GitLab 15 Upgrades Address Security, Observability, DataOps

At last week’s KubeCon + Cloud Native Con, EU, speakers explored two paths for the growing adoption of cloud native technologies: a growing interest in specialization and niches (telco, for instance, which got its own day of speakers ahead of the conference) and an all-in-one, golden path toward digital transformation.
The growth of cloud native and the ecosystem that supports it demands both specialization and a “paved road” that can be traveled by a wide variety of organizations, said Brendan O’Leary, a developer evangelist at GitLab.
“We’ll see two very different paths — give people the on-ramp, but also give people very specialized things that they need to go deploy into their specific environment,” he told The New Stack.
On Monday, GitLab introduced its latest bet on the “paved road” strategy with the release of GitLab 15, which includes significant upgrades that affect observability, security and data science.
The 15.0 version of the DevOps platform enhances observability by automatically generating an exportable Software Bill of Materials (SBOM), along with a signed attestation for build artifacts.
The ability to create and analyze SBOMs has become essential for organizations that rely heavily on open source components in their software (in other words, nearly all organizations), especially in the wake of the Log4j debacle of this past winter.
Securing the software supply chain has grown into a global movement, with the Cloud Native Computing Foundation (CNCF) releasing a best practices white paper in 2021. The Linux Foundation’s OpenSSF project also announced new investment of $10 million from vendors during October’s KubeCon in Los Angeles, aimed at efforts to secure the software supply chain.
An advantage of an all-in-one DevOps platform is the ability to have a more holistic view of software throughout its lifecycle, according to O’Leary.
“If you have one platform, one DevOps platform, you’re able to understand what are all the dependencies of the software?” he said. “And what are all the pieces of that supply chain and be able to analyze the entire supply chain rather than just a bit little piece of it.”
In December, GitLab acquired Opstrace, an open source observability distribution. The acquisition, O’Leary said, gives GitLab access to new monitoring and tracing technology that will be integrated into GitLab 15. (GitLab releases new iterations every month.)
Integrating Opstrace’s tool into GitLab is an ongoing, iterative process, O’Leary said: “We’re bringing bits and pieces in.”
He added, “When we acquire companies, we see that as we’re going to bring them into the platform. We think the way to do it is to have one platform where that does everything.”
Security Approval Policies
Another new feature in GitLab 15 is how it handles security approval policies. The latest version allows the security team to apply a single set of centrally managed security policies at the group level, narrowly scope who is allowed to edit security policies, and require a two-step approval process to change approval rules.
This feature can help make developers, who know their applications better than security specialists do, more mindful of how their work affects security, O’Leary said.
“What that really is about is it’s the community — upping the communication between the security team and the development team,” he said. “We want to be able to catch issues, long before they would be getting released. When I make the change to the code, I want to understand that that’s going to have a security implication.”
It’s a big cultural and productivity improvement over the more traditional approach to application security, he said.
“I used to work as a contractor to the federal government and do an eight-week release cycle,” O’Leary recalled. “At the end of eight weeks, they’d run the security scans and they find 195 things. Well, what are we going to do, not ship this to the customer? And the problem is that each of those 195 things is not that big a deal in itself. But what if it had happened at the time we entered the code instead of a month later?
“Now, you can fix it or understand if it’s a false positive because a big part of security is there’ll be false positives. But making that determination at the time you’re making the change, you’re gonna have more information and better information.”
Support for Data Science
GitLab 15 will also have new features that make it easier for organizations to make use of the data they collect, with features aimed at enabling DataOps and Machine Learning Operations (MLOps), which streamlines the creation and deployment of ML models.
The new version of the DevOps platform will enable users to extract, load and transform data, allowing them to easily connect data to GitLab pipelines.
“People are building models, and have all this data,” O’Leary said. “They need to have the best practices of development and a structured environment. That data team is part of the overall product team. So they need to be on the platform as well.”
GitLab is also working on integrating more artificial intelligence (AI) into its platform, such as helping to process and track merge requests, O’Leary said.
The newest iterations of the DevOps platform will also include more support for enterprise Agile planning and workflow automation. “We have the new concept of ‘work items’ so that people can be more specific about what particular tasks that someone needs to perform as a code that needs to be written,” O’Leary said.
Other planning and workflow upgrades expected in the near future include:
- Saved views and queries, which will allow teams to create customized dashboards with aggregated data to quickly check the status of key initiatives.
- Suggested reviewers and labels, which will automatically recommend the correct team members and next workflow step to increase productivity and transparency.
- Enhanced suggestions, which make in-context suggestions to accelerate decision-making and reduce cognitive load on the DevOps team.
The GitLab 15.0 release is now available, and GitLab has published information on updating self-managed instances. GitLab’s Software as a Service is automatically updated by GitLab Inc. The company will host a GitLab 15 webinar on June 23.