GitLab 14.5 released with infrastructure as code security scanning

The new release also offers group-level merge request approvals.

This week GitLab released its monthly update, v14.5. With it, the company has made the GitLab Kubernetes Agent available to all users: its core features, along with the CI/CD Tunnel, are now part of GitLab’s free offering.

Many of the new features are security related. For example, there is a new security scanning feature for infrastructure as code (IaC) configuration files. It is based on Checkmarx’s open source project KICS and aims to find misconfigurations, compliance issues and security vulnerabilities in Ansible, AWS CloudFormation, Kubernetes and HashiCorp Terraform files, according to GitLab.

Introducing Infrastructure as Code (IaC) security scanning

GitLab detailed the new release in a blog post. “With Gitlab 14.5 we’re introducing security scanning for Infrastructure as Code (IaC) configuration files,” they write. “Like all our SAST scanners, we’ve chosen to make this capability available for all customers for free to encourage secure coding practices with the rise of IaC.”

For users familiar with GitLab SAST, GitLab’s IaC scanning works in the same way and supports the same features. These include a standalone IaC scanning CI configuration file, a UI-based enablement tool on the Security Configuration page, and support for all of GitLab’s Ultimate tier Vulnerability Management features, including Security Dashboards and the Merge Request widget.

“With this new IaC scanning template, we’ve also made it easy to extend our IaC scanning with additional scanners and welcome community contributions using our secure scanner integration framework,” they claim.

CI/CD Tunnel

The CI/CD Tunnel for the GitLab Kubernetes Agent enables secure access to the cluster from within GitLab CI/CD, the blog says. Until now, the Tunnel inherited all the permissions of the service account of the installed agent in the cluster. Many users need stricter permission controls, preferably at the user or job level.

“In GitLab 14.5, we are pleased to release a generic access impersonation and a CI/CD job impersonation. These impersonations can be specified in the Agent configuration file, and the impersonated account permissions can be managed using Kubernetes RBAC rules.”
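
As an added illustration (not from the Techzine article or GitLab’s own documentation), this is how the job-level impersonation described above is wired up: the agent configuration grants one project CI/CD access and asks the tunnel to act as the CI job rather than as the agent’s service account, and a Kubernetes Role plus RoleBinding then limits what that impersonated identity may do. The agent name, project path and namespace are placeholders; the `ci_access`/`access_as` keys and the `gitlab:ci_job` group are assumed to match the agent’s documented configuration format and should be checked against the current docs.

```yaml
# .gitlab/agents/<agent-name>/config.yaml  (placeholder agent name)
# Agent-side configuration: which projects may use the CI/CD Tunnel and
# which identity the tunnel presents to the cluster API server.
ci_access:
  projects:
    - id: example-group/example-project   # placeholder project path
      access_as:
        # Impersonate the CI job instead of inheriting the agent's
        # service account. Requests then arrive as a user named
        # gitlab:ci_job:<job id> in the group gitlab:ci_job, so RBAC
        # can scope them independently of the agent's own rights.
        ci_job: {}
---
# Cluster-side RBAC: the impersonated job identity gets only what the
# deployment pipeline needs, in one namespace, nothing cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ci-job-deployer
  namespace: example-app   # placeholder namespace
rules:
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "patch", "update"]
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ci-job-deployer
  namespace: example-app   # placeholder namespace
subjects:
  - kind: Group
    name: gitlab:ci_job   # every impersonated CI job lands in this group
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: ci-job-deployer
  apiGroup: rbac.authorization.k8s.io
```

With `ci_job` impersonation enabled, a job that has no RoleBinding is simply denied by the API server rather than falling back to the agent’s permissions, which is the expected failure mode when the binding is missing. The agent’s own service account must also be permitted to impersonate users and groups, since Kubernetes enforces that on the impersonating identity.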

Users can try the new GitLab solutions for 30 days free.