May 22, 2021 - Mark Wood

GitLab 13.12 Release

GitLab 13.12 released with On-Demand DAST and Deployment Frequency Chart

GitLab 13.12 released with On-Demand DAST, Deployment Frequency Chart, Visualization of Pipeline Job Dependencies and much more!

This month, we are excited to introduce usability and pipeline management improvements that strive to make your teams more productive, updates to make your deployments more secure, and insights to make your DevOps adoption more mature. These are just a few highlights from the 44 improvements in this release.

Helping you manage security before it manages you

To ensure your production environment is always secure, On-demand DAST scanning is now generally available for all GitLab Ultimate customers. These on-demand scans will allow you to scan an already deployed application or API in any of your configured environments outside of a CI/CD pipeline i.e., without requiring any code changes or merge requests to start a scan.

The Semgrep SAST analyzer for JavaScript, TypeScript, and Python is also generally available. Semgrep's flexible rule syntax is ideal for streamlining the GitLab Custom Rulesets feature for extending and modifying detection rules, a popular request from GitLab SAST customers. It also allows GitLab customers access to Semgrep's community rules. Thanks to the community contribution from @proletarius101, we are also extending the Mobile Application Security Testing to support .ipa (iOS) and .apk (Android) binary files, in addition to Xcode projects and Android manifest files that are already supported.

Many customers integrate their existing scanners into GitLab to benefit from a unified view. The Project Vulnerability Report now gives you the ability to filter by scanner and vendor, allowing you to filter scan results for only third-party scanners or for all scanners including those from GitLab.

Application Security is a key focus area for GitLab for this year and your feedback is important to us. As the preference of web application development shifts rapidly towards building JavaScript-heavy and single-page applications, we have identified a need for a purpose built tool that provides more application testing coverage than a traditional proxy based crawler. We are inviting GitLab Ultimate customers to a public beta for a new browser-based crawler for DAST which is expected to provide significantly better security testing coverage for these modern applications compared to our current proxy-based crawler.

Easier pipeline management for enhanced usability

Pipelines are at the heart of our customers' CI/CD success, and we want to make it easier to use for new and experienced users of GitLab. The pipeline editor will now come with a collapsible panel of guided instructions that will help new CI/CD users create their first pipeline in a breeze.

For experienced CI/CD users that require more flexibility in creating their pipelines, we are now supporting wildcards in the include: keyword that will help you break your .gitlab-ci.yml file into multiple smaller files to improve reusability and readability. We also introduced the ability to define variables within rules, giving you the flexibility to set pipeline variables when certain conditions are met. Defining complex pipelines means there could be dependencies between jobs. The pipeline graph now shows dependencies between jobs, which is helpful to visually track and understand the expected order in which the jobs will be run.

Insights to improve your DevOps maturity

You cannot fix what you cannot measure. In that spirit, we are continuing to natively support DORA4 metrics. We are happy to announce the introduction of a group-level deployment frequency chart, which will help you understand the efficiency of your deployments over time, find bottlenecks, and focus on improvement areas that span across your projects and teams.

Value stream analytics help you identify inefficiencies and identify the root cause of those inefficiencies in your workflow. In 13.12, we have introduced pagination and sorting of workflow items, which allows you to easily visualize and sort items in a specific stage to pinpoint bottlenecks. The Days to Completion chart has been updated to show the average time to completion, which helps identify meaningful trends over time.

In this release, thanks to the community contribution from @leetickett, we introduced the ability to view a time tracking report within an individual issue or merge request to provide visibility into how much time each contributor spent.

For many of our customers, merge requests are the central space for collaboration. We have introduced the ability to see code quality violations and screenshots of failed tests within the merge request to give you necessary context as a part of your normal workflow within GitLab.

And so much more!

We continue to invest in improving the product usability in every release. Some of our favorite quality of life improvements in 13.12 include:

Users' group counts now displayed in Admin Area
Bring your own Elastic Stack
Create incidents via API
Warn administrator when removing an on-call user
Deleting deploy keys will inform the user if in use

Read on for more features, performance enhancements and changes! To preview what's coming in next month’s release, check out our Upcoming Releases page and our 14.0 release kickoff video.

