Hitting the trifecta with GitLab automated merge requests

August 11, 2020 By Kevin Miller


We've been working to integrate component intelligence from Sonatype Lifecycle directly into source control management (SCM) systems so that developers can choose the best open source components and build secure applications from the start.

Along with constantly talking to our customers about their needs, we also follow the DevSecOps market carefully, including keeping track of software trends like SCM. Feedback from almost 20,000 developers in The State of Developer Ecosystem 2020 report, put out annually by JetBrains, shows that the most used SCM platforms are GitHub, GitLab, and Atlassian Bitbucket. Of the 85% of developers who said they use a source code collaboration tool, the "big three" topped the list - with Microsoft Azure DevOps a distant fourth.

The Sonatype Platform already adds precise component intelligence and automation to daily developer workflows in GitHub, through automated pull requests and detailed PR feedback, and in Atlassian Bitbucket Server and Cloud, through similar automated pull requests and detailed Code Insights.

Now, developers can leverage the precision of Sonatype Intelligence to get expert remediation guidance in GitLab as well, rounding out our coverage of the "big three"!

GitLab users can get actionable, real-time insights in their daily workflows. This gives them insight into the best open source components to choose, while understanding if they're introducing risk into applications based on their organization's open source policies.

How GitLab automated merge requests work:

Automated merge requests for GitLab run as part of CI/CD processes to keep libraries up to date and applications secure. Sonatype Lifecycle automatically scans applications and, if it finds a policy violation, automatically creates a merge request (other platforms use the term "pull request") with details about the violation and, if available, a range of upgrade versions that fix the issue.

Developers can dig into the details to learn more about any of the vulnerabilities, then accept the merge request and fix the violation with just a few clicks.

Keep an eye out for even deeper integrations as we work to provide full contextual feedback on development branches so developers using GitLab can catch and fix vulnerabilities in the design stage of a project, before breaking builds or having to re-do their work.


Written by Kevin Miller

Kevin Miller is a Product Marketing Manager at Sonatype where he works to empower the development community to shift component choice and security left. He believes that putting the right tools and options in the hands of developers will help accelerate software innovation and minimize open source risk.