The following page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features or functionality remain at the sole discretion of GitLab Inc.
Security scanning that AppSec teams trust, and developers love
The Application Security Testing (AST) stage helps customers find vulnerabilities in applications before they reach production. We focus on developing scanning capabilities to find these vulnerabilities, then we work closely with the Security Risk Management and Software Supply Chain Security stages to ensure that organizations can take action on the vulnerabilities our scanners detect.
GitLab was named as a Challenger in the 2022 Magic Quadrant for Application Security Testing.
The AST stage is made up of five groups:
Customer needs for Application Security Testing (AST) are evolving rapidly, driven by the increasing pace and complexity of modern software development and the growing sophistication of security threats. We see at least two major themes in the AST market today:
In the next 3 years, we expect the AST market will:
As a unified, AI-powered DevSecOps platform, GitLab is well-suited to deliver what the market needs. We will continue to invest in our AST capabilities to enable security teams to scale their impact and achieve their security goals.
The increasing pace of modern software development demands that we push security testing further left than before, integrating it into existing workflows rather than forcing teams to adapt their processes or context-switch to separate tools.
Moving security scanning directly into the IDE and pre-commit stages enables developers to catch vulnerabilities, exposed secrets, and dependency issues before they even enter the codebase, dramatically reducing remediation costs and team overhead.
For this proactive approach to succeed, security tools must provide clear, actionable feedback that developers can understand without deep security expertise, including precise code locations and step-by-step remediation guidance with examples of secure coding patterns.
By making security both approachable and efficient, we help organizations build a true DevSecOps culture where security becomes a natural part of every developer's daily work, transforming how organizations approach application security while significantly reducing the burden on overburdened security specialists.
To achieve this theme, GitLab will pursue capabilities like:
In today's complex security landscape, presenting raw vulnerability data without context can lead teams to work on less impactful tasks or accept risks without realizing the consequences. That doesn't work well for anyone.
By combining multiple security scanning methods and leveraging more advanced techniques like AI and machine learning, we can provide deeper context and more accurate risk assessments for each security finding. This intelligence-driven approach helps teams cut through the noise of security alerts, focusing remediation efforts on vulnerabilities that pose the greatest actual risk to their applications. Integration across different security disciplines creates a comprehensive view of each vulnerability's impact and exploitability, enabling more confident decision-making about when and how to remediate issues.
Machine learning can turn security scanning from a simple detection tool into an advisory system that helps teams make informed decisions about their security posture and where to spend remediation effort.
To achieve this theme, GitLab will pursue capabilities like:
When tools identify vulnerabilities but don't provide a clear path to resolution, organizations end up exposed to security risks for longer than necessary. Worse still, as backlogs of security issues grow, organizations end up accepting risks without realizing it—an untriaged and unresolved vulnerability is one that's tacitly accepted.
Modern security tools must go beyond detection to provide automated remediation pathways that help both developers and security teams efficiently address vulnerabilities.
As applications and security threats grow more complex, effective security programs have to rely on automation to scale up. By transforming security findings into automated actions, intelligent tools help organizations dramatically reduce their mean time to remediation while allowing both development and security teams to focus on strategic work rather than routine maintenance.
To achieve this theme, GitLab will pursue capabilities like:
To see what we're planning, check the individual group or category direction pages.
Application Security Testing pricing and tiering reflects GitLab's overall pricing model.
We focus our efforts primarily on Ultimate. Advanced security is an Ultimate pricing theme and helps customers deliver on organization-wide security and compliance priorities.
Advanced features, including technology developed in-house at GitLab and technology we've acquired, are available only in Ultimate.
We make a subset of our AST scanners available in all tiers (including Free). We typically do this when the scanners are themselves open-source.
We do not specifically focus on Premium.
Scans your application source code and binaries to spot potential vulnerabilities before deployment. SAST supports a variety of programming languages and automatically chooses the right analyzers even if your project uses more than one language. Vulnerabilities, additional data, and solutions are shown in-line with every merge request. Scanner results are collected and presented as a single report. This category is at the "complete" level of maturity.
Priority: high • Documentation • Direction
Scans your repository to help prevent your secrets from being exposed. Secret Detection scanning works on all text files, regardless of the language or framework used. Code pushed to a remote Git branch can be rejected if a secret is detected. This category is at the "viable" level of maturity.
Priority: medium • Documentation • Direction
Analyzes your source code quality and complexity. This helps keep your project’s code simple, readable, and easier to maintain. This category is at the "minimal" level of maturity.
Runs automated dynamic tests that attack a running web application or API to find vulnerabilities. DAST can run live attacks against a Review App, an externally deployed application, or an active API. Scans can run for every merge request, on a schedule, or on demand. DAST supports user-supplied HTTP credentials so it can test authenticated areas of your application. Vulnerabilities, additional data, and solutions are shown in-line with every merge request. Scanner results are presented as a single report. This category is at the "complete" level of maturity.
Priority: high • Documentation • Direction
Secures and protects web Application Programming Interfaces (APIs) from unauthorized access, misuse, and attacks. Tests for known vulnerabilities by running DAST against APIs, and finds unknown vulnerabilities by fuzzing the parameters of web API operations. Users can provide credentials to test authenticated APIs. Vulnerabilities, additional data, and solutions are shown in-line with every merge request. Scanner results are collected and presented as a single report. This category is at the "complete" level of maturity.
Priority: high • Documentation • Direction
Sends random inputs to an instrumented version of your application to trigger unexpected behavior, such as crashes or hangs, that points to a bug needing attention. Helps you discover bugs and potential security issues that other QA processes may miss. This category is at the "complete" level of maturity.
Priority: high • Documentation • Direction
Analyzes your application's external dependencies for known vulnerabilities on each CI/CD code commit. Vulnerabilities, additional data, and solutions are shown in-line with every merge request. Scanner results are collected and presented as a single report. On each commit, project dependencies are also checked against the approved and denied licenses defined by per-project policies, and any license outside the policy is flagged in-line in the merge request for immediate resolution. This category is at the "viable" level of maturity.
Priority: high • Documentation • Direction
Scans your container images for known vulnerabilities within the application environment. Image contents are analyzed against public vulnerability databases. Security findings, additional data, and solutions are reported in-line with every merge request. Results are presented as a single report. Container Scanning is considered part of Software Composition Analysis. This category is at the "viable" level of maturity.
Priority: medium • Documentation • Direction
The GitLab Advisory Database serves as a repository for security advisories related to software dependencies. GitLab integrates the advisory database with its proprietary and open-source application security scanning tools. In order to maintain the efficacy of those scanners, we strive to keep their underlying vulnerability databases up-to-date.
Priority: high • Direction
Continuously assess that your applications and services are not vulnerable to security threats by running automated, real-world emulated attack scenarios to identify weaknesses in your attack surface.
Priority: low
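The scanner categories above are enabled in a project through GitLab's maintained CI templates. The `.gitlab-ci.yml` below is an added example, not code from this page or from GitLab's own documentation: it wires SAST, Secret Detection, Dependency Scanning, Container Scanning, and DAST into one pipeline. It assumes a project that builds a container image in its own `build_image` job and a staging deployment reachable at `https://staging.example.com` (both hypothetical), and that the project is on a tier where these scanners are available.

```yaml
# .gitlab-ci.yml (added example; not from the GitLab direction page)
# Enables the AST scanners described above via GitLab's maintained templates.
# Assumptions (not stated on the page): the project builds a container image
# tagged $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA in the build_image job below, and a
# staging deployment of the app is reachable at https://staging.example.com.

stages:
  - build
  - test      # SAST, Secret Detection, Dependency Scanning, Container Scanning
  - dast      # DAST runs after the test stage, against the deployed app

include:
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  - template: Security/Container-Scanning.gitlab-ci.yml
  - template: Security/DAST.gitlab-ci.yml

variables:
  # Keep test fixtures and vendored code out of SAST results.
  SAST_EXCLUDED_PATHS: "spec, test, tests, tmp, vendor"
  # Point Container Scanning at the image built by this pipeline.
  CS_IMAGE: "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
  # Target for the DAST scan (hypothetical staging URL).
  DAST_WEBSITE: "https://staging.example.com"

# Hypothetical build job: produces the image that Container Scanning inspects.
build_image:
  stage: build
  image: docker:24
  services:
    - docker:24-dind
  script:
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
    - docker build -t "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA" .
    - docker push "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"

# Secret Detection scans only the commits in the current push by default.
# On the default branch, scan the full history so secrets committed before the
# scanner was enabled still surface. Overriding `rules` replaces the template's
# rules entirely, so the branch and merge-request conditions are restated here.
secret_detection:
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
      variables:
        SECRET_DETECTION_HISTORIC_SCAN: "true"
    - if: $CI_COMMIT_BRANCH
    - if: $CI_MERGE_REQUEST_IID
```

Each job uploads its findings as a security report artifact, which is what GitLab uses to render the in-line merge request findings and the single per-category report the descriptions above refer to. Rejecting pushes that contain a secret is a separate, server-side push protection setting on the project and is not configured in the pipeline file.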
Last Reviewed: 2025-02-20
Last Updated: 2025-02-20