GitLab 13.12 released with On-Demand DAST and Deployment Frequency Chart Click to tweet!

Join us for REMOTE by GitLab to explore the future of work, culture, and inclusion.

MVP This month's Most Valuable Person (MVP) is awarded to Lee Tickett

Lee did an excellent job iterating on our existing time tracking functionality by adding a time tracking report feature! This allows you to easily see who has spent time on an issue, and even allows you to add notes!

This contribution is a significant step forward as it not only allows you to view who has spent how much time on an issue, but also allows you to see the total time spent by all contributors. There is even an option to add notes when you log time and view them within the report.

Lee has also contributed two additional merge requests to improve the GraphQL API, one to expose merge request timelogs, and one expand the GraphQL query to find merge requests.

Thank you for all of your amazing work Lee! 🙌

13.12 Key improvements released in GitLab 13.12

On-demand DAST GA launch

On-demand DAST GA launch

SaaS

Self-Managed

After months of work, we are pleased to announce that our on-demand DAST scanning has reached a General Availability (GA) maturity level. It is ready for usage by anyone who needs to scan an already-deployed application or API outside of a CI/CD pipeline job. With the 13.11 release, we added to on-demand DAST Site profiles the ability to specify authentication information, exclude URLs, add additional request headers, and switch between scanning web applications and APIs. This is in addition to the ability to save scans for quick reusability that was added in 13.9, and the ability to select the branch that a scan is associated with that was added in 13.10. We believe this feature set meets the needs of a majority of GitLab customers.

As we continue to add features, such as scan scheduling, we expect on-demand DAST scanning to cover an ever-increasing range of use cases. As always, we would love as much feedback about these features as possible. Please let us know how things are working for you by leaving a comment in issue 327396.

Documentation Issue

Useful GitLab CI/CD information in the pipeline editor

Useful GitLab CI/CD information in the pipeline editor

SaaS

Self-Managed

Creating your first GitLab CI/CD pipeline can be difficult, especially for those new to CI/CD. You might spend time switching back and forth between documentation and GitLab to get your first pipeline configured. In this release we’ve added a drawer with useful information to the pipeline editor to help guide you through the steps of writing your first pipeline.

Documentation Issue

Useful GitLab CI/CD information in the pipeline editor

Support wildcards when including YAML CI/CD configuration files

Support wildcards when including YAML CI/CD configuration files

SaaS

Self-Managed

The includes: keyword for CI/CD pipelines lets you break one long .gitlab-ci.yml file into multiple smaller files to increase readability. It also makes it easier to reuse configuration in multiple places. Frequently there are multiple files included into a single pipeline, and they all might be stored in the same place. In this release, we add support to use the * wildcard with the local includes: keyword. You can now make your includes: sections more dynamic, less verbose, and easier to read, check out how we are dogfooding it in GitLab.

Documentation Issue

Support wildcards when including YAML CI/CD configuration files

Show job dependencies in the pipeline graph

Show job dependencies in the pipeline graph

SaaS

Self-Managed

The full pipeline graph provides a visual representation of all the jobs in your CI/CD pipeline, grouped by stage. This visualization helps you track the progress of your jobs and sets expectations for the order in which jobs will execute.

The introduction of the needs keyword let you create a directed acyclic graph that lets jobs start running earlier than they would if they were configured solely by stage. However, this creates ambiguity when looking at the pipeline graph, as its harder to tell in what order you could expect jobs to run.

In this release, you now have the ability to view pipelines by job dependencies when the job order reflects the needs: relationships between jobs. We’ve also added links between jobs to see exactly which jobs need to complete before a particular job can start. It will be much easier for you to track and understand job dependencies and expected run order when using the needs: keyword.

