Unlucky for some, GitLab 13.0 is DevSecOps in a box, but will it play nicely with others?
We're trying, says senior dev evangelist
GitLab version 13.0, the company's major release of 2020, is out today.
Rival GitHub is the biggest player in online code repositories, with Atlassian's Bitbucket and GitLab also popular. GitLab is a distinctive proposition, though, aiming to be the only platform you need for DevSecOps, whereas GitHub and Bitbucket have a narrower focus.
GitLab covers a suite of applications including management, planning, source code and issue tracking, continuous integration and continuous delivery, security testing, Kubernetes management, monitoring, and a Kubernetes web application firewall. The core of GitLab is also open source, unlike GitHub or Bitbucket, and the free Community Edition is popular for self-hosting.
The remote-only firm's development process is open, so anyone can track what each team is doing, and is also based on the Agile principle of minimum viable product, which means new features are introduced with basic functionality and then enhanced.
The company is therefore not about big surprises, but rather continuous improvement, and when new stuff does get added, it is flagged well in advance. You can find exhaustive coverage of what's new in 13.0 in the company's "kickoff" videos here or, if you prefer text content, here.
There is a focus on security in this release, including easier responsible disclosure – since GitLab is now a CVE Numbering Authority. It will soon be possible to request a CVE from within the GitLab user interface. There is also new static analysis security testing for .NET Framework code (previously this only covered .NET Core), and DAST (Dynamic Application Security Testing) for REST APIs, a key part of many modern applications.
Users of the Community Edition get a significant new feature in 13.0, which is design management, previously a GitLab Premium feature. "We've considered our users who are designing products as individual contributors," explain the release notes.
Progressive Delivery, the idea of targeting releases at a subset of users rather than rolling out new features to everyone immediately, is another theme. Feature flags lists, collections of tagged features for inclusion in or exclusion from a release, now have API support for creating, editing and deleting them. A/B testing based on feature flags is promised soon, as is the ability to create feature flags from merge requests.
Brendan O'Leary, senior developer evangelist, told The Reg that a key new feature is Gitaly Cluster support. "Git itself can be hard to scale, it is a filesystem-based database," he said. "That works great on NFS but in the cloud world it's a challenge. Our solution has been the open-source product Gitaly, which is a gRPC between Git and a system that's consuming Git. What's coming in 13.0 is 'Gitaly clusters' which is the ability to have multiple write destinations for that, so you can now shard your data and have it be highly available. It removes the requirement for NFS."
GitLab's ambition to provide everything in one application makes it unpopular with specialist DevOps vendors for whom it is a threat. Does GitLab play nicely with others? "We think that the more you can adopt a single application the more benefits you get, but that's not realistic for an enterprise tomorrow, they're not going to throw everything they have out," said O'Leary. "We have in our handbook that we need to interoperate with others, and we've got a lot better at that recently. We've got an ecosystem team now that's responsible for how we play with others and we didn't used to have that. Another thing we've added is first-class support for other security scanning integrations."
How has lockdown affected GitLab? "There's been a huge uptick in the interest in remote," said O'Leary. "We always believed that remote was the future of work. On the business side we're seeing enterprises struggle but they want to be efficient. We're not seeing a huge negative impact." ®