Is GitLab far and away the top tool being used for software scanning and software composition analysis of open source projects? Obviously the answer is no if you include GitHub’s default capabilities in your analysis, but for a long time, GitHub has not figured into many market analyses. That should change going forward.
According to a 2019 survey about open source in the enterprise that The New Stack conducted with The Linux Foundation and TODO Group, almost a thousand people said they knew what their organization is using for scanning/composition analysis. Fifty-nine percent named GitLab from a list of the top 10 providers, which was pulled from a recent security-focused Forrester report on the subject. Sonatype and JFrog tied for second place, followed by Synopsys, FOSSA, Eclipse Oscano and several other companies.
Although GitHub Actions’ dependency management capabilities had not been announced yet, in retrospect GitHub should have been included in the question because code repositories like GitHub can scan for security, software compliance and dependencies. Still, only a few respondents felt strongly that this product category should include GitHub: of the 944 respondents, 103 wrote in an “other” response, of which only six cited GitHub.
We are not saying GitLab is used more often than GitHub. On the contrary, our data shows that GitHub has a big lead in that area. If companies that use GitLab’s scanning capabilities are also using it as a code repository, then it seems self-evident that GitHub’s customers would be doing likewise. For now, it is difficult to determine what percentage of GitHub users are using its commercial scanning capabilities in conjunction with other tools. Yet, if this is the case, they are also probably using either GitHub’s native scanning capability or some offering from GitHub’s marketplace.
We have found that research about scanning-related tooling can be strongly affected by the multiple-choice answers on offer, as well as by the type of person responding to the survey. For example, since Synopsys’s Black Duck has relatively high brand recognition, it may have been named more often if the survey had forced respondents to answer this question.
Unpublished research we conducted with Tidelift shows how findings can vary dramatically if a question is open-ended. That survey asked about what software or services are used to evaluate the health of open source dependencies. Forty of the 112 respondents mentioned GitHub, with at least a quarter explicitly saying they utilized GitHub’s security alerts. Travis CI and Snyk came in second and third, getting 11 and 10 citations respectively.
The New Stack’s survey also asked what tools are used to manage open source repositories. Even more than last year, GitHub’s paid version is being used, going from 30% to 35% of respondents. Homegrown solutions were used less often, going from 21% to 15%, and there was a slight drop for the paid versions from other vendors like GitLab and Bitbucket. It is noteworthy that new research from Smartbear Software reports different results, with GitHub Enterprise’s adoption rising by almost a third to 13% in 2019, while adoption of GitLab’s commercial offering doubled to 8%. Both surveys likely oversample early adopters.
Casual observers may be incredulous. A recent report found that there are 9,680,11 repositories on GitHub, while Bitbucket has 248,217 and GitLab has 56,722. These numbers are deceiving because they include empty and inactive repositories. The survey data shows different results because it focuses on the code repositories being used by teams of professional developers.
No matter how you parse it, both GitHub (and its parent Microsoft) and GitLab are likely to continue converting a portion of their large communities into paying customers. For now, smaller vendors are being used in tandem with code repositories but may be threatened when the bigger companies bundle more security and compliance scanning tools into their offerings.
The New Stack is a wholly owned subsidiary of Insight Partners, an investor in the following companies mentioned in this article: JFrog.