Documentation Epic

Failed test screenshots in test report

Failed test screenshots in test report

SaaS

Self-Managed

GitLab makes it easy for teams to set up end-to-end testing with automation tools like Selenium that capture screenshots of failed tests as artifacts. This is great until you have to sort through a huge archive of screenshots looking for the specific one you need to debug a failing test. Eventually, you may give up due to frustration and just re-run the test locally to try and figure out the source of the issue instead of wasting more time.

Now, you can link directly to the captured screenshot from the details screen in the Unit Test report on the pipeline page. This lets you quickly review the captured screenshot alongside the stack trace to identify what failed as fast as possible.

Documentation Issue

Code quality violation notices in MR diffs

Code quality violation notices in MR diffs

SaaS

Self-Managed

During code reviews, you may have wanted to highlight Code Quality violations and how to resolve them. Previously, this involved having a browser window open to see the violations on the Merge Request summary and another window reviewing the changes in the MR or your IDE. You may have found switching between them too difficult and given up.

Now, you can see if the file you are reviewing has new code quality violations that are part of the changes right in the Merge Request diff view. This gives you the necessary context to suggest a fix as part of your normal workflow within GitLab without having to keep additional windows open and context switch back and forth between them.

Documentation Issue

Code quality violation notices in MR diffs

Group-level deployment frequency CI/CD chart

Group-level deployment frequency CI/CD chart

SaaS

Self-Managed

As part of our efforts to natively support DORA4 metrics in GitLab, the group-level deployment frequency chart is now available. This chart will show the aggregated deployment frequency metrics for all the projects that are part of the group, and allow you to get a full picture of the deployment frequency across multiple projects and teams, so that you can comprehend their efficiency more accurately. Monitoring deployment frequency helps you understand the efficiency of your deployments over time, find bottlenecks, and focus on improvement areas that span across your projects and teams.

Documentation Issue

Group-level deployment frequency CI/CD chart

13.12 Other improvements in GitLab 13.12

Enforce delayed project removal for all subgroups

Enforce delayed project removal for all subgroups

SaaS

Self-Managed

Group owners can now enable and enforce delayed project removal for all subgroups and projects in their group. Delayed project removal protects your data by placing deleted projects in a read-only state after deletion and can be restored, if required. We plan to expand our settings model and allow more settings to be inherited and enforced in subgroups and projects in future milestones. Our new settings management model gives group owners a way to ensure that their subgroups and projects settings adhere to their organization’s security and compliance needs.

Documentation Issue

Users’ group counts now displayed in Admin Area

Users’ group counts now displayed in Admin Area

SaaS

Self-Managed

The user list in the Admin Area now shows the total number of groups a given user has access to. The group count is a sum of both group and subgroup membership.

This is incredibly valuable, because you can easily see how much access users have and quickly identify when action is needed. For example, you might use this information to ensure that deactivated accounts no longer have access to any projects or groups in GitLab.

Users' group counts now displayed in Admin Area

Documentation Epic

View average time to complete workflow items

View average time to complete workflow items

SaaS

Self-Managed

The Days to Completion chart in Value Stream Analytics previously showed the sum of days it took to complete all workflow items that were finished on a specific day. If an unusually high number of items was completed on the same day, the chart would show a high number for that day, which isn’t particularly meaningful.

The chart now shows the average time to completion instead, which highlights meaningful trends over time.

View average time to complete workflow items

Documentation Issue

Time tracking reports for issues and merge requests

Time tracking reports for issues and merge requests

SaaS

Self-Managed

Project members can record time spent on an issue or merge request via the /spend quick action, but it hasn’t been easy to understand how much time each person contributed. As a step toward better visibility of time reports in projects and groups, you can now view a time report in an individual issue or merge request. After time is spent against an issue, select the Time tracking report on the sidebar to view a list of all time spent entries for that issue or merge request. Thanks @leetickett for the contribution!

Time tracking reports for issues and merge requests

Documentation Issue

Lock latest pipeline artifact to prevent deletion

Lock latest pipeline artifact to prevent deletion

SaaS

Self-Managed

GitLab now automatically locks the latest artifact produced from a successful pipeline on any active branch, merge request, or tag to prevent it from being deleted based on expiration if it is still the most recent artifact.

