GitLab 11.1 Released: Security Control Panel and Advanced Search

Original author: GitLab


In GitLab 11.1, we improved security visibility with a new dashboard, improved code search so that you get the right information quickly, made changes to the UX, and more.


Improved visualization for the security team


GitLab is designed for working together. GitLab's mission is for everyone to be able to contribute, so we have built a tool that lets product managers, developers, testers, operations engineers and information security specialists collaborate. That is why we combine software development and DevOps in one application. And we believe the merge request is one of the most powerful collaboration tools there is.


But sometimes a merge request is not exactly what you need.


Merge requests are good when you need to see how individual changes affect the application. But what if you need a higher-level view? Sometimes it is necessary to look at all the current security issues that affect the branch as a whole. The new security dashboard lets you do exactly that. In the dashboard you can prioritize, so that you focus on the most important vulnerabilities. There is no longer any need to compare the reports of every merge request: everything is in one place. We think this will be especially useful for those responsible for information security; GitLab now has a dedicated tool to help them do their work. The security dashboard lets security teams manage the priority of critical vulnerabilities, fix some and dismiss others (when they are irrelevant for a given project), so that once a finding has been dismissed it no longer reappears in the reports.


Fast search


Reliable code search is one of the core needs of a developer. If you are new to a team, or if you are trying to make sense of a lot of existing code before adding a new feature, search is a good way to get to know the key areas.


Code search was available before, but we have made it better. The advanced search syntax lets you find the files you need faster, thanks to the ability to filter by file name, by path and by file extension.


And even more!


In addition to new security features, we also improved the UX: we redesigned the merge request widget, added the merge request description panel to the Web IDE, reworked the Contribution Analytics page in GitLab, and more.


Read on to learn about all the changes in GitLab 11.1.


Join us at our meetups


GitLab MVP badge


This month's MVP is Jasper Maes


Jasper's contribution has been and remains an integral part of the work on upgrading GitLab to Rails 5 over the past few months.


Thank you, Jasper, for constantly making GitLab better! As a sign of gratitude, we have sent you branded souvenirs, including a handmade sweatshirt, socks and a tanuki.


Main new features of GitLab 11.1


Project Security Control Panel (ULTIMATE, GOLD)


Security professionals are focused on preventing threats that can harm the application. Even after code has been merged into a stable branch or has already been released, they need to keep monitoring and fixing problems that may affect security.


To make life easier for them, we added a security dashboard to GitLab 11.1, which reports the current security status of the main branch of each project. This makes it easy for the security team to notice that something has gone wrong and to decide whether anything needs to be done. The dashboard can be found in the Project menu. It is interactive: it can be used to dismiss false positives or to create issues for existing vulnerabilities.


Security Dashboard for projects


Security Panel Documentation


Filters for advanced search: file name and path to it (CORE, STARTER, PREMIUM, ULTIMATE, FREE, BRONZE, SILVER, GOLD)


Since teams are constantly creating large amounts of code, searching through it is not an easy task. In this case, it is crucial to have a tool for managing the code and, in particular, searching through it.


This release introduces new advanced syntax options that let you search code using three filters. You can now search by file name (filename), by path (path) and even by extension (extension), and the results will be more precise. These filters are available both in the web interface and in the API.


For Core, these filters are available at the project level.


For Starter and above: if you use Elasticsearch, the filters are also available at the group level and globally.


On all GitLab.com subscription plans, the filters work only at the project level, since Elasticsearch is not yet available there. However, we are working on rolling out Elasticsearch on GitLab.com.
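As an added illustration (not GitLab's own code), here is a small Python helper that splits a query written in the advanced search syntax described above into free-text terms and filename:/path:/extension: filters, and applies them to a constructed repository listing. The matching rules (wildcards for filename, substring match for path, exact match for extension) are a simplified emulation and are an assumption, not GitLab's search backend.

```python
"""Added example: parse a GitLab-style advanced search query and apply its
filename:/path:/extension: filters to a constructed file listing.
Matching semantics are a simplified emulation (assumed), not GitLab's."""
import fnmatch
import posixpath

FILTER_KEYS = ("filename", "path", "extension")


def parse_query(query):
    """Return (terms, filters): filters maps each key to the values given."""
    terms, filters = [], {k: [] for k in FILTER_KEYS}
    for token in query.split():
        key, sep, value = token.partition(":")
        if sep and key in FILTER_KEYS and value:
            filters[key].append(value)
        else:
            terms.append(token)
    return terms, filters


def matches(path, content, terms, filters):
    """All given filters must hold, then every free-text term must occur."""
    name = posixpath.basename(path)
    ext = name.rsplit(".", 1)[1] if "." in name else ""
    if filters["filename"] and not any(fnmatch.fnmatch(name, f) for f in filters["filename"]):
        return False
    if filters["path"] and not any(p in path for p in filters["path"]):
        return False
    if filters["extension"] and ext not in filters["extension"]:
        return False
    return all(t.lower() in content.lower() for t in terms)


def search(blobs, query):
    """Return the sorted paths of blobs (path -> content) matching the query."""
    terms, filters = parse_query(query)
    return sorted(p for p, c in blobs.items() if matches(p, c, terms, filters))


# Constructed sample repository: path -> file content.
SAMPLE_BLOBS = {
    "config/database.yml": "password: example_secret\n",
    "config/secrets.yml": "secret_key_base: x\n",
    "app/models/user.rb": "class User; attr_accessor :password; end\n",
    "spec/models/user_spec.rb": "describe User do; end\n",
    ".env": "DB_PASSWORD=example\n",
    "docs/auth.md": "Reset your password via email.\n",
}

if __name__ == "__main__":
    # A reviewer hunting for credentials in configuration files only:
    print(search(SAMPLE_BLOBS, "password extension:yml path:config"))
    print(search(SAMPLE_BLOBS, "filename:*.rb path:spec"))
```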


Advanced Search Syntax Documentation


File name and path filters for advanced code search


Scan containers and DAST reports at the pipeline level (ULTIMATE, GOLD)


Security reports in merge requests are very useful for detecting new problems in new code, even before that code reaches the master branch. But since vulnerabilities can appear before a merge request is created, developers sometimes need to know the security status of a particular branch at a particular point in time.


In GitLab 11.1, the set of security reports displayed at the pipeline level is extended with Dynamic Application Security Testing (DAST) and container scanning. Just open the Reports tab to get all the security information and take appropriate action.


Security Reporting Documentation


Container Scanning and DAST reports at pipeline level


SAST support for Node.js (ULTIMATE, GOLD)


Static Application Security Testing (SAST) lets you detect vulnerabilities in your code as soon as the changes land in the repository. This information is shown in the merge request, so that the vulnerabilities found can be fixed before they reach production: the "shift left" happens automatically.


In GitLab 11.1, we added Node.js to the list of languages supported by SAST. You do not need to change any settings in your Node.js projects: the new language is detected automatically and scanned by the sast job.


SAST documentation


SAST support for Node.js


Redesign of the information section and the pipeline section of the merge request widget (CORE, STARTER, PREMIUM, ULTIMATE, FREE, BRONZE, SILVER, GOLD)


In GitLab, merge requests in general, and the merge request widget in particular, are powerful features that display a large amount of useful information and functionality. We constantly re-evaluate the design and want to be sure that the information is useful and easy to take in.


In this release, we reworked the design of the information section and the pipeline section, separating them from the rest of the widget's content so they are easier to read.


Merge Requests Documentation


Merge request widget redesign


Groups drop-down menu in navigation (CORE, STARTER, PREMIUM, ULTIMATE, FREE, BRONZE, SILVER, GOLD)


Switching between groups should be a simple task that does not interrupt your workflow. To make this step easier, we added a drop-down menu for groups to the top navigation bar for quick access. This will save you from having to switch while working to another screen in order to find a group whose name is hard to remember. As in the Projects menu, Groups will display frequently visited groups.


Group Documentation


Groups dropdown in navigation


View a merge request description in the Web IDE (CORE, STARTER, PREMIUM, ULTIMATE, FREE, BRONZE, SILVER, GOLD)


When you are working on a merge request or reviewing it, it is convenient to go back to its description to find out why, and in what context, the changes were made.


Starting with this release, instead of switching tabs, you can simply open the merge request description next to the code directly in the Web IDE.


Web IDE documentation


View merge request description in the Web IDE


Other improvements in GitLab 11.1


Redesign of the development analytics page (STARTER, PREMIUM, ULTIMATE, BRONZE, SILVER, GOLD)


We redesigned the Contribution Analytics page for better readability and consistency in the user interface. We focused on making sure the page can accommodate a large number of developers, so that it is easier to understand how participants contribute.


Contribution Analytics redesign


Contribution Analytics documentation


Redesign of pages with list of milestones (CORE, STARTER, PREMIUM, ULTIMATE, FREE, BRONZE, SILVER, GOLD)


In this version, we redesigned the milestone list pages, including the project, group and dashboard milestone lists, for consistency across the interface.


This is the first step in simplifying the design. We are making it cleaner and more comfortable, which will ultimately let teams manage their milestones better.


Milestone list pages redesign


Milestones documentation


GitLab subgroups in the “Development” panel in Jira (PREMIUM, ULTIMATE, SILVER, GOLD)


Teams that use Jira together with GitLab benefit from the integration with the Jira Development panel. It lets Jira users see merge requests, branches and commits from GitLab directly in the development panel of a Jira issue. Specifically, you configure the integration by pointing the Jira server at a top-level group in GitLab; all projects in that group then become visible to that server.


With this release, we extend that visibility so that all projects in the top-level group, as well as in its nested subgroups, are visible to the Jira server. This makes the integration more flexible, allowing you to structure your projects in the GitLab hierarchy as you see fit without changing how issues are managed in Jira.


GitLab subgroups in Jira Development panel


Documentation for integrating the Jira Development panel with GitLab


GitLab Flavored Markdown with CommonMark (CORE, STARTER, PREMIUM, ULTIMATE, FREE, BRONZE, SILVER, GOLD)


GitLab Flavored Markdown (GFM) lets users quickly and easily format and style text in GitLab, including in issues, merge requests, epics, comments and elsewhere. Until now, GitLab used Redcarpet, an older Markdown implementation, for GFM. This led to a number of problems.


Starting with this release, new GFM content is rendered using the modern CommonMark engine, while previously created Markdown files remain on Redcarpet. This is described in more detail in the Markdown documentation.


Besides solving most of the problems mentioned, CommonMark performs better. GitHub also uses CommonMark, so GitHub users who switch to GitLab will now work with the same Markdown. In the future, once Markdown files in repositories are also rendered with CommonMark, projects imported from GitHub into GitLab will have their Markdown files processed in the same way.


Thanks to blackst0ne for this feature!


GitLab Flavored Markdown with CommonMark


GitLab Flavored Markdown Documentation


Quick action to make an issue confidential (CORE, STARTER, PREMIUM, ULTIMATE, FREE, BRONZE, SILVER, GOLD)


You can now quickly make an issue confidential right from the comment field. This lets you write a comment and make the issue confidential in one go, without taking your hands off the keyboard.


Thanks to Jan Beckmann for his input!


Confidential issue quick action


Quick action documentation


Autocompletion of epics and labels in epics (ULTIMATE, GOLD)


In this release, we improved autocompletion in epics. Specifically, when you write an epic description or comment, typing the & character makes GitLab search the epics of the group, and typing ~ triggers a search for labels, just as it already works for issues (#) and merge requests (!).


Autocomplete epics and labels in epics


Epic Documentation


Refactoring merge requests to Vue.js (CORE, STARTER, PREMIUM, ULTIMATE, FREE, BRONZE, SILVER, GOLD)


Since 2016, when GitLab decided to adopt Vue.js, we have used it not only to build new features but also to refactor existing ones, improving both the interface and performance.


In this release, we rewrote the merge request interface. This gives us more control over performance, which we will be working on over the next few releases. It will also make it easier and more efficient to build new features with Vue.js; for example, we are already working on batch commenting.


Take a look at the ongoing work on this interface, beyond what we have already shipped in this release.


Merge request comments Vue.js refactor


Merge Requests Documentation


API for configuring issue boards (STARTER, PREMIUM, ULTIMATE, BRONZE, SILVER, GOLD)


Earlier, in GitLab 10.2, we released board configuration, which lets teams save a configuration for an issue board. This feature is now available through the GitLab API.


This lets teams build their own workflows, including automated ones. For example, if you want to reuse the same issue board for each iteration, you can now change the board's milestone configuration through the API and automate the switch with an external script between iterations.


Issue boards API documentation


Merge request locked state added to the API (CORE, STARTER, PREMIUM, ULTIMATE, FREE, BRONZE, SILVER, GOLD)


In this release, we added the locked state of merge requests to the GitLab API; previously it was an internal state not exposed through the API. A merge request is in the locked state while its source branch is being merged into the target branch.


By exposing this state through the API, we allow external systems to reliably access all merge requests, including those that are in this transient locked state.


Merge requests API documentation


Transferring projects between namespaces using API (CORE, STARTER, PREMIUM, ULTIMATE, FREE, BRONZE, SILVER, GOLD)


In the project settings, owners can transfer an existing project to another namespace (another user or group). This gives you flexibility in organizing projects across personal and group namespaces.


In this release, we expose this setting through the project API, so that you can move several repositories at once in a single step.


Thanks Aram Visser for this feature!


Project Transfer Documentation


Initialization of README when creating a project (CORE, STARTER, PREMIUM, ULTIMATE, FREE, BRONZE, SILVER, GOLD)


We at GitLab believe that everyone can contribute to the development. An essential step towards this goal is to make the creation of a new project on GitLab as simple and intuitive as possible.


In release 11.1, we introduce a new option that lets you initialize the repository with a README file when creating a new project. If it is enabled, the project repository is initialized with a default branch, master, which you can clone immediately. The generated README file contains the project's name and description.


Initialize README on project creation


Project Creation Documentation


Improved user experience when configuring SSH keys (CORE, STARTER, PREMIUM, ULTIMATE, FREE, BRONZE, SILVER, GOLD)


With GitLab, anyone should be able to contribute and push to projects without having to learn anything complicated. With that ideal in mind, we found that configuring SSH keys, a basic prerequisite for getting started, was still too complicated.


In this release, we improved the user experience of configuring SSH keys (the "SSH Keys" settings page) and the related documentation.


Improved user experience on SSH key configuration


SSH Key Documentation in GitLab


Improved Web IDE commit (CORE, STARTER, PREMIUM, ULTIMATE, FREE, BRONZE, SILVER, GOLD)


In this release, we simplified committing in the Web IDE by pre-filling the commit message and adding the ability to commit with one click (Stage & Commit). Now, when you edit a branch you cannot write to (for example, master), the Web IDE suggests creating a new branch by default and pre-fills a meaningful name for it, so that you can always create a commit in one click.


Previously, the commit message was not pre-filled, and in such cases the commit button was disabled. This slowed down changes and left users puzzled: "Why can't I commit?".


Improved Web IDE staging and committing


Web IDE documentation


Link to Contribute to GitLab (CORE, FREE)


GitLab is strong in its community - and nothing inspires us more than the emergence of new people involved in the development!


In this release, we made it easier for GitLab Core and GitLab.com users to find the "Contribute to GitLab" page: we added a convenient link to it directly in the user profile menu.


'Contribute to GitLab' link


Details in our guide to contributing to GitLab


Ability to bypass two-factor authentication with SAML (CORE, STARTER, PREMIUM, ULTIMATE, FREE, BRONZE, SILVER, GOLD)


In many cases, SAML providers already support, or even require, two-factor authentication to provide the desired level of security.


Starting with GitLab 11.1, you can disable two-factor authentication on the GitLab side and rely on the SAML provider to perform it, in order to meet its requirements. For this, we added a new parameter to the SAML configuration.


Thanks to Roger Rüttimann for this feature!


SAML OmniAuth Provider Documentation


New HEAD method in file API (CORE, STARTER, PREMIUM, ULTIMATE, FREE, BRONZE, SILVER, GOLD)


Our file API allows you to perform CRUD operations (create, read, update, and delete) on files stored in your GitLab project.


With GitLab 11.1, we add support for the HTTP HEAD method to the file API, which lets you read a file's metadata without fetching its contents. You can use this request, for example, to check the file size before deciding whether to download it.
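As an added example (not GitLab's own code), the following Python helper performs the check described above: it issues a HEAD request against the repository files API, decides from the size header whether the file is worth downloading, and additionally verifies fetched bytes against the SHA-256 announced by the server. The header names X-Gitlab-Size and X-Gitlab-Content-Sha256 are assumed from GitLab's API documentation; the instance URL and the HEAD response used to run it offline are constructed placeholders.

```python
"""Added example: use HEAD on the repository files API to read metadata
before downloading. Header names are assumed from GitLab's API docs;
GITLAB_URL and the sample response are constructed placeholders."""
import hashlib
import urllib.parse
import urllib.request

GITLAB_URL = "https://gitlab.example.com"  # placeholder instance
MAX_DOWNLOAD_BYTES = 1024 * 1024  # local policy: skip anything over 1 MiB


def file_url(project_id, file_path, ref):
    """Build the files API URL; the file path is URL-encoded, including '/'."""
    encoded = urllib.parse.quote(file_path, safe="")
    return (f"{GITLAB_URL}/api/v4/projects/{project_id}/repository/files/"
            f"{encoded}?ref={urllib.parse.quote(ref, safe='')}")


def head_metadata(url, token):
    """Issue the HEAD request and return the response headers as a dict."""
    req = urllib.request.Request(url, method="HEAD", headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return dict(resp.headers)


def should_download(headers, limit=MAX_DOWNLOAD_BYTES):
    """Decide from the metadata alone whether the body is worth fetching."""
    size = headers.get("X-Gitlab-Size")
    if size is None or not size.isdigit():
        return False  # no usable size: be conservative and skip the download
    return int(size) <= limit


def verify_content(content, headers):
    """Check fetched bytes against the SHA-256 the HEAD response announced."""
    expected = headers.get("X-Gitlab-Content-Sha256", "").lower()
    return bool(expected) and hashlib.sha256(content).hexdigest() == expected


# Constructed HEAD response for a small file, so the example runs offline.
SAMPLE_CONTENT = b"# Project README\n"
SAMPLE_HEADERS = {
    "X-Gitlab-File-Path": "README.md",
    "X-Gitlab-Size": str(len(SAMPLE_CONTENT)),
    "X-Gitlab-Content-Sha256": hashlib.sha256(SAMPLE_CONTENT).hexdigest(),
}

if __name__ == "__main__":
    print(file_url(42, "docs/README.md", "master"))
    print(should_download(SAMPLE_HEADERS), verify_content(SAMPLE_CONTENT, SAMPLE_HEADERS))
```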


Thank you Ahmet Demir for this feature!


Repository File API Documentation


Improved Kubernetes Cluster Page Design (CORE, STARTER, PREMIUM, ULTIMATE, FREE, BRONZE, SILVER, GOLD)


We improved the Kubernetes page design to minimize the display of irrelevant information when adding a cluster. To this end, we now use separate tabs for each option.


This is the first step in a series of changes to the design of adding and managing clusters, intended to make both simpler and easier to understand.


Improved Kubernetes Cluster page design


Kubernetes Cluster Documentation


Application metrics are now available in the Operations menu (CORE, STARTER, PREMIUM, ULTIMATE, FREE, BRONZE, SILVER, GOLD)


With the Metrics item added to the Operations menu, it is now easier and faster to view your application's performance metrics. Clicking Metrics immediately opens the performance dashboard of your production environment, if you have one, and also offers a drop-down list to switch to other environments.


In previous releases, the user had to find the desired environment in the Environments menu and press the Monitoring button. To switch to another environment, the whole process had to be repeated. Now your production metrics are just one click away.


Application metrics now available in Operations menu


Application Monitoring Documentation


Manage third-party offers (CORE, STARTER, PREMIUM, ULTIMATE)


Back in release 10.8, we started informing users about third-party offers that they might find valuable for the development of their projects.


There are cases where these offers do not make sense, or you simply do not want them displayed in the application. In GitLab 11.1, you can control the display of third-party offers in the admin area.


Manage third party offers


Documentation for third-party offers


Storing the user ID in the OpenID Connect sub claim (CORE, STARTER, PREMIUM, ULTIMATE, FREE, BRONZE, SILVER, GOLD)


GitLab can be used as an OpenID Connect (OIDC) identity provider for external services. This layer is built on top of OAuth 2.0.


In the previous version, the OIDC sub claim was derived from a hashed version of the GitLab user ID. This could lead to an unstable API, since the hashing method might change in the future. Now, following the OIDC specification, we store the user ID directly in the sub claim. To ease migration, the previous value is still available in the sub_legacy claim.
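As an added example (not GitLab code), here is how a relying party that uses GitLab as its OIDC provider can migrate its stored account links from the old hashed subject to the new sub claim, using the sub_legacy claim described above: the stable sub is looked up first, and sub_legacy is consulted only for links created before the change, which are then re-keyed so the fallback is never needed again. The claim values and the account store are constructed samples; the old hashing scheme is not reproduced.

```python
"""Added example: relying-party account linking that migrates from the
pre-11.1 hashed OIDC subject (sub_legacy) to the stable sub claim.
The account store and claim values are constructed samples."""


class AccountLinkStore:
    """Maps an OIDC subject identifier to a local account id."""

    def __init__(self):
        self.by_sub = {}         # current stable subject -> local account
        self.by_legacy_sub = {}  # subjects issued before GitLab 11.1

    def link(self, sub, account_id):
        self.by_sub[sub] = account_id

    def resolve(self, claims):
        """Return (account_id, migrated) for a validated ID token's claims.

        1. Look up the stable sub first; it is the identifier to key on.
        2. Fall back to sub_legacy only for pre-migration links, and re-key
           them to sub on the spot so the legacy lookup is never repeated.
        Raises LookupError when no link exists under either claim.
        """
        sub = claims.get("sub")
        if not sub:
            raise ValueError("ID token has no sub claim")
        if sub in self.by_sub:
            return self.by_sub[sub], False
        legacy = claims.get("sub_legacy")
        if legacy and legacy in self.by_legacy_sub:
            account_id = self.by_legacy_sub.pop(legacy)
            self.by_sub[sub] = account_id  # migrate the link in place
            return account_id, True
        raise LookupError("no account linked to this subject")


def build_store():
    """Constructed state: one user linked under a pre-11.1 hashed subject,
    one already linked under the new numeric sub."""
    store = AccountLinkStore()
    store.by_legacy_sub["legacyhash-placeholder-1"] = "acct-alice"
    store.link("1234", "acct-bob")
    return store


if __name__ == "__main__":
    store = build_store()
    print(store.resolve({"sub": "1234"}))
    print(store.resolve({"sub": "5678", "sub_legacy": "legacyhash-placeholder-1"}))
    print(store.resolve({"sub": "5678"}))  # second login: found by sub directly
```

The claims passed to resolve() must come from an ID token whose signature and audience have already been verified; the migration only trusts sub_legacy because GitLab issues both claims in the same signed token.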


OpenID Connect Documentation




Detailed release notes and update/installation instructions can be found in the original English post: GitLab 11.0 released with Auto DevOps and License Management.


Rishavant, cattidourden, ainoneko and nick_volynkin worked on the translation from English.

