What is GitLab and how does it work?

DevOps empowers software teams to collaborate effectively, leading to smoother, faster, and more reliable deliveries. DevOps and DevSecOps tools offer features like integrated testing and security, configurable builds and pipelines, and automated deployment. These features not only boost overall productivity but also decrease time to market.

GitLab is a modern DevSecOps platform that covers all stages of the software development life cycle (SDLC). In this article, we will explore the main GitLab features, learn how to use GitLab for basic tasks, and also compare it with Bitbucket.

What is GitLab?

GitLab provides an all-in-one IT toolchain for developing, testing, securing, packaging, deploying, monitoring, and governing software applications. From the ideation of a project to its deployment and ongoing maintenance, GitLab serves as the central hub for all teams involved in the SDLC.

GitLab marries the principles of Development (Dev), Operations (Ops), and Security (Sec), hence the term “DevSecOps”. This integration is crucial because it bridges the gap between development and operations teams and ensures that security is embedded throughout the development process rather than being an afterthought.

Why do we need software like GitLab?

The software development process is getting increasingly complex. Product teams and developers need to juggle multiple projects and feature requests, whereas security has become a functional requirement. Operations teams are burdened with an ever-expanding workload, which can only be managed efficiently through automation and pipelines. To top it off, customers expect swift updates and bug fixes across all touchpoints.

Navigating this web of demands and expectations can be a daunting task for software teams. This is where GitLab comes in. It simplifies and fast-tracks software development by integrating all the necessary tools and processes inside a single application. Here are some key benefits of using GitLab:

Collaborate on code, issues and projects

GitLab enables a workforce with distributed developers, testers, and operation teams to collaborate on code, issues, and projects using the same platform. This fosters a more cohesive and productive environment for software development.

For example, product owners can create new tickets for developers using GitLab’s Portfolio Management features. Developers can write code using the GitLab web IDE, get it reviewed by creating a merge request, and then merge it to the main repository on GitLab. Testers can generate a GitLab build using the latest commit on the main repository, which can automatically run a suite of tests.

Once the code has successfully passed the different stages of testing, it can be packaged using any supported package manager (e.g., Maven, npm, or Helm) and uploaded to the GitLab Package Registry.

From there, it can be automatically deployed to production using GitLab’s Continuous Integration and Delivery pipelines. For example, you can create pipelines with specific jobs that deploy tested code to the target production servers or clusters, without any manual intervention.

Help software teams shift security left

GitLab helps software teams shift security left. Its built-in security features ensure that security measures are incorporated from the start and remain a central focus throughout all the following stages. For example, developers can use GitLab to scan application containers and dependencies for any known vulnerabilities.

Reduce errors through automated rollouts

GitLab can automate many manual and repetitive tasks through continuous integration (CI) and continuous delivery (CD) pipelines. For example, GitLab pipelines can automatically build and test new changes, which helps identify and fix bugs early in the development process.

It can also automatically deploy code changes to production, which leads to faster and more reliable rollouts. These automation features reduce the risk of errors and allow software teams to focus on more productive tasks, such as writing better code or solving complex business problems.

Add transparency and trackability

GitLab adds transparency and trackability to the development process. Stakeholders can easily track progress, provide feedback, and stay informed about the current status. For example, GitLab allows you to create tasks, define milestones, and track time spent on development and testing.

Save on licensing costs

GitLab is a free and open-source DevOps platform that can help businesses save money on licensing costs. The free plan includes all the essential features like version control, issue tracking, and continuous integration and delivery. However, GitLab also offers premium plans for businesses that need advanced features like dynamic application security testing and value stream management.

GitLab features

GitLab offers an extensive feature set to cover all areas of the software development lifecycle.

For software planning

Here are some of GitLab’s key features related to software planning:

Portfolio management

• Define epics, a way to group related issues and user stories.
• Link different epics together, define epic hierarchies, edit epics in bulk, prioritize items in an epic, and manage sensitive work using confidential epics.
• Manage iterative releases using project milestones. Milestones represent a group of linked tickets and merge requests.
• Use labels to assign tags to a group of epics, issues, or merge requests. Labels make it easy to organize, filter, and track your work.
• Deploy GitLab's issue boards as Scrum or Kanban boards. They offer a user-friendly way to manage and track the progress of multiple issues across projects.
• Create a roadmap for your project. Roadmaps visually represent epics and milestones in the form of timelines. This helps in planning and communicating long-term strategies.

Pages

• Generate static websites for GitLab projects using any static website generator, such as Hugo or Jekyll, or JavaScript, CSS, and HTML.
• Consolidate documentation or share user guides for your projects
• Secure project pages using TLS certificates.
• Free hosting for your project pages, which can be shared publicly if needed.

Value Stream Management

• GitLab’s Value Stream Management (VSM) provides a comprehensive view of your software delivery pipeline, which allows you to identify bottlenecks, inefficiencies, and improvement avenues.
• To access VSM, go to Issues -> Boards from the GitLab dashboard and choose Value Stream from the drop-down for your project.
• VSM offers key metrics, including cycle time, lead time, number of bugs, and time to merge. These metrics and KPIs help drive continuous improvement.
• DevOps Research and Assessment (DORA) metrics allow you to gauge the maturity and efficiency of your DevOps program using four key elements: deployment frequency, average time to recover, change failure rate, and lead time for changes.

GitLab features for managing code

GitLab simplifies creating and managing code by offering the following developer-friendly features:

Source code management

• GitLab uses Git for version control, making it easy to create and manage a large number of branches and repositories, as well as perform code reviews.
• GitLab allows you to define checklists for merge requests. This ensures that only the code that passes all checks gets merged.
• It’s also possible to edit merge requests in bulk, add comments, start discussions on merge requests, and define approval rules for reviewing code.
• Use file locking to prevent merge conflicts. File locks work similarly to thread locks, allowing only the user who locked the file to modify it.

GitLab CLI

• The GitLab CLI (glab) is a utility that allows you to perform different GitLab operations directly from the terminal.
• You can use glab to create or approve merge requests, check the progress of a pipeline, and view issues.

Web IDE

• GitLab offers Web IDE, an advanced editor that has numerous built-in features.