This makes it easier to set a more aggressive expiration policy to clean up older artifacts, helps reduce disk space consumption, and ensures you have always got a copy of the latest artifact from your pipeline.

Pipeline artifacts, such as those used by the test coverage visualization feature, are not explicitly managed by the .gitlab-ci.yml definitions.

Documentation Issue

Support variables in CI/CD pipeline ‘workflow:rules’

Support variables in CI/CD pipeline ‘workflow:rules’

SaaS

Self-Managed

Previously, the rules keyword was limited in scope and only determined if a job should be included or excluded from pipelines. In 13.8, we added the ability to use the variables keyword with rules to set variable values in a job based on which rule matched. In this release we’ve extended this ability to workflow: rules, so you can set variable values for the whole pipeline if certain conditions match. This helps you make your pipelines even more flexible.

Support variables in CI/CD pipeline 'workflow:rules'

Documentation Issue

Delete associated package files via API

Delete associated package files via API

SaaS

Self-Managed

You use the GitLab Package Registry to publish, install, and share your dependencies. You may do this using a variety of package manager formats, such as Maven or npm. If you do this as part of your CI workflow, you may publish many packages to your registry. When you publish a dependency, it generates several files including the package archive.

Prior to GitLab 13.12, GitLab didn’t provide a way to delete the files from a package. You could only delete the package itself. These extra files can clutter the user interface or result in someone installing an incorrect or outdated dependency.

In GitLab 13.12, you can now use the Packages API to delete files related to a given package, as well as the package itself. You can easily integrate this new endpoint into your CI workflow and start removing old, unused files. To give you another option for managing your registry, future releases will add the ability to delete such files through the user interface.

Documentation Issue

Elastic Stack cluster integration

Elastic Stack cluster integration

SaaS

Self-Managed

Previously, to take full advantage of Gitlab Log Explorer, you had to install the Elastic stack via GitLab Managed Apps. This was problematic because managing and operating the Elastic Stack is important and not something you wished to outsource to GitLab.

With this release, you can integrate your existing Elastic Stack with GitLab. Whilst maintaining control, you can still take advantage of the features offered by GitLab Log Explorer.

Documentation Issue

Migrate GitLab Pages in the background

Migrate GitLab Pages in the background

SaaS

Self-Managed

In preparation for moving GitLab Pages to the new ZIP-storage architecture in 14.0, we introduced an automatic background migration in 13.11. This background migration converted existing sites to the new storage format and run at a very slow speed to avoid having a significantly negative impact on the performance of your instance. In GitLab 13.12, we will add the option to run the same migration with greater speed. You can also run the migration manually. This will allow you to verify the migration result, identify any migration errors, and fix them.

Documentation Issue

Take ownership of existing GitLab Managed Applications

Take ownership of existing GitLab Managed Applications

SaaS

Self-Managed

As previously announced, one-click GitLab Managed Applications were deprecated in GitLab 13.9 and will be definitively removed from GitLab in version 14.0, scheduled for June 22nd. Follow the documentation to learn how to take ownership of your applications and continue using them normally.

Documentation Issue

Create incidents via API

Create incidents via API

SaaS

Self-Managed

The most effective incident management tools enable you to create incidents automatically from different sources. To create incidents automatically, you can integrate your proprietary systems with GitLab via API. GitLab 13.12 introduces the issue_type attribute to the GitLab REST API and the type field to the GitLab GraphQL API. When creating issues with these APIs, you can create incidents by setting issue_type to incident (REST API), or by setting type to INCIDENT (GraphQL API).

Documentation Issue

Configuration tool for Secret Detection

Configuration tool for Secret Detection

SaaS

Self-Managed

Following in the footsteps of the GitLab SAST configuration tool we are adding support for Secret Detection on the Security Configuration page. We believe that security is a team effort and this configuration experience makes it easier for non-CI experts to get started with GitLab Secret Detection. The tool helps a user create a merge request to enable Secret Detection scanning while leveraging best configuration practices like using the GitLab-managed SAST.gitlab-ci.yml template. The Configuration tool can create a new .gitlab-ci.yml file if one does not exist or update existing simple GitLab CI files, allowing the tool to be used with projects that already have GitLab CI setup.

