilience against spam and abuse, now enabled for all projects on GitLab.com and set for inclusion in the 14.6 release for self-managed customers. Developed through a collaborative effort involving GitLab's Security Automation, Trust and Safety, and Engineering Development teams, Spamcheck's creation involved rigorous testing, prototyping, and leveraging a data-driven approach to identify effective spam-handling methods. The development included a spam testbed to extract and analyze spam, resulting in a prototype that balances stability, flexibility, and performance. The integration with GitLab's existing infrastructure required careful planning and iterative deployment to production, ensuring the service remained performant without disrupting user experience. Although Spamcheck has shown better performance than Akismet during spam waves, it has a slightly higher false positive rate, prompting ongoing improvements in machine learning models and processes. The service's development and deployment were supported by extensive cross-organizational collaboration, and further insights into its technology stack and performance will be detailed in subsequent communications.
Aug 19, 2021
1,211 words in the original blog post.
Software supply chain attacks have become a significant cybersecurity concern in 2021, following high-profile incidents like the SolarWinds attack, which affected approximately 18,000 organizations globally. These attacks exploit vulnerabilities in third-party code, allowing attackers to insert malicious payloads into widely-used software, compromising sensitive data across numerous websites. The United States and the UK have responded with initiatives to strengthen software supply chain security, emphasizing the need for robust cybersecurity practices. Web supply chain attacks are a growing threat due to the prevalent use of third-party scripts, which often lack adequate security resources, making them susceptible to breaches. In response, the integration of DevSecOps practices into software development lifecycles is critical, as it embeds security measures, enhances visibility, and controls over software supply chains. Platforms like GitLab, with integrations such as Jscrambler, offer comprehensive security solutions, including automated scanning, source code protection, and real-time monitoring, to mitigate these risks effectively. As companies adopt these tools and strategies, there is optimism that they will enhance their security posture and better protect user data from increasingly sophisticated cyber threats.
Aug 18, 2021
1,073 words in the original blog post.
Managing scalable and highly available compute infrastructures is a fundamental challenge that cloud services like AWS are designed to address. This text explores the automation capabilities of AWS Autoscaling Groups (ASG) in managing GitLab Runners, highlighting a video demonstration of deploying 100 GitLab runners on Amazon EC2 Spot instances in under 10 minutes. It discusses the use of GitLab Private Runners for both self-managed and SaaS accounts, emphasizing the importance of Infrastructure as Code (IaC) for creating production-grade elastic GitLab Runners. The GitLab HA Scaling Runner Vending Machine for AWS is introduced as a tool for efficient cost management and scaling, leveraging Spot compute instances, scheduling, and ARM architecture. It offers significant cost savings and simplifies the deployment process through CloudFormation templates, making it easier for users to manage runner fleets with various configurations. The automation also supports scenarios like OS patching, runner version upgrades, and least privilege security, providing a comprehensive solution for deploying and managing GitLab Runners on AWS.
Aug 17, 2021
2,273 words in the original blog post.
Designers often face the challenge of creating applications for unfamiliar or highly technical domains, such as medical or security technologies, where understanding the intricate details of the application is not always necessary but having a conceptual grasp is crucial. The key is finding a balance in knowledge that allows effective communication with users and the ability to explain the product. The use of analogies can be a powerful tool in translating complex technical concepts into relatable and understandable designs. For instance, security testing methodologies like Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and Fuzz Testing are likened to different types of doctors, each with their unique methods of diagnosing and understanding problems within an application. This approach not only aids in demystifying complex systems but also makes the design process more engaging and accessible. Designers are encouraged to create relatable stories to conceptualize these technical challenges and verify their analogies with domain experts to ensure accuracy, thereby reducing the intimidation of working in technically complex spaces.
Aug 13, 2021
919 words in the original blog post.
Phabricator, a web-based application that facilitated code reviews, repository browsing, and bug tracking, inspired several features in GitLab before its end-of-life announcement by Phacility in 2021. GitLab co-founder Sid Sijbrandij acknowledged Phabricator's influence, particularly in review workflows, where GitLab adopted a similar system of merge requests (MRs) as the primary method of tracking changes and review history, akin to Phabricator's "diff tasks." GitLab introduced draft merge requests, inspired by Phabricator's "Draft" state, to manage work-in-progress tasks more effectively. The platform also enhanced its commit history and MR link integrations for faster debugging and added code coverage reports to monitor code quality, although integrating these reports posed challenges due to varied languages and formats. Additionally, GitLab's CI/CD pipeline and issue management features, such as Epic boards and scoped labels, reflect a similar approach to Phabricator's work boards, offering streamlined workflows for project management. Overall, GitLab continues to iterate on its features to improve user experience, drawing inspiration from Phabricator's legacy while fostering innovation in its all-in-one DevOps platform.
