GitLab 10.4 Released with Dynamic Application Security Testing and Beta Web IDE

Original author: GitLab
  • Translation



In the first release of 2018, we made improvements to planning, testing, deployment and working with merge requests. In addition, this release includes new security testing features, as well as the first version of the Web IDE, which is part of our ambitious Complete DevOps project.



Security testing


Part of Complete DevOps is providing powerful security tools. In the last release we shipped static application security testing, and in this one we continue to expand our security capabilities by adding static testing for Docker containers and Dynamic Application Security Testing (DAST).


Faster Editing


The two-minute rule from Getting Things Done says: if something can be done in two minutes, do it now. Writing a small fix or correcting a typo should not take much time, but that is rarely the case when you first have to stash your changes and switch context.


Excessive time spent on small fixes hurts cycle time, which is especially noticeable in geographically distributed teams: avoiding git stash can lead to whole days of delay. The new editor, which is the first release of the GitLab Web IDE, makes such changes easy to do from the GitLab interface.


Do not miss new opportunities


Also this month, we made many improvements to epics, merge requests, monitoring, Geo, Runner, Git LFS, SSH and Auto DevOps.


Later in the article we will dwell on these and other innovations of GitLab 10.4.


We invite you to our meetings!


MVP of the Month - George Tsiolis


George has only been contributing to GitLab since the previous release, and over the past month he has made a major contribution to improving the interface, with seven merge requests, including fixes for sidebar icons and list hierarchies in user settings.


Thanks to George for his attention and work!


Dynamic Application Security Testing (DAST) (EEU)


Static analysis of your code is the first step in detecting potential security vulnerabilities. However, once deployed, your application is exposed to a different category of attacks, such as cross-site scripting or weak authentication.


We continue to work on automatic detection of security problems and add Dynamic Application Security Testing (DAST) in GitLab 10.4. With it you can test a live version of the application (for example, a Review App created in a previous job) directly from the CI/CD pipeline. Starting with GitLab 10.4.1, Auto DevOps will automatically run DAST against the Review Apps of your applications.


Illustration for Dynamic Application Security Testing (DAST)


DAST documentation.


SAST for Docker Containers (EEU)


When applications run in containers, their code is isolated from the code in other containers on the same host, which improves their security. However, even then an application can be compromised through problems in the environment it runs in (for example, vulnerable system libraries).


GitLab 10.4 adds the ability to run a security check of the image that contains your application before changes are merged into a stable branch. If the check finds security problems, the corresponding warnings are shown in the merge request. These checks are part of Auto DevOps.


Illustration for SAST for Docker Containers


SAST for Docker containers documentation.


Web IDE Editor (Beta) (EEU)


In GitLab 10.4 we are introducing a beta version of the new Web IDE editor, which makes it easier and faster to make small fixes and respond to feedback in merge requests, since you no longer need to stash changes or switch branches locally.


In future releases we plan to deepen the integration of the Web IDE with merge requests, improve committing of individual files, and add a preview and a web terminal so that everyone can contribute.


While the Web IDE is in early beta, access to it is opt-in. To enable it, go to your profile, then Settings > Preferences, enable the Web IDE and click Save.


Illustration for Web IDE Editor (Beta)


Web IDE documentation.


Rebase and fast-forward merge in CE (CE, EES, EEP)


In GitLab CE it is now possible to rebase and fast-forward merge directly from the merge request interface. You no longer need to switch between GitLab and the command line for this; everything can be done inside GitLab.


Previously this functionality was only available in EE. We added it to CE as part of GNOME's move to GitLab CE.


Illustration for Rebase and fast-forward in CE


Documentation for fast-forward merges of merge requests.


Reordering issues in epics (EEU)


Epics let you manage a set of issues that share a common theme. An epic is often tied to the development of a large feature, split into several issues that are worked on in parallel across many milestones.


The list of issues in an epic can be ordered by various criteria, depending on the organization's workflow. Such criteria may be priority, complexity, feasibility, or order of execution.


Some organizations prefer to see closed issues at the top of the list, others at the bottom. In this release we add the ability to change the order of issues simply by dragging them to the desired place in the list, just as on issue boards.


Illustration for Reordering Issues in Epics


Epics documentation.


Epic API (EEU)


Starting with this version, the GitLab API supports epics. You can now manage individual epics, lists of epics and all their attributes (name, description and dates) through the API, which lets your team build custom and/or automated workflows outside of GitLab.


The API also supports managing the issue lists of epics, including changing the order in which they are displayed.


Epics API documentation.


Group issue boards API (EEP)


Starting with this release, group issue boards can be managed via the API in the same way as project issue boards. This adds new automation capabilities and increases the flexibility of managing your team's workflows.


For example, some teams have business requirements for automatically moving issues between the lists of a board in response to certain conditions. This can now also be configured for group issue boards via the API.


Group issue boards API documentation.


Easy deployment of Prometheus on Kubernetes (CE, EES, EEP)


This release makes it possible to deploy Prometheus into a connected Kubernetes cluster with one click, making it easier than ever to start monitoring the performance of your application. System metrics such as CPU and memory usage are collected from Kubernetes automatically, and response metrics such as latency and throughput are available through the NGINX ingress. To get started, connect a cluster under CI/CD > Clusters.


If GitLab has network access to Prometheus, you can enable the Prometheus integration to analyze and display these metrics directly in GitLab. In the next release, GitLab 10.5, the integration will be enabled automatically and will no longer require direct network access, which will make it even smoother.


Illustration for Easily deploy Prometheus on Kubernetes


Documentation for deploying Prometheus on Kubernetes via GitLab.


Fast SSH key search in CE (CE, EES, EEP)


When authenticating a user, OpenSSH uses a linear search to find the key. This means that SSH operations get slower as the number of users of a GitLab instance grows. On large instances a single request can take considerable time and disk I/O, which slows down Git over SSH.


In GitLab 9.3, fast SSH key lookup was added to GitLab EE. It lets users authenticate through a fast, indexed lookup in the GitLab database instead of the slow linear search that was the default. GitLab CE is aimed at small teams, so previous versions did not include this optimization. However, to support Cloud Native Helm Charts in GitLab, every part of the code base must support fast SSH key lookup, which is why we added this feature to GitLab CE as well.
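The difference between the two lookup strategies described above, as an added example that is not GitLab or gitlab-shell code: a parser for authorized_keys-style lines, a linear scan that mirrors what sshd does with a flat file, and an index keyed by the OpenSSH SHA256 fingerprint that stands in for the indexed database lookup (GitLab's real implementation hands the lookup to an sshd AuthorizedKeysCommand that queries the database by fingerprint). The sample file is constructed: its line layout is modelled on what gitlab-shell writes (an options field with command="... key-N", then key type, base64 blob and comment), and the key blobs are placeholder bytes rather than real SSH public keys. Comparing fingerprints is an assumption made for brevity; sshd compares the decoded key blobs, but the scan is linear either way.

```python
"""Linear authorized_keys scan versus indexed lookup by key fingerprint.

Added example, not GitLab or gitlab-shell code. All sample data is constructed.
"""
import base64
import hashlib

KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ssh-dss",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def _placeholder_blob(seed: bytes) -> str:
    """Constructed base64 'key blob' for the sample data (not a valid SSH key)."""
    return base64.b64encode(hashlib.sha256(seed).digest()).decode()


# Constructed sample file: 10,000 keys, one per line, gitlab-shell style (assumed layout).
AUTHORIZED_KEYS = "\n".join(
    f'command="/opt/gitlab-shell/bin/gitlab-shell key-{i}",'
    f"no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty "
    f"ssh-ed25519 {_placeholder_blob(str(i).encode())} key-{i}"
    for i in range(1, 10001)
)


def fingerprint(key_b64: str) -> str:
    """OpenSSH SHA256 fingerprint: unpadded base64 of sha256(decoded key blob)."""
    digest = hashlib.sha256(base64.b64decode(key_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def _split_quote_aware(line: str) -> list:
    """Split on whitespace but keep quoted option values (command="... key-N") intact."""
    tokens, current, in_quote = [], [], False
    for ch in line:
        if ch == '"':
            in_quote = not in_quote
            current.append(ch)
        elif ch.isspace() and not in_quote:
            if current:
                tokens.append("".join(current))
                current = []
        else:
            current.append(ch)
    if current:
        tokens.append("".join(current))
    return tokens


def parse_authorized_keys(text: str) -> list:
    """Parse authorized_keys text into entries; blank, comment and malformed lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = _split_quote_aware(line)
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            continue  # no key type or no blob: sshd would reject such a line as well
        try:
            fp = fingerprint(tokens[idx + 1])
        except ValueError:
            continue  # blob is not valid base64
        entries.append({
            "options": " ".join(tokens[:idx]),
            "type": tokens[idx],
            "fingerprint": fp,
            "comment": " ".join(tokens[idx + 2:]),
        })
    return entries


def linear_lookup(entries: list, fp: str):
    """Cost of a flat authorized_keys file: compare against every entry in order.
    Returns (entry or None, number of comparisons made)."""
    comparisons = 0
    for entry in entries:
        comparisons += 1
        if entry["fingerprint"] == fp:
            return entry, comparisons
    return None, comparisons


def build_index(entries: list) -> dict:
    """The indexed alternative: a hash map keyed by fingerprint, built once."""
    return {entry["fingerprint"]: entry for entry in entries}


def indexed_lookup(index: dict, fp: str):
    """One hash probe regardless of how many keys the instance has."""
    return index.get(fp), 1


if __name__ == "__main__":
    keys = parse_authorized_keys(AUTHORIZED_KEYS)
    wanted = keys[-2]["fingerprint"]  # a key near the end of the file
    _, linear_cost = linear_lookup(keys, wanted)
    _, indexed_cost = indexed_lookup(build_index(keys), wanted)
    print(f"{len(keys)} keys: linear scan {linear_cost} comparisons, indexed {indexed_cost}")
```

The comparison counter is the point: with a flat file the cost of the last key in the file grows with the number of users, while the index answers in one probe. Malformed lines (missing blob, invalid base64) are dropped by the parser rather than crashing the lookup, since one bad line must not block authentication for everyone else.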


Documentation for fast SSH key lookup in CE.


Status icon for files monitored by LFS (CE, EES, EEP)


See which files are tracked by Git LFS with the new LFS tracking status icon. The icon is shown in blob views and in file lists, including the list of changes in a merge request. This makes it possible to check that LFS is tracking binary files correctly while reviewing a merge request.


Illustration for Status icon for LFS-tracked files


Documentation for managing large binary files with Git LFS.


GitLab Geo support for HA is now publicly available (EEP)


In GitLab 10.2, Geo and Postgres HA each became generally available on their own, but using Geo together with HA was only supported in beta.


Configurations that combine GitLab Geo with HA are now generally available. Distributed teams get both the faster Git fetch operations of GitLab Geo and the redundancy of highly available configurations.


GitLab Geo with HA documentation.


Browser performance testing is now included in Auto DevOps (EEP)


In the previous release we added browser performance testing to make it easy to see the impact of changes on web application performance before merging. To use it you had to add an extra job to .gitlab-ci.yml and adapt it to your needs.


In GitLab 10.4, browser performance testing is included in Auto DevOps, which gives you automatic performance analytics for the root page with no configuration required.


If you want to test additional pages, just add their paths to the file .gitlab-urls.txt in the root directory of the repository.


Illustration for Browser Performance Testing now included in Auto DevOps


Documentation for automatic browser performance testing.


Improved environment performance dashboard (CE, EES, EEP)


In GitLab 10.4 we have improved the interface of the environment performance dashboard, which displays the system metrics collected with Prometheus.


Previously, the metric values at a given point in time were shown in the graph legend. Now they are shown clearly on hover. In the next release we will add summary metrics to the graph legend, showing statistics such as maximum throughput or average latency over a period of time.


Illustration for an improved environment performance dashboard


Monitoring documentation.


openSUSE Leap 42.3 support (CE, EES, EEP)


With the release of GitLab 10.4, Omnibus packages are now available for openSUSE Leap 42.3.


This release will be the last to support openSUSE 42.2, as it has officially reached end of life.


openSUSE Leap 42.3 support documentation.


Clear Runner Cache (CE, EES, EEP)


GitLab Runner uses a cache to speed up execution by reusing existing data between jobs. Sometimes, however, this leads to conflicting behavior, for example when one job modifies the local copy of the repository and those changes affect the next job.


In GitLab 10.4 we introduce a new button on the pipelines page that clears the existing cache for a project, so that the next pipeline starts with a fresh one. This solves the dirty-start problem.


Illustration for Clear the Runner cache


Documentation for clearing the Runner cache.


GitLab Kubernetes clusters are now generally available (CE, EES, EEP)


We are proud to announce that in GitLab 10.4 the Kubernetes cluster integration is generally available. You can connect your existing clusters to your project, or create new ones on Google Kubernetes Engine (GKE) with a couple of clicks on the new cluster page in the CI/CD section.


The old Kubernetes integration service is still available, but only if it was enabled before upgrading GitLab to 10.4. In future releases, existing data will be migrated to the new cluster page, and the integration page will eventually be removed. Service templates in the admin area work as before.


GitLab clusters documentation.


Run a scheduled pipeline manually (CE, EES, EEP)


Scheduled pipelines are very convenient for running recurring jobs without user intervention. They are usually used for maintenance tasks or nightly builds of your software. Sometimes, however, such a job needs to be run immediately and by hand, and recreating an identical environment (for example, adding custom variables) can be difficult and time consuming.


GitLab 10.4 lets you run a scheduled pipeline manually, directly from the web interface: each schedule in the list has a play button, and you can start the pipeline with a single click.


Illustration for Run a scheduled pipeline manually


Documentation for running scheduled pipelines manually.


GitLab Runner 10.4 (CE, EES, EEP)


Alongside this release we are also shipping GitLab Runner 10.4! GitLab Runner is the open source project used to run CI/CD jobs and send the results back to GitLab.


The most important changes:



For a complete list of changes, see the GitLab Runner CHANGELOG.


GitLab Runner 10.4 documentation.


Omnibus Enhancements (CE, EES, EEP)


  • GitLab Mattermost updated to version 4.5, including the Zoom plugin for video, audio, screen sharing and more
  • CA certificates updated to 2017.09.20
  • GitLab Monitor updated to 2.4.0
  • Ruby updated to 2.3.6
  • Go-based components (Registry, Workhorse and Prometheus) are now compiled with Go 1.9.2

Omnibus improvements documentation.


Performance Improvements (CE, EES, EEP)


With each new release we keep improving the performance of GitLab. We aim not only to make every GitLab instance faster, but also to improve the performance of GitLab.com as a whole, which has more than a million users.


In GitLab 10.4 we introduced performance improvements for issues, merge requests, repositories and the API. The most noteworthy of them:



All performance improvements are listed in our documentation.




Detailed release notes and upgrade/installation instructions can be found in the original English post: GitLab 10.4 released with Dynamic Application Security Testing and Web IDE (beta).


rishavant and sgnl_05 also worked on the translation from English.