Documentation Epic

Mobile application binary scanning support

Mobile application binary scanning support

SaaS

Self-Managed

Since GitLab 13.6, we’ve offered SAST for Android and iOS mobile projects. Initially our Mobile App SAST supported the automatic detection of Xcode projects and Android manifest files. With this release and contribution from community contributor @proletarius101, GitLab SAST now also supports the automatic detection of .ipa (iOS) and .apk (Android) binary files enabling the security scanning of fully built mobile application artifacts. This offers mobile teams more flexibility with how they build and scan their mobile projects with GitLab SAST for security vulnerabilities. Please note that mobile application scanning is still an experimental feature and requires enabling the experimental flag in your CI template. We will make the mobile application scanner generally available without this flag in the near future.

Documentation Epic

Semgrep SAST Analyzer for JavaScript, TypeScript, and Python

Semgrep SAST Analyzer for JavaScript, TypeScript, and Python

SaaS

Self-Managed

In GitLab 13.11 we announced an experimental release of Semgrep, a new SAST analyzer for JavaScript, TypeScript, and Python. This transition has been developed in partnership with r2c, the team behind Semgrep who share our mission to help developers write more secure code. After an extensive beta with hundreds of customers trying out our experimental analyzer, we’re ready to start the transition to Semgrep.

With 13.12, we’re updating our managed SAST.gitlab-ci.yml CI template to automatically run this new analyzer alongside our existing JavaScript and TypeScript analyzer, ESlint. In a future release we will fully disable ESLint, but for now it will work in unison with Semgrep. We’ve done work to deduplicate findings, so you should not notice any difference in findings. If you include our SAST.gitlab-ci.yml, you don’t need to do anything to start benefiting from the Semgrep analyzer, however if you override or manage your own SAST CI configuration, you should update your CI configuration.

Both GitLab and r2c are excited about the future of this transition to bring you fast and wide coverage Static Application Security Testing (SAST). We’ll continue to expand the Semgrep analyzer through new security detection rules as well as expanding coverage to other languages. We’ve created a feedback issue where you can share your experience with this transition or ask questions.

Documentation Epic

Geo replicates LFS files with self-service framework

Geo replicates LFS files with self-service framework

SaaS

Self-Managed

Although Geo already replicates LFS files, moving this functionality to use the Geo self-service framework improves maintainability and performance of LFS file replication. This update will allow us to delete around 200 of lines of code and more easily add support for verification in an upcoming release. LFS file replication and deletion events will also be triggered sooner (up to a minute in some cases). To learn more about the Geo self-service framework, read this blog post about how we are closing the gap on replicating everything in Geo.

Documentation Issue Epic

Geo support for tracking database high-availability

Geo support for tracking database high-availability

SaaS

Self-Managed

Geo secondary sites use a separate PostgreSQL database as a tracking database to keep track of replication status and automatically recover from potential replication issues. Without the tracking database, Geo cannot replicate data to another site. Geo now supports setting up a separate, highly-available PostgreSQL cluster for Geo’s tracking database. This configuration is important when a secondary site is used as part of a disaster recovery strategy because it ensures that replication isn’t impacted even when a single PostgreSQL node running the tracking database fails.

Documentation Issue

GitLab chart improvements

GitLab chart improvements

SaaS

Self-Managed

Users were restricted to using the standard 80/443 port to expose NGINX to the LoadBalancer. However, the new nginx-ingress chart now gives users the ability to set their LoadBalancer service ports to a custom port. You can view the NGINX site configuration docs to learn more.
We have upgraded to PostgreSQL 13 client libraries. This allows us to support backup/restore to PostgreSQL 13, while still retaining support for PostgreSQL 12 and PostgreSQL 11. This has no impact on the version of PostgreSQL we are running in the chart.

