Feeling safe yet? GitLab 14.5 introduces security scanning for infra as code config files

Gitlab Logo
Gitlab Logo

Repo management-cum-DevOps platform GitLab has gotten its monthly update. As part of the release of v14.5 the company decided to make the GitLab Kubernetes Agent available to all users, which is why its core features along with the CI/CD Tunnel are now part of GitLab’s free offering.

Many of the more interesting enhancements included in the release are security related, with one highlight being the newly introduced security scanning feature for infrastructure as code configurations files. It is based on Checkmarx’s open source project KICS and promises to be able to find misconfigurations, compliance issues, and security vulnerabilities in config files for Ansible, AWS CloudFormation, Kubernetes, and HashiCorp’s Terraform.

GitLab’s Secret Detection scanner also learned 47 additional patterns to look out for and ultimate customers can get started with setting more granular vulnerability check rules. GitLab aficionados who have been eyeing GitHub’s option of fitting user profiles with personal information, meanwhile, will be happy to learn that adding personal READMEs to their profile is now officially an option for them, too.

Admins of self-managed installations on the premium or ultimate tier gained a new command to help turn any node of a Geo secondary site into primary which should make failover processes for multi-node sites a bit easier to automate. Options to add, edit and describe project topics have been opened for them as well as part of the 14.5 release, so that users have something to look at when they open the newly available explore topics tab.

The update provides developers with a bit of extra control when writing pipelines, as the include keyword for external configs can now be used with an exists condition. Other additions meant to make the lives of those involved in the software development process a little include a mini pipeline graph in the pipeline editor, the option to configure default merge commit message templates, and a fixed toolbar at the top of the wiki input field.

As usual, there are a couple of things to be aware of with this release, like the renaming of the Task Runner pod to Toolbox to avoid confusion with GitLab Runner and the deprecation of certificate-based integration with Kubernetes that go along with the release. Details can be found on the GitLab website.

Those who have grown to use the free tier of GitLab.com for their public projects and employ the platform’s CI/CD capabilities should check the newly announced usage quotas. The company announced restrictions around available CI/CD minutes per month earlier in November, following “a large uptick in the abuse of free pipeline minutes to mine for cryptocurrencies”. 

Devs will have to make do with 400 free CI pipeline minutes per month with the option of buying additional capacities once that number has been reached. Open source program participants and those making use of a specific runner instead of GitLab shared runners should be unaffected by the change. GitLab isn’t the first project to change its free offering as a result of mining activities — various continuous integration services such TravisCI and Azure Pipelines already took similar steps to make sure resources weren’t drained from more legit customers.