Aug 13, 2021
1,675 words in the original blog post.
The blog post explores the use of a push-based approach in GitOps, particularly focusing on the integration of Terraform with AWS ECS and EC2 through GitLab, enabling infrastructure management beyond Kubernetes environments. It describes a detailed GitOps flow for provisioning a MySQL database on AWS using Terraform, highlighting the collaborative process within GitLab where developers and administrators use merge requests to manage changes. The process includes executing Terraform plans and incorporating inline suggestions to improve the infrastructure configuration, demonstrating effective collaboration and review mechanisms that enhance productivity and infrastructure stability. Additionally, the post outlines how GitLab's CI/CD pipelines validate and apply infrastructure updates, and it further explains the deployment of applications to AWS ECS and EC2, utilizing templates and automation for streamlined operations. The narrative emphasizes GitLab's flexibility in supporting both agent-based and agentless GitOps workflows across diverse infrastructures, showcasing its capability to accommodate various project needs and infrastructure components.
Aug 10, 2021
1,603 words in the original blog post.
REMOTE by GitLab is a platform designed to explore the future of remote work, offering insights and lessons from leaders in the field. At its core, the initiative underscores the importance of establishing guiding principles for remote transitions, hiring specialized remote work leaders, investing in employee workspaces, promoting a rest ethic, and shifting from a productivity-focused mindset to a purpose-driven one. The event featured sessions from prominent figures, including Coinbase's transition to a virtual-first company, Facebook's Director of Remote Work's strategies, and experts like Ryan Anderson on workspace setup and John Fitch on rest ethics. It encourages organizations to rethink traditional work habits and embrace human-centered approaches, with resources and talks available on GitLab's YouTube channel for those interested in further exploration.
Aug 09, 2021
689 words in the original blog post.
Companies are increasingly investing in digital transformation and enhancing their software development capabilities, with GitLab offering a complete DevOps platform for modern needs. Many organizations choose self-managed GitLab and GitLab Runners, incurring additional costs for infrastructure. Recent cost analysis and performance benchmarks show that deploying GitLab on Arm-based Graviton2 instances can result in up to 23% cost savings and 36% performance improvements compared to x86-based EC2 instances. Arm, a leader in silicon IP for SoC, has collaborated with GitLab to optimize tools for Arm architecture, and AWS is the first major cloud provider to offer Arm-based EC2 instances. The GitLab 10,000 reference architecture provides a framework for hosting GitLab on both Arm64 and x86 environments, with significant cost and performance advantages on Arm64. Performance tests using GitLab's tools indicate substantial gains in CI/CD job execution on Arm-based instances, making it an attractive option for GitLab enterprise customers looking to enhance performance and reduce costs.
Aug 05, 2021
844 words in the original blog post.
UBS, the largest global wealth manager, utilizes GitLab to power DevCloud, a comprehensive DevOps platform that streamlines its cloud-based software development lifecycle. This collaboration was highlighted during the GitLab Virtual Commit 2021, where executives from UBS and GitLab discussed how this integration has enhanced UBS's development velocity, reduced infrastructure costs, and improved global collaboration. The DevCloud platform was soft-launched during the UBS Hackathon, facilitating seamless virtual collaboration among over 500 participants, showcasing its effectiveness in a remote setting. GitLab's open-source collaboration model and its commitment to agile practices have contributed significantly to the project's success, allowing both organizations to learn from each other, particularly in terms of compliance and risk processes unique to the financial sector. The adoption of DevCloud has resulted in increased productivity, with over 12,000 users and a million successful builds within six months, demonstrating its utility for both engineering and non-engineering teams. Additionally, GitLab's acquisition of UnReview aims to enhance machine learning capabilities within its DevOps Platform, further optimizing code review processes and enabling predictive insights into the software development lifecycle.
Aug 04, 2021
773 words in the original blog post.
DevOps has matured significantly over the past decade, transitioning through several phases that mirror human cognitive development, as theorized by Jean Piaget. Initially characterized by "Siloed DevOps," where teams operated independently with their own tools, the field evolved into "Fragmented DevOps," which saw a standardization of tools within organizations but lacked integration across different stages of the DevOps lifecycle. This led to the "DIY DevOps" phase, where organizations attempted to manually integrate various tools, often resulting in inefficiencies and vulnerabilities. The current evolution, termed the "DevOps Platform era," is championed by GitLab and integrates all stages of the DevOps lifecycle into a single application, enhancing collaboration, efficiency, and security. This approach aligns with recent trends emphasizing integrated security and the use of machine learning to streamline workflows. Predictions suggest that by 2023, a significant portion of organizations will adopt a DevOps platform to simplify application delivery, highlighting the growing importance of integrated solutions in the industry.
Aug 03, 2021
1,138 words in the original blog post.