Documentation

Omnibus improvements

Omnibus improvements

SaaS

Self-Managed

GitLab 13.12 includes Mattermost 5.34, an open source Slack-alternative whose newest release includes new CircleCI and Dice Roller plugins, and more.
The etc-backup job, which backs up local GitLab configuration, was not respecting the rotation rules set by gitlab_rails['backup_keep_time']. Due to this, old backups were never pruned. For 13.12, the default will be to leave files in place if no setting has been made. For 14.0, the etc-backup job will respect current settings. Only administrators who modified this setting will see a change, because the default is to keep all backups.

Documentation

Improvements to the deployment metrics in Value Stream Analytics

Improvements to the deployment metrics in Value Stream Analytics

SaaS

Self-Managed

We improved the Deploys and Deployment Frequency metrics in group-level Value Stream Analytics. These metrics now consider only deployments to environments classified as production tier instead of all deployments. The metrics now provide more value, because often deployments to non-production environments are not relevant.

Also, these metrics are now calculated based on the time the deployment finished, instead of the time it was created. This brings improved accuracy of the data in a given time frame.

Improvements to the deployment metrics in Value Stream Analytics

Documentation Issue

View and sort stage items in a value stream

View and sort stage items in a value stream

SaaS

Self-Managed

Previously, Value Stream Analytics only displayed the 20 newest workflow items for each stage in a value stream. This update adds pagination and sorting for workflow items.

You can now view all the items in each stage of your value stream and sort by time spent in a stage to more easily pinpoint bottlenecks in the software development lifecycle. For example, if code changes have been taking longer to merge, sort items in the Code stage to identify the slowest items and investigate possible causes.

View and sort stage items in a value stream

Documentation Issue

View the number of workflow items in a value stream stage

View the number of workflow items in a value stream stage

SaaS

Self-Managed

Value stream analytics shows the median time that workflow items took to complete a stage in a value stream, as well as a list of the items that completed the stage. This release adds an item count so you can easily see how many workflow items completed the stage and were used to calculate the median value.

View the number of workflow items in a value stream stage

Documentation Issue

GitLab Runner 13.12

GitLab Runner 13.12

SaaS

Self-Managed

We’re also releasing GitLab Runner 13.12 today! GitLab Runner is the lightweight, highly-scalable agent that runs your build jobs and sends the results back to a GitLab instance. GitLab Runner works in conjunction with GitLab CI/CD, the open-source continuous integration service included with GitLab.

What’s new:

Bug Fixes:

The list of all changes is in the GitLab Runner CHANGELOG.

SaaS

Self-Managed

Previously, after committing changes using the pipeline editor, you had to navigate to a different page to know the real time status of your pipeline. In this release, we added a pipeline status widget to the pipeline editor so that you can monitor the status of your pipeline without leaving the comfort of the editor.

Pipeline status widget in the pipeline editor

Documentation Issue

Allow or prevent duplicate generic package uploads

Allow or prevent duplicate generic package uploads

SaaS

Self-Managed

You can use the GitLab Package Registry to publish and download your project’s generic packages. By default, you can publish the same package name and version multiple times.

However, many of you have expressed that you want to prevent duplicate uploads, especially for releases. GitLab 13.12 expands the group setting for the Package Registry to allow or prevent duplicate uploads.

You can adjust this setting by using the GitLab API, or from Settings > Packages & Registries in the application. The coming milestones will continue to expand this setting for each package manager format. Please follow along in the epic or consider contributing a change!

Documentation Issue

Deleting deploy keys will inform the user if in use

Deleting deploy keys will inform the user if in use

SaaS

Self-Managed

In this release, we have added an additional safety measure to warn users that a deploy key is in use before deleting the key. This will help prevent accidentally breaking workflows.

Deleting deploy keys will inform the user if in use

Documentation Issue

Filter active deploy tokens

Filter active deploy tokens

SaaS

Self-Managed

Before this milestone, the Deploy Tokens API endpoints for listing tokens would return all database stored entries, including revoked and expired tokens, without a way to filter the list. Now we have added the ability to filter only active tokens from the REST API. A huge thanks to Devin Christensen for a great community contribution!

