GitLab announced a series of upcoming features for GitLab Security and Governance, a shift-left security solution for software development projects.

Prevention is better than cure. More and more organizations are prioritizing cybersecurity during software development projects, also known as shift-left security. In the long term, the approach can be efficient, as the application’s users ultimately incur fewer security costs. In the short term, the approach can be a burden, as developers have to invest more time, energy and funding than traditionally required.

With Security and Governance, GitLab is trying to make shift-left security as accessible as possible. The solution allows users to scan code for vulnerabilities and review application components through software bills of materials (SBOMs). Security and Governance allows organizations to push secure applications to production environments without interrupting the development process. GitLab recently shed light on the solution’s upcoming features.

GitLab Security and Governance

Although the release dates are unknown, the announcement gives an idea of what GitLab’s working on. One of the upcoming features allows third-party SBOM data to be integrated into SBOMs maintained in GitLab Security and Governance. Although are already able to import third-party SBOM data, some data has to be transformed to be usable. The upcoming feature speeds up the process.

Secondly, GitLab is working on a feature that allows users to sign software build artifacts and attestation files. GitLab wants to make it possible to insert an encrypted signature, allowing users to prove that no one has tampered with build artifacts and attestation files.

The third and final upcoming feature makes it possible to configure custom user roles. The solution’s user roles are currently limited to templates. The upcoming feature allows ‘Admins’ and ‘Group Owners’ to compose user roles with permissions of their choice. The flexibility is welcome for companies with strict security policies. GitLab’s current roles are unable to comply with the policies of some organizations.

Tip: Data protection is becoming more workload-specific (and software-defined)