GitLab: Instant, inline, indispensable developer insights

October 01, 2020 By Kevin Miller


Today we're going to talk about letters, as in the alphabet.

Did you ever see the Friends episode where Joey can't afford an entire set of encyclopedias, so he just buys the one with the letter "V" and tries to steer every conversation to V words? What an awesome episode.

Or maybe, like many of us, your kids have been watching Sesame Street non-stop since being home during the pandemic, which might be starting to affect your work. I’m sitting here thinking "Today's episode of Sonatype has been brought to you by the letter I ..."

In any case, we're going to focus on these six "I words" today, and how they relate to our GitLab integrations.

Instant, inline, indispensable developer insights for improved innovation

  • Instant: Scan your code while actively developing in GitLab merge requests.
  • Inline: Feedback is added directly to the merge request so you don't have to waste time switching contexts or looking anywhere else. Exact violations are identified with the line(s) of code that introduced them.
  • Indispensable: Catch policy violations and vulnerabilities before merging your MR. Block bad components from entering production, saving time while reducing rework and technical debt.
  • Insights: Component intelligence that you can trust, based on industry leading vulnerability data and our dedicated research team.
  • Improved: Faster, safer, more secure. Standard GitLab MRs do not inform you when security or license issues in your code tripped an internal policy violation. Now integrated with Sonatype, they do.
  • Innovation: With automated security and license checks providing instant feedback, you can spend more time developing innovative new features or products.

Sonatype Lifecycle and GitLab integrations

At Sonatype, we've continued to build integrations into tools that developers use every day. We've enabled Sonatype Lifecycle to push complete OSS component intelligence into three main SCM platforms that your team is most likely using: GitHub, GitLab, and Atlassian Bitbucket.

We bring instant component intelligence right into your source control so developers don't have to look anywhere else to find and fix vulnerabilities. Inline recommendations are made with detailed remediation advice and actionable insights, based on decades of curated, indispensable, trustworthy research.

Sonatype Intelligence Data manifests in GitLab in two ways

Automated merge requests

Automated merge requests are configured as part of continuous monitoring. Sonatype Lifecycle will automatically create a merge request when a newer, non-vulnerable version of a component is available. This can be configured based on policy, severity level, time, etc. You can read more here about Auto MRs for GitLab.

Merge request commenting

Simply run a scan when merging your MR, and Sonatype Lifecycle will add a comment to your merge request with all the information you need to remediate vulnerabilities before they enter your software development life cycle (SDLC). Comments on your merge requests happen in real time, and the feedback is contextual to the specific MR that you are working on.

We will show you if the code you're writing will introduce any violations, as well as details about the violations themselves, the exact line(s) of code that brought them in, and our recommendations for how to fix them. All of this makes it easier for developers to incorporate security while writing code, and save tons of time on rework, broken builds, and technical debt later on.

Watch the quick video below to see GitLab Merge Request Commenting in action:


Sonatype is an industry leader in OSS governance. As we push ourselves to keep up with the pace of innovation, look for continued expansion and added functionality into our partnerships and integrations, giving developers even more tools, precision, and information they will need to save time, choose the best components, and build secure applications from the start.

Tags: Product, GitLab, merge requests, Sonatype Lifecycle

Written by Kevin Miller

Kevin Miller is a Product Marketing Manager at Sonatype where he works to empower the development community to shift component choice and security left. He believes that putting the right tools and options in the hands of developers will help accelerate software innovation and minimize open source risk.