Documentation Issue

New Gatsby CI Pages template

New Gatsby CI Pages template

SaaS

Self-Managed

The previous Pages template for Gatsby would not work out of the box. You needed to manually fix your pipelines after using the predefined template. In this milestone, we have provided a new template for you to use that results in a green pipeline upon first run. Thank you Takuya Noguchi for this great contribution that will help additional members of the GitLab wider community to get started with Pages.

Documentation Issue

release: keyword supports asset links

release: keyword supports asset links

SaaS

Self-Managed

Since GitLab 13.2, you’ve been able to use the release: keyword, in conjunction with the release-cli, to create a release. The release: keyword has now been extended to include support for asset links so that you can create releases and attach files to them in a single .gitlab-ci.yml release job.

Documentation Issue

Warn administrator when removing an on-call user

Warn administrator when removing an on-call user

SaaS

Self-Managed

Being on-call is a critical function. It affects the on-call schedule when an administrator removes an on-call user from a project, a group, or the GitLab instance. Administrators are now warned before executing such a removal.

Warn administrator when removing an on-call user

Documentation Issue

Filter Project Vulnerability Report by vendor name

Filter Project Vulnerability Report by vendor name

SaaS

Self-Managed

GitLab strives to play well with others and security is no exception. We provide many security scanners as part of our Secure offering. We also encourage 3rd party vendors to integrate their scanning tools using our open API and data interchange formats. A benefit of using GitLab is managing vulnerabilities from multiple scanners in a unified experience. While you were already able to filter by scanner type (SAST, DAST), it wasn’t possible to drill down by the tool provider.

You now have even more granularity when managing vulnerabilities with the new ability to filter by scanner and vendor. You can look at all results across a single vendor’s scanners or gain confidence in findings from one scan type (e.g. SAST) that are confirmed by both GitLab and the 3rd party tool. The new filtering capability is available now in Project Vulnerability Reports.

Filter Project Vulnerability Report by vendor name

Documentation Issue

New browser-based crawler for DAST in open beta

New browser-based crawler for DAST in open beta

SaaS

Self-Managed

Starting in 13.12, we are extremely excited to announce the beta release of our new browser-based crawler. Since we are in the beta phase, we are actively seeking DAST users who will enable the new crawler and give us feedback. This new crawler is specifically designed to provide better application testing coverage by finding more pages on a JavaScript-heavy app that might be hidden from a traditional proxy-based crawler. As websites and applications continue to be more and more JavaScript-heavy, we have seen the need for a new generation of tools that are purpose-built to address the needs of JavaScript-heavy and single-page applications. This is our first step in the journey to provide better crawl and test coverage for these modern applications.

In our benchmark testing, our browser-based crawler has shown a significant improvement in crawl coverage from our current proxy-based crawler. We want feedback from usage on real-world applications to validate that the new crawler is able to crawl a majority of pages for a majority of apps. The process for enabling this new crawler is documented at DAST browser-based crawler.

Any and all feedback is welcomed and encouraged, as are bug reports. Feel free to comment in issue 327394 or create a new issue and assign it to @derekferguson. We look forward to bringing this feature to GA in the next few months and providing better DAST coverage for modern applications.

Documentation Issue

Static Analysis Analyzer Updates

Static Analysis Analyzer Updates

SaaS

Self-Managed

GitLab Static Analysis is comprised of a set of many security analyzers that the GitLab Static Analysis team actively manages, maintains, and updates. Below are the analyzer updates released during 13.12. These updates bring additional coverage, bug fixes, and improvements.

MobSF updated to version 3.4.3: MR, Changelog
nodejs-scan updated to version 0.2.6: MR, Changelog
GitLeaks updated to version 7.5.0: MR, Changelog
pmd-apex updated to version 6.34.0: MR, Changelog
Spotbugs updated to version 4.2.3: MR, Changelog

If you are including the GitLab managed vendored SAST template (SAST.gitlab-ci.yml) you do not need to do anything to receive these updates. However, if you override or customize your own CI template, you will need to update your CI configurations.

