More security for GitHub and GitLab – New packages and functions
GitHub and GitLab deliver new features to increase the security of their code hosting services.
(Image: created with AI in Bing Designer by heise online / dmk)
- Manuel Masiero
The two software platforms GitHub and GitLab have introduced new security functions and packages: GitHub Secret Protection, GitHub Code Security and GitLab Open Source Security Hub.
Security incidents at the code hosting services keep occurring, so both are continually strengthening their security precautions. For GitHub professionals, Secret Protection and Code Security are nothing new in principle: together they form the well-known security suite GitHub Advanced Security (GHAS). What changes is how they are made available.
GHAS, which is billed at 49 US dollars per month, was previously only available with GitHub Enterprise or the Microsoft Azure DevOps plans. In order to make GHAS more accessible for teams of all sizes, GitHub is distributing the functions across the individual packages Secret Protection (USD 19 per month) and Code Security (USD 30 per month). Those who need both will pay no more than before. The new modules can be booked independently of each other from April 1, 2025 and will also be available for GitHub Team for the first time.
GitHub Secret Protection helps prevent the leakage of secrets such as passwords or API keys, using AI-supported detection, customizable scan patterns and a notification function, among other things. Code Security also relies on artificial intelligence: the package uses Copilot Autofix to detect and fix security vulnerabilities in program code and pull requests.
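To illustrate what "customizable scan patterns" mean in practice, here is an added example of a minimal pattern-based secret scanner. It is not GitHub's code and does not reproduce Secret Protection's detection logic; the two regexes (a generic credential assignment and a made-up organisation-specific token prefix `ACMETOK_`) are hypothetical, and the configuration text it scans is constructed for the demonstration. The report redacts the matched value so the finding itself does not leak the secret.

```python
import re
from typing import Dict, List, NamedTuple

# Hypothetical patterns in the spirit of "customizable scan patterns":
# a generic credential assignment plus an organisation-specific token
# format. These are illustrative regexes, not GitHub's built-in ones.
PATTERNS: Dict[str, re.Pattern] = {
    "generic-credential-assignment": re.compile(
        r"""(?i)([a-z_]*(?:api[_-]?key|password|secret|token))\s*[:=]\s*['"]([^'"]{8,})['"]"""
    ),
    # Constructed token format for a fictional organisation "ACME".
    "acme-internal-token": re.compile(r"\bACMETOK_[A-Za-z0-9]{20}\b"),
}


class Finding(NamedTuple):
    path: str
    line_no: int
    pattern: str
    preview: str  # redacted so the report itself does not leak the secret


def redact(value: str, keep: int = 4) -> str:
    """Keep only the first few characters so a reviewer can recognise the secret."""
    if len(value) <= keep:
        return "*" * len(value)
    return value[:keep] + "*" * (len(value) - keep)


def scan_text(path: str, text: str, patterns=PATTERNS) -> List[Finding]:
    """Scan one file's content line by line against every configured pattern."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, regex in patterns.items():
            for match in regex.finditer(line):
                # The secret value is the last capture group when the pattern
                # has one, otherwise the whole match.
                secret = match.group(match.lastindex) if match.lastindex else match.group(0)
                findings.append(Finding(path, line_no, name, redact(secret)))
    return findings


# Constructed sample file content; the values are made-up placeholders.
SAMPLE_CONFIG = """\
# settings.py (constructed example)
DEBUG = False
API_KEY = "sk_live_constructedexamplevalue123"
DB_PASSWORD = 'N0tARealPassw0rd!'
DEPLOY_TOKEN = ACMETOK_ABCDEFGHIJKLMNOPQRST
PUBLIC_NAME = "demo"
"""


def report(findings: List[Finding]) -> None:
    for f in findings:
        print(f"{f.path}:{f.line_no}: {f.pattern}: {f.preview}")


if __name__ == "__main__":
    report(scan_text("settings.py", SAMPLE_CONFIG))
```

Running the block reports three findings (lines 3, 4 and 5 of the sample) and ignores the harmless `PUBLIC_NAME` assignment. Real scanners add entropy checks and per-provider validation on top of such patterns to keep false positives down; the point here is only that a pattern list is what makes the scan customizable.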
Already live: GitLab with new security center
The GitLab Open Source Security Hub contains various security tools that users can integrate into their projects. The Security Hub starts with three types of tools: the StORM Templates, the GUARD Framework and the GitLab CIS Benchmark Scanner.
The StORM templates (Security Operational Risk Management Templates) make it possible to standardize risk tracking and reporting. The GUARD framework (GitLab Universal Automated Response and Detection Framework) uses the detection-as-code approach to automatically identify and handle security risks.
The Python CLI tool GitLab CIS Benchmark Scanner checks a GitLab project against the CIS GitLab Benchmark of the Center for Internet Security (CIS) and then issues security recommendations, which are available as YAML-formatted code. The scanner is available via PyPI or via the corresponding release website.
(Image: GitLab)
The GitLab CIS Benchmark Scanner is installed with pip install gitlabcis. The command line syntax for a scan is gitlabcis URL OPTIONS and looks like this, for example:
# example: generate a json report
gitlabcis \
https://gitlab.example.com/path/to/project \
-o results.json \
-f json
All command line options for the GitLab CIS Benchmark Scanner can be found in the gitlabcis documentation.
(mack)