
GitLab 11.9 released with secret detection and several rules for Merge Requests


Quick Leak Detection


It seems like a small mistake: accidentally pushing credentials to a shared repository. The consequences, however, can be serious. As soon as an attacker obtains your password or API key, they can take over your account, lock you out and run up charges in your name. A domino effect is also possible: access to one account opens the door to others. The stakes are high, so it is extremely important to find out about leaked secrets as early as possible.


In this release, we introduce secret detection as part of our SAST functionality. Every commit is scanned for secrets in a CI/CD job. If a secret is found, the developer receives a warning in the merge request and can revoke the leaked credential and issue a new one on the spot.


Ensuring proper change management


As an organization grows and becomes more complex, it becomes harder to keep the different parts of it consistent. The more users an application has and the more revenue it brings in, the more serious the consequences of merging wrong or insecure code. For many organizations, a proper review process before code is merged is a strict requirement, because the risks are very high.


In GitLab 11.9, approval rules for merge requests give you more control and a more efficient structure. Previously, to require approval it was enough to specify an individual or a group (any member of which could approve). Now you can add several rules so that a merge request requires approval from specific individuals or even from several members of a particular group. In addition, the Code Owners feature is integrated into the approval rules, which makes it easy to identify the right approver.


This lets organizations implement complex approval processes while keeping the simplicity of a single GitLab application, where issues, code, pipelines and monitoring data are all visible and available to make decisions and speed up the approval process.


ChatOps is now open source.


GitLab ChatOps is an effective automation tool that lets you run any CI/CD job and query its status directly from chat applications such as Slack and Mattermost. Originally introduced in GitLab 10.6, ChatOps was part of the GitLab Ultimate tier. In keeping with our product development strategy and our commitment to open source, we sometimes move features down a tier, never up.


In the case of ChatOps, we realized that this functionality can be useful to everyone, and that community participation can benefit the feature itself.


In GitLab 11.9, we open-sourced ChatOps: it is now free to use in self-managed GitLab Core and on GitLab.com, and it is open to community contributions.


And much more!


There are so many great features in this release, for example auditing of function parameters, fixing vulnerabilities from merge requests, and CI/CD templates for security jobs, that we cannot wait to tell you about them!


The Most Valuable Person (MVP) of this month is Marcel Amirault.
Marcel has constantly helped us improve GitLab's documentation. He did a lot to improve the quality and usability of our docs. Domo arigato [Japanese for "thank you very much" - translator's note], Marcel, we sincerely appreciate it!

Key features added to GitLab 11.9 release


Detection of secrets and credentials in the repository


(ULTIMATE, GOLD)


Developers sometimes inadvertently push secrets and credentials to remote repositories. If other people have access to that source code, or if the project is public, the confidential information is disclosed and can be used by attackers to access resources such as deployment environments.


GitLab 11.9 introduces a new check, Secret Detection. It scans the repository contents for API keys and other information that should not be there. GitLab shows the results in the SAST report in the merge request widget, in pipeline reports and in the security dashboards.


If you have already enabled SAST for your application, you do not need to do anything to take advantage of this new feature. It is also included in the default Auto DevOps configuration.
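To make concrete what a per-commit secret scan does, here is an added example (not GitLab's analyzer and not code from this post) that walks a unified diff, inspects only the added lines, and reports findings by file and line with the matched value redacted. The rule set, the entropy threshold of 4.0 bits per character and the sample diff are assumptions constructed for this example; the AWS values in the sample are the placeholder credentials from AWS's own documentation, not live keys.

```python
import math
import re
from collections import Counter
from typing import List, Tuple

# Rules for credential formats whose shape is fixed (constructed for this
# example; GitLab's own analyzer ships a larger rule set).
PATTERN_RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    # "password = 'literal'" style assignments with a long literal value
    "credential_assignment": re.compile(
        r"(?i)(?:api[_-]?key|secret|token|password|passwd)\s*[:=]\s*['\"]?([A-Za-z0-9_\-/+=]{16,})"
    ),
}
# Anything that looks like a long base64/hex token with near-random content.
TOKEN_RE = re.compile(r"[A-Za-z0-9/+=]{20,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; an assumption chosen for this example
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for a single repeated character)."""
    n = len(s)
    counts = Counter(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Never echo the whole secret into job logs; keep a short prefix for triage."""
    return value[:4] + "..." if len(value) > 4 else "..."


def scan_line(line: str) -> List[Tuple[str, str]]:
    """Return (rule, redacted_match) pairs for one added line."""
    hits = []
    for name, pattern in PATTERN_RULES.items():
        m = pattern.search(line)
        if m:
            hits.append((name, redact(m.group(m.lastindex or 0))))
    if hits:
        return hits  # the fixed-format rules already explain this line
    for token in TOKEN_RE.findall(line):
        if shannon_entropy(token) >= ENTROPY_THRESHOLD:
            hits.append(("high_entropy_string", redact(token)))
    return hits


def scan_diff(diff_text: str) -> List[Tuple[str, int, str, str]]:
    """Walk a unified diff and inspect only added ('+') lines.

    Returns (path, new_line_number, rule, redacted_value) tuples. Removed lines
    are ignored: a secret being deleted is not a new leak, although it is still
    in history and must be rotated.
    """
    findings = []
    path, new_lineno = None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):  # must be tested before the plain '+' case
            name = raw[4:].strip()
            path = name[2:] if name.startswith("b/") else name
        elif raw.startswith("@@"):
            m = HUNK_RE.match(raw)
            new_lineno = int(m.group(1)) - 1 if m else 0
        elif raw.startswith("+"):
            new_lineno += 1
            for rule, value in scan_line(raw[1:]):
                findings.append((path, new_lineno, rule, value))
        elif raw.startswith(" "):  # unchanged context line
            new_lineno += 1
        # '-' lines, '---', 'diff --git' and 'index' lines add nothing to the new file
    return findings


# Constructed diff for this example. The AWS values are the placeholder
# credentials from AWS's documentation; the key body is a visibly fake one
# (a real key body would also trip the entropy rule).
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,2 +1,5 @@
 DEBUG = False
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
 ALLOWED_HOSTS = ["example.invalid"]
+DATABASE_PASSWORD = os.environ["DATABASE_PASSWORD"]
diff --git a/deploy/id_rsa b/deploy/id_rsa
--- /dev/null
+++ b/deploy/id_rsa
@@ -0,0 +1,3 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAexampleexampleexampleexample
+-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for path, lineno, rule, value in scan_diff(SAMPLE_DIFF):
        print(f"{path}:{lineno}: {rule} ({value})")
```

Reading the password from the environment on the last added line of `settings.py` produces no finding, while the two literal credentials and the private key header do; a job built this way can fail the pipeline on any finding and print only the redacted prefix, so the log itself does not become a second copy of the secret.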



Documentation
Task


Merge Request Approval Rules


(PREMIUM, ULTIMATE, SILVER, GOLD)


Code review is an essential part of every successful project, but it is not always clear who should review the changes. Often, reviewers from different teams should take part: development, user experience and production teams.


Approval rules improve collaboration between the people taking part in code review: they define the circle of eligible approvers and the minimum number of approvals. The approval rules are shown in the merge request widget, so you can quickly assign the next reviewer.


In GitLab 11.8, approval rules were disabled by default. Starting with GitLab 11.9, they are enabled by default. In GitLab 11.3, we introduced Code Owners to designate the team members responsible for individual parts of the code within a project. The Code Owners feature is integrated into the approval rules, so you can always quickly find the right people to review changes.



Documentation
Task


Move ChatOps to Core


(CORE, STARTER, PREMIUM, ULTIMATE, FREE, BRONZE, SILVER, GOLD)


Originally introduced in GitLab Ultimate 10.6, ChatOps has moved to GitLab Core. GitLab ChatOps lets you run GitLab CI jobs from Slack using slash commands.


We are open-sourcing this feature in accordance with our buyer-based tiering principle. The more widely it is used, the more the community will contribute to it.



Documentation
Task


Audit Function Parameters


(PREMIUM, ULTIMATE, SILVER, GOLD)


Operations such as adding, deleting or changing function parameters are now recorded in the GitLab audit log, so you can see what was changed and when. Was there an incident and you need to see what changed recently? Or do you just need to check, as part of an audit, how function parameters were changed? Now this is very easy to do.



Documentation
Task


Fixing vulnerabilities via merge requests


(ULTIMATE, GOLD)


To fix code vulnerabilities quickly, the process has to be simple. It is important to make security fixes easy so that developers can focus on their direct responsibilities. In GitLab 11.7, we offered a patch file, but it had to be downloaded, applied locally and then pushed to the remote repository.


In GitLab 11.9, this process is automated. Fix vulnerabilities without leaving the GitLab web interface: a merge request is created directly from the vulnerability details dialog, and its new branch already contains the fix. After checking that the problem is resolved, merge the fix into the original branch once the pipeline is green.



Documentation
Task


Displaying container scanning results in the group security dashboard


(ULTIMATE, GOLD)


The group security dashboard lets security professionals concentrate on the issues that matter most to their work, providing a clear and detailed overview of all possible vulnerabilities that could affect the applications. That is why it is important that the dashboard gathers all the necessary information in one place and lets users examine the data in detail before fixing vulnerabilities.


In GitLab 11.9, container scanning results are added to the dashboard, alongside the existing SAST and dependency scanning results. Now the whole overview is in one place, regardless of where the problem was found.



Documentation
Task


CI / CD templates for security jobs


(ULTIMATE, GOLD)


GitLab's security features evolve very quickly and constantly require updates to keep them effective and the code protected. Changing job definitions is difficult when you manage several projects. We also understand that nobody wants to risk using the latest version without being sure it is fully compatible with their current GitLab instance.


That is why, in GitLab 11.7, we introduced a new mechanism for defining jobs using templates.


Starting with GitLab 11.9, we offer built-in templates for all security jobs, for example sast and dependency_scanning, each compatible with the corresponding version of GitLab.


Include them directly in your configuration, and they will be updated along with the system every time you upgrade to a new version of GitLab. Your pipeline configuration does not need to change.


The new way of defining security jobs is the official one; previous job definitions and code snippets are no longer supported. You should update your definitions as soon as possible to use the new template keyword. Support for any other syntax may be removed in GitLab 12.0 or a later release.


Documentation
Task


Other improvements in GitLab 11.9


Reply to comment


(CORE, STARTER, PREMIUM, ULTIMATE, FREE, BRONZE, SILVER, GOLD)


GitLab supports threaded discussions. Until now, the user writing the original comment had to decide from the outset whether they wanted a discussion thread.


We have relaxed this restriction. Take any comment in GitLab (on issues, merge requests and epics) and reply to it, thus starting a discussion. This makes team communication more organized.



Documentation
Task


Project Templates for .NET, Go, iOS and Pages


(CORE, STARTER, PREMIUM, ULTIMATE, FREE, BRONZE, SILVER, GOLD)


To make it easier for users to create new projects, we offer several new project templates:



Documentation
Epic


Require merge request approval from Code Owners


(PREMIUM, ULTIMATE, SILVER, GOLD)


It is not always obvious who should approve a merge request.


GitLab now supports requiring approval of a merge request from Code Owners, depending on which files the request changes. Code owners are assigned in a file called CODEOWNERS, whose format is similar to gitattributes.


Support for automatically assigning Code Owners as approvers of a merge request was added back in GitLab 11.5.
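As an added illustration of how a CODEOWNERS file and approval rules (described here and in the "Merge Request Approval Rules" section above) fit together, the following example is not GitLab's code: it parses a CODEOWNERS file, resolves the owners of each changed file (last matching entry wins, the gitignore convention), turns each distinct owner set into a "one approval from these owners" rule alongside explicit rules, and reports which rules are still unmet for a given set of approvals. The pattern matching is a simplified version of gitignore semantics, and the one-owner-per-matched-entry model, the sample CODEOWNERS file, the changed paths and the user handles are all assumptions constructed for this example.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List, Set, Tuple


@dataclass
class OwnerEntry:
    pattern: str
    owners: Set[str]


@dataclass
class ApprovalRule:
    name: str
    eligible: Set[str]  # who may approve
    required: int       # how many of them must


def parse_codeowners(text: str) -> List[OwnerEntry]:
    """Parse the gitattributes-like CODEOWNERS format: '<pattern> <owner>...'."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        pattern, *owners = line.split()
        if owners:
            entries.append(OwnerEntry(pattern, set(owners)))
    return entries


def _matches(pattern: str, path: str) -> bool:
    """Simplified gitignore-style matching: '/x' is root-anchored, 'x/' is a
    directory, and a bare name or glob matches the file name anywhere."""
    anchored = pattern.startswith("/")
    pattern = pattern.lstrip("/")
    if pattern.endswith("/"):
        return path.startswith(pattern) if anchored else "/" + pattern in "/" + path
    if "/" not in pattern:
        return fnmatchcase(path.rsplit("/", 1)[-1], pattern)
    return fnmatchcase(path, pattern)


def owners_for(entries: List[OwnerEntry], path: str) -> Set[str]:
    """The last matching CODEOWNERS entry wins, as in gitignore."""
    owners: Set[str] = set()
    for entry in entries:
        if _matches(entry.pattern, path):
            owners = entry.owners
    return owners


def build_rules(entries: List[OwnerEntry], changed_files: List[str],
                explicit_rules: List[ApprovalRule]) -> List[ApprovalRule]:
    """Explicit rules plus one 'at least one owner approves' rule per distinct
    owner set touched by the change (the Code Owners model assumed here)."""
    seen: Dict[Tuple[str, ...], ApprovalRule] = {}
    for path in changed_files:
        owners = owners_for(entries, path)
        if owners:
            key = tuple(sorted(owners))
            if key not in seen:
                seen[key] = ApprovalRule("Code Owners (" + ", ".join(key) + ")", set(owners), 1)
    return list(explicit_rules) + list(seen.values())


def unmet_rules(rules: List[ApprovalRule], approvals: Set[str]) -> List[str]:
    """Names of the rules whose required approval count has not been reached."""
    return [r.name for r in rules if len(r.eligible & approvals) < r.required]


# Constructed sample data for this example.
CODEOWNERS = """\
# catch-all first, more specific entries after it; the last match wins
*            @alice @bob @carol
*.rb         @alice
/docs/       @bob
/config/     @carol @dave
"""
CHANGED_FILES = ["app/models/user.rb", "config/gitlab.yml", "docs/api.md", "README.md"]
ENTRIES = parse_codeowners(CODEOWNERS)
RULES = build_rules(ENTRIES, CHANGED_FILES, [
    ApprovalRule("Two maintainers", {"@alice", "@bob", "@carol"}, 2),
    ApprovalRule("Security review", {"@dave", "@erin"}, 1),
])

if __name__ == "__main__":
    for approvals in ({"@alice", "@bob"}, {"@alice", "@bob", "@dave"}):
        print(sorted(approvals), "->", unmet_rules(RULES, approvals) or "mergeable")
```

With approvals from @alice and @bob, the "Two maintainers" rule and the owner rules for the Ruby and docs files are satisfied, but the config change still needs @carol or @dave and the security review still needs @dave or @erin; a single approval from @dave then satisfies both, which is the kind of cross-team gating the approval rules are meant to express.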


Documentation
Task


Moving files in the Web IDE


(CORE, STARTER, PREMIUM, ULTIMATE, FREE, BRONZE, SILVER, GOLD)


You can now move a file or directory within the repository from the Web IDE by renaming it with a new path.



Documentation
Task


Labels in alphabetical order


(CORE, STARTER, PREMIUM, ULTIMATE, FREE, BRONZE, SILVER, GOLD)


GitLab labels are incredibly versatile, and teams keep finding new uses for them. Accordingly, users often add many labels to an issue, merge request or epic.


In GitLab 11.9, we made labels slightly easier to use. In issues, merge requests and epics, the labels shown in the sidebar are arranged in alphabetical order. The same applies to the list views of these objects.



Documentation
Task


Quick commenting when the issue activity feed is filtered


(CORE, STARTER, PREMIUM, ULTIMATE, FREE, BRONZE, SILVER, GOLD)


Recently, we introduced a feature that lets users filter the activity feed of an issue, merge request or epic so that only comments or only system notes are shown. This setting is saved per user, and it happens that a user returning to the issue several days later does not realize they are looking at a filtered feed and thinks it is impossible to leave a comment.


We have improved this interaction. Users can now quickly switch to a mode that lets them leave comments without scrolling back to the top. This applies to issues, merge requests and epics.



Documentation
Task


Reordering child epics


(ULTIMATE, GOLD)


Recently, we released child epics, allowing epics to be nested within epics (in addition to the child issues of an epic).


Now you can reorder child epics simply by dragging them, as with child issues. Teams can use the order to reflect priority or the sequence of work.



Documentation
Task


Custom system headers and footers on the web and in email


(CORE, STARTER, PREMIUM, ULTIMATE)


Earlier, we added a feature that lets custom header and footer messages appear on every page in GitLab. It was warmly received, and teams use it to share important information, for example system messages about their GitLab instance.


We are happy to bring this feature to Core, so that even more people can use it. In addition, users can optionally show the same messages in all emails sent by GitLab, for consistency with that other point of interaction with GitLab.



Documentation
Task


Filter for confidential issues


(CORE, STARTER, PREMIUM, ULTIMATE, FREE, BRONZE, SILVER, GOLD)


Confidential issues are a useful tool for teams, allowing sensitive topics to be discussed openly within a public project. In particular, they are ideal for working on security vulnerabilities. Until now, managing confidential issues was not that easy.


In GitLab 11.9, the GitLab issue list can be filtered by confidential or non-confidential issues. This also applies to searching issues via the API.


Thank you for the contribution of Robert Schilling!



Documentation
Task


Editing a Knative domain after deployment


(CORE, STARTER, PREMIUM, ULTIMATE, FREE, BRONZE, SILVER, GOLD)


Specifying a custom domain when installing Knative lets you serve various serverless applications and functions from a unique endpoint.


GitLab's Kubernetes integration now lets you change or update the custom domain after Knative has been deployed to the Kubernetes cluster.


Documentation
Task


Check Kubernetes CA certificate format


(CORE, STARTER, PREMIUM, ULTIMATE, FREE, BRONZE, SILVER, GOLD)


When adding an existing Kubernetes cluster, GitLab now checks that the entered CA certificate is in valid PEM format. This eliminates a class of errors in the Kubernetes integration.
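A format check of this kind is cheap to do before a certificate is stored. The following example, added here and not GitLab's own validation code, shows one way to do it with Python's standard library: it requires CERTIFICATE armour, valid base64 inside it, and a decoded body that is a single ASN.1 SEQUENCE whose encoded length matches the data, and it names the failure so the user can act on it. The sample inputs are constructed (the DER body is a minimal SEQUENCE, not a real certificate), and the reason codes are assumptions of this example; a full validator would additionally parse the certificate and check that it is a CA.

```python
import base64
import binascii
import re
from typing import Optional, Tuple

CERT_BLOCK_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def _der_total_length(der: bytes) -> Optional[int]:
    """Total length the outer ASN.1 SEQUENCE claims for itself (header included),
    or None if the bytes do not start with a well-formed SEQUENCE header."""
    if len(der) < 2 or der[0] != 0x30:  # 0x30 = SEQUENCE tag
        return None
    first = der[1]
    if first < 0x80:  # short form: this byte is the content length
        return 2 + first
    n = first & 0x7F  # long form: number of length bytes that follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_pem_certificate(text: str) -> Tuple[bool, str]:
    """Return (ok, reason). Accepts one certificate or a concatenated chain."""
    bodies = CERT_BLOCK_RE.findall(text)
    if not bodies:
        if "PRIVATE KEY-----" in text:
            return False, "private-key"  # a common paste mistake, worth naming
        return False, "no-certificate-block"
    for body in bodies:
        try:
            der = base64.b64decode(re.sub(r"\s+", "", body), validate=True)
        except (binascii.Error, ValueError):
            return False, "not-base64"
        expected = _der_total_length(der)
        if expected is None:
            return False, "not-der-sequence"
        if expected != len(der):
            return False, "truncated-or-trailing-data"
    return True, "ok"


# Constructed inputs. "MAMCAQE=" is the base64 of 30 03 02 01 01, a minimal DER
# SEQUENCE containing one INTEGER; it exercises the structural checks but is
# not a real certificate.
GOOD_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
SAMPLES = {
    "single certificate": GOOD_PEM,
    "two-certificate chain": GOOD_PEM * 2,
    "private key pasted instead": "-----BEGIN RSA PRIVATE KEY-----\nMAMCAQE=\n-----END RSA PRIVATE KEY-----\n",
    "bare base64, no armour": "MAMCAQE=\n",
    "corrupted base64": "-----BEGIN CERTIFICATE-----\nMAMC!QE=\n-----END CERTIFICATE-----\n",
    "truncated DER": "-----BEGIN CERTIFICATE-----\nMAM=\n-----END CERTIFICATE-----\n",
    "not a SEQUENCE": "-----BEGIN CERTIFICATE-----\nAgEB\n-----END CERTIFICATE-----\n",
}

if __name__ == "__main__":
    for label, pem in SAMPLES.items():
        print(f"{label:28s} -> {check_pem_certificate(pem)}")
```

Distinguishing "you pasted a private key" from "no certificate block" makes the error actionable, and catching a truncated paste at entry time, before the first connection to the cluster fails with an opaque TLS error, is exactly the class of integration problem the post refers to.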


Documentation
Task


Expanding the merge request diff to the entire file


(CORE, STARTER, PREMIUM, ULTIMATE, FREE, BRONZE, SILVER, GOLD)


When reviewing the changes in a merge request, you can now expand the diff of each file to show the whole file for more context, and leave comments on unchanged lines.



Documentation
Task


Run specific jobs on merge requests only when certain files are modified


(CORE, STARTER, PREMIUM, ULTIMATE, FREE, BRONZE, SILVER, GOLD)


In GitLab 11.6, we added the ability to set only: merge_requests on pipeline jobs, so that users can run specific jobs only when a merge request is created.


Now we are extending this functionality: it can be combined with only: changes, so users can run specific jobs for merge requests only when certain files are changed.


Thanks for the contribution of Hiroyuki Sato!


Documentation
Task


Automatic monitoring of GitLab with Grafana


(CORE, STARTER, PREMIUM, ULTIMATE)


Grafana is now bundled in our Omnibus package, which makes it easy to understand how your instance is performing.


Set grafana['enable'] = true in gitlab.rb, and Grafana will be available at https://your.gitlab.instance/-/grafana . In the near future, we will also ship GitLab dashboards out of the box.


Documentation
Task


View parent epics in the epic sidebar


(ULTIMATE, GOLD)


Recently, we introduced child epics, allowing epics to be nested within epics.


In GitLab 11.9, we made this relationship easier to see. Not only the parent of a given epic is now visible, but the entire epic ancestry in the right sidebar. You can see whether those epics are closed or not, and you can go directly to them.



Documentation
Task


Link to the new issue from the moved and closed issue


(CORE, STARTER, PREMIUM, ULTIMATE, FREE, BRONZE, SILVER, GOLD)


In GitLab, you can easily move an issue to another project using the sidebar or a quick action. Behind the scenes, the existing issue is closed and a new issue is created in the target project with all the data copied over, including system notes and sidebar attributes. This is a great feature.


Although there is a system note about the move, users browsing the closed issue are perplexed: they do not realize that the issue was closed because it was moved.


In this release, we add an icon at the top of the closed issue page indicating that it has been moved, together with an inline link to the new issue, so that anyone who lands on the old one can quickly move on to the new one.



Documentation
Task


YouTrack Integration


(CORE, STARTER, PREMIUM, ULTIMATE, FREE, BRONZE, SILVER, GOLD)


GitLab integrates with many external issue trackers, which makes it easier for teams to use GitLab for its other functions while keeping their existing issue management tool.


In this release, we added integration with YouTrack from JetBrains.
Thank you for the contribution of Yauhen Kotau!



Documentation
Task


Resizing the merge request file tree


(CORE, STARTER, PREMIUM, ULTIMATE, FREE, BRONZE, SILVER, GOLD)


When viewing the changes in a merge request, you can now resize the file tree to show long file names or to save space on small screens.



Documentation
Task


Go to recent issue boards


(STARTER, PREMIUM, ULTIMATE, BRONZE, SILVER, GOLD)


Issue boards are very convenient, and teams create several boards per project and group. We recently added a search box to quickly filter the boards you are interested in.


In GitLab 11.9, we also added a Recent section to the dropdown, so you can quickly go to the boards you recently interacted with.



Documentation
Task


Developers can create protected branches


(CORE, STARTER, PREMIUM, ULTIMATE, FREE, BRONZE, SILVER, GOLD)


Protected branches prevent unreviewed code from being pushed or merged. However, if nobody is allowed to push to protected branches, nobody can create a new protected branch either, for example a release branch.


In GitLab 11.9, developers can create protected branches from already protected branches via the GitLab UI or the API. Pushing a new protected branch with Git is still restricted, so that new protected branches are not created by accident.


Documentation
Task


Deduplication of Git objects for public forks (Beta)


(CORE, STARTER, PREMIUM, ULTIMATE)


Forking lets anyone participate in open source projects without write permission, simply by copying the repository into a new project. Storing full copies of frequently forked Git repositories is inefficient. Using Git alternates, forks now share common objects with the parent project in an object pool, which reduces disk storage requirements.


Object pools for forks are created only for public projects when hashed storage is enabled. Object pools are enabled with the object_pools feature flag.


Documentation
Epic


Filtering the merge request list by assigned approver


(STARTER, PREMIUM, ULTIMATE, BRONZE, SILVER, GOLD)


Code review is common practice in any successful project, but it can be difficult for a reviewer to keep track of merge requests.


In GitLab 11.9, the merge request list can be filtered by assigned approver. This way you can find the merge requests on which you were added as a reviewer.
Thanks for the contribution of Glavin Wiechert!



Documentation
Task


Keyboard shortcuts for the next and previous file in a merge request


(CORE, STARTER, PREMIUM, ULTIMATE, FREE, BRONZE, SILVER, GOLD)


When viewing the changes in a merge request, you can quickly switch between files using ] or j to go to the next file and [ or k to go to the previous file.


Documentation
Task


Simplify .gitlab-ci.yml for serverless projects


(CORE, STARTER, PREMIUM, ULTIMATE, FREE, BRONZE, SILVER, GOLD)


Building on GitLab CI's include functionality, the serverless gitlab-ci.yml has been greatly simplified. Changes to this file will not be needed to introduce new features in future releases.


Documentation
Task


Ingress hostname support


(CORE, STARTER, PREMIUM, ULTIMATE, FREE, BRONZE, SILVER, GOLD)


When a Kubernetes Ingress is deployed, some platforms return an IP address (for example GKE from Google) and others a DNS name (for example EKS from AWS).


Our Kubernetes integration now supports both kinds of endpoint for display in the project's Clusters section.


Thank you for the contribution of Aaron Walker!


Documentation
Task


Restricting JupyterHub login to group and project members


(CORE, STARTER, PREMIUM, ULTIMATE, FREE, BRONZE, SILVER, GOLD)


Deploying JupyterHub through GitLab's Kubernetes integration is a great way to maintain and use Jupyter Notebooks in large groups. It is also useful to control access to them when confidential or personal data is involved.


In GitLab 11.9, logging in to JupyterHub instances deployed through Kubernetes is restricted to project members with the Developer access level (granted via the group or the project).


Documentation
Task


Customizable time ranges for the security dashboard chart


(ULTIMATE, GOLD)


The group security dashboard includes a vulnerability chart for reviewing the current security status of the group's projects. This is very useful for security directors to set up processes and understand how a team is doing.


In GitLab 11.9, you can select the time range of this vulnerability chart. The default is the last 90 days, but you can set the interval to 60 or 30 days, depending on the level of detail required.


This does not affect the data in the counters or in the list, only the data points shown on the chart.


Documentation
Task


Auto DevOps build job for tags


(CORE, STARTER, PREMIUM, ULTIMATE, FREE, BRONZE, SILVER, GOLD)


The Auto DevOps build job builds your application using the project's Dockerfile or a Heroku buildpack.


In GitLab 11.9, the Docker image built in a tag pipeline is named in the same way as conventional image names, using the commit's tag instead of the commit SHA.
Thank you for the contribution of Aaron Walker!


Update Code Climate to version 0.83.0


(STARTER, PREMIUM, ULTIMATE, BRONZE, SILVER, GOLD)


GitLab Code Quality uses the Code Climate engine to check how changes affect the state of your code and project.


In GitLab 11.9, we updated the engine to the latest version (0.83.0) to bring the benefits of additional language and static analysis support to GitLab Code Quality.


Thank you for the contribution of GitLab Core Team member Takuya Noguchi!


Documentation
Task


Zooming and scrolling the metrics dashboard


(CORE, STARTER, PREMIUM, ULTIMATE, FREE, BRONZE, SILVER, GOLD)


When investigating performance anomalies, it is often useful to take a closer look at individual parts of a particular metric.


With GitLab 11.9, users can zoom into individual time periods on the metrics dashboard, scroll through the entire time range, and easily return to the original time interval. This makes it easy and quick to explore the events of interest.



Documentation
Task


SAST for TypeScript


(ULTIMATE, GOLD)


TypeScript is a relatively new programming language based on JavaScript.


In GitLab 11.9, the Static Application Security Testing (SAST) feature analyzes TypeScript code and detects vulnerabilities, showing them in the merge request widget, at the pipeline level and in the security dashboard. The current sast job definition does not need to change, and the feature is also automatically included in Auto DevOps.


Documentation
Task


SAST for Maven multi-module projects


(ULTIMATE, GOLD)


Maven projects are often organized to combine several modules in a single repository. Previously, GitLab could not properly scan such projects, and developers and security specialists did not receive vulnerability reports.


GitLab 11.9 extends SAST support to this particular project layout, making it possible to test such projects for vulnerabilities out of the box. Thanks to the flexibility of the analyzers, the configuration is detected automatically, and you do not need to change anything to see results for multi-module Maven applications. As usual, the same improvements are also available within Auto DevOps.


Documentation
Task


GitLab Runner 11.9


(CORE, STARTER, PREMIUM, ULTIMATE, FREE, BRONZE, SILVER, GOLD)


Today we also released GitLab Runner 11.9! GitLab Runner is an open source project used to run CI/CD jobs and send the results back to GitLab.


Below are some of the changes in GitLab Runner 11.9:



A complete list of changes can be found in the GitLab Runner changelog: CHANGELOG.


Documentation


GitLab chart improvements


(CORE, STARTER, PREMIUM, ULTIMATE)


The following improvements have been made to the GitLab chart:



Documentation


Performance improvements


(CORE, STARTER, PREMIUM, ULTIMATE, FREE, BRONZE, SILVER, GOLD)


We continue to improve GitLab performance with each release, for GitLab instances of any size. Here are some of the improvements in GitLab 11.9:




Omnibus


(CORE, STARTER, PREMIUM, ULTIMATE)


GitLab 11.9 Omnibus:




GitLab Geo GitLab 12.0


GitLab Geo (race condition) . gitlab-ce#40970 .


GitLab 11.5 Geo: gitlab-ee # 8053 .


GitLab 11.6 sudo gitlab-rake gitlab: geo: check , . . gitlab-ee#8289 . Geo, , .


GitLab 11.8 gitlab-ee!8433 Admin Area › Geo › Nodes , .


GitLab 12.0 Geo . . gitlab-ee#8690 .

: 22 2019 .


Hipchat


Hipchat . , 11.9 Hipchat GitLab .


: 22 2019 .


CentOS 6 GitLab Runner Docker executor


GitLab Runner CentOS 6, Docker GitLab 11.9. Docker, CentOS 6. .


: 22 2019 .


legacy GitLab Runner


Gitlab 11.9 GitLab Runner / . GitLab Runner , .


GitLab 11.0 GitLab Runner. metrics_server listen_address GitLab 12.0. . .


11.3 GitLab Runner - , S3 . . .


GitLab 12.0. , , , GitLab 11.9+ GitLab Runner 12.0.


: 22 2019 .


GitLab Runner


11.4 GitLab Runner FF_K8S_USE_ENTRYPOINT_OVER_COMMAND , #2338 #3536 .


GitLab 12.0 , . .


: 22 2019 .


Linux, EOL, GitLab Runner


Linux, GitLab Runner, .


GitLab 12.0 GitLab Runner Linux. , , . ( Javier Jardón ) !


: 22 2019 .


GitLab Runner Helper


Windows Docker executor , helper image .


GitLab 12.0 GitLab Runner . , helper image . .


: 22 2019 .


Git GitLab 11.10


Git .


, , Git. GitLab 11.10 , .


, .


: 22 2019 .


Prometheus 1.x Omnibus GitLab


GitLab 11.4 , Prometheus 1.0 Omnibus GitLab. Prometheus 2.0 . 1.0. 2.0 , , .


GitLab 12.0 Prometheus 2.0, . Prometheus 1.0 , .. .

: 22 2019 .


TLS v1.1


GitLab 12.0 TLS v1.1 . , Heartbleed, GitLab “ ” PCI DSS 3.1.


To disable TLS v1.1 ahead of time, set nginx['ssl_protocols'] = "TLSv1.2" in gitlab.rb and run gitlab-ctl reconfigure.


: 22 2019 .


OpenShift GitLab


gitlab helm chart — GitLab Kubernetes, OpenShift .


OpenShift GitLab GitLab 12.0 .

: 22 2019 .


security jobs


CI/CD security jobs GitLab 12.0 .


, , GitLab.


: 22 2019 .


System Info


GitLab GitLab admin/system_info , .


GitLab 12.0 .


: 22 2019 .



Source: https://habr.com/ru/post/445844/