Documentation Issue

Geo support for PostgreSQL high availability in Beta

Geo support for PostgreSQL high availability in Beta

SaaS

Self-Managed

Patroni is a solution for PostgreSQL high availability which also allows the configuration of a highly-available PostgreSQL standby cluster on a Geo secondary. This configuration is important when a secondary is used as part of a disaster recovery strategy because it allows systems administrators to mirror the number of database nodes on the primary and secondary. This means that after a failover, no additional database nodes need to be provisioned to regain high availability.

Geo now provides beta-level support for highly available PostgreSQL configurations using Patroni. We’ve improved upgrades to a Patroni standby cluster, implemented automatic recovery from leader changes on the primary, addressed initial setup issues, and fixed a number of bugs.

Documentation Epic

Geo verifies replicated Terraform state files

Geo verifies replicated Terraform state files

SaaS

Self-Managed

Geo automatically verifies the data integrity of replicated Terraform state files. This ensures that packages are not corrupted in transfer or at rest. If Geo is used as part of a disaster recovery strategy, this protects customers against data loss.

Documentation Issue Epic

Instance-level Federated Learning of Cohorts (FLoC) opt-in

Instance-level Federated Learning of Cohorts (FLoC) opt-in

SaaS

Self-Managed

Federated Learning of Cohorts (FLoC) is a new type of web tracking, intended to replace the use of third-party cookies. It does this by grouping users into cohorts based on their browsing history, for the primary purpose of interest-based advertising. FLoC is being activated in the Chrome browser in some regions.

With GitLab 13.12, FLoC will not incorporate GitLab browsing activity by default. If an instance administrator would like their users’ GitLab instance usage to contribute to FLoC, they can re-enable in instance settings.

Documentation Issue

Obfuscate Elasticsearch password in Admin UI

Obfuscate Elasticsearch password in Admin UI

SaaS

Self-Managed

With the Elasticsearch integration, GitLab administrators could only configure a password-protected Elasticsearch server by using the URL with the format http(s)://<username>:<password>@<elastic_host>:<elastic_port>/. However, the password was displayed in plain text in the GitLab admin UI. Feedback given by our users showed us that this can be a potential liability as not all GitLab instance admins should be able to see that password.

With this release, we provide separate input fields for the Elasticsearch username and password, and the password is obfuscated so that users can’t see the characters in plain text.

Obfuscate Elasticsearch password in Admin UI

Documentation Issue

Bug Fixes

Bug Fixes

Some of the notable bug fixes in 13.12 are:

Bug Fixes

Performance improvements

Performance improvements

In every release, we continue to make great strides improving GitLab’s performance. We’re committed to making every GitLab instance faster. This includes GitLab.com, an instance with over 1 million registered users!

In GitLab 13.12, we’re shipping performance improvements for issues, projects, milestones, and much more! Some improvements in GitLab 13.12 are:

Performance improvements

Usability Improvements

Usability Improvements

In every release, we make great strides in improving the overall effectiveness and usefulness of our product.

We also have a UI Polish gallery to track important updates to our interfaces. These updates, while often small, improve your user experience.

In GitLab 13.12, we’re shipping usability improvements for issues, projects, milestones, and much more! We highlight the following changes in GitLab 13.12:

UX Improvements

Deprecations Deprecations

API fuzzing configuration files moving to .gitlab folder

API fuzzing configuration files moving to .gitlab folder

In GitLab 14.0, API fuzz testing configuration files, such as .gitlab-api-fuzzing.yml, should be placed in your repository’s .gitlab directory. This helps keep your repository organized. Storing these files in your repository’s root will be deprecated.

Your .gitlab-api-fuzzing.yml should also be renamed to .gitlab-api-fuzzing-config.yml in GitLab 14.0. No other changes will be required in the configuration files. You can continue using the existing configuration files, but GitLab 14.0 will require you to move them to the .gitlab directory and rename them. Starting in GitLab 14.0, GitLab will not check the old location for configuration files.