Aqua Blog

How GitLab Innovates DevOps Security Using Aqua Trivy

How GitLab Innovates DevOps Security Using Aqua Trivy

Digital leaders must adapt, scale, and fine-tune their operations and the solutions they provide to their customers to keep up with market demands. GitLab provides a complete DevOps platform in a single application to help developers and engineers across all industries to be successful. With many high-profile security breaches putting providers like Codecov into the headlines, GitLab wanted to enhance their platform with top security capabilities that could help organizations to scan containers before being shipped to production, as well as scan environments running in production.

Finding the right scanning solution for DevSecOps container security

When GitLab decided it wanted to offer its users the ability to establish container security in their projects and running workloads, they identified some key criteria which the solution of choice must possess. GitLab recognized the importance of community contributions to the consistent evolution and success of its DevOps platform, so they emphasized open source options.

The solution needed to be supported by an active community of experts with frequent updates to the scan engine and underlying cybersecurity dataset. Accuracy of vulnerability detection and fast scan speeds were important to facilitating agile DevOps and CI/CD workflows across its customer base, including integration capabilities to trigger scans and deliver results. Scanning within pipelines and of containers running in production was paramount, and support for offline scanning was essential for its customers operating in air-gapped environments.

After a thorough evaluation, GitLab found Aqua Trivy and Aqua Starboard to be leaders in the market based on features, accuracy, and the speed at which results could be generated.

“Trivy was a clear leader in the market as far as features, functionality, and capabilities,” said Sam White, Sr. Product Manager at GitLab

twitter_link_icon Share on twitter

Container vulnerability scanning for security in development and production

GitLab selected Aqua Trivy as the default container vulnerability scanner for its Gold and Ultimate customers using version 14.0 and above. This scanning capability is integrated by default for customers using its DevOps lifecycle tool, Auto DevOps, which automates key aspects of pipeline configuration, integration, and testing.

Because Aqua Trivy is part of a family of open source cloud native security tools, GitLab turned to Aqua Starboard for managing vulnerability scanning for containers in production. Aqua Starboard’s ability to automatically detect running containers helped ensure efficient scanning in production, offering scheduled or on-demand scanning atop Kubernetes clusters. Using these two sister products, integrated together, enabled GitLab to ensure scanning, prioritization, and remediation take place even after applications are deployed into production.

GitLab and Aqua work together to evolve container security for DevSecOps

GitLab is already looking ahead at ways to implement Aqua Trivy and Aqua Starboard to extract the full value of their other security capabilities, extending GitLab’s DevSecOps offering to real-time mitigation and compensating controls in production.

GitLab is always focused on building and keeping strong relationships with its partners and its customers. As much as they value community support of its end-to-end DevOps platform, they value giving back to open source projects and providing upstream contributions that not only benefit GitLab customers, but the broader development community in aggregate. In working with Aqua Security, GitLab has found a responsive partner and dedicated cybersecurity advocate that resonates with its customer base and its mission of providing a DevSecOps platform for cloud native applications.

Steven Zimmerman
Steven Zimmerman was a Sr. Product Marketing Manager at Aqua Security, specializing in vulnerability management and dynamic threat analysis. He is focused on deriving a clear vision for efficient DevSecOps among the world’s leading enterprises and organizations adopting security best practices across their cloud native application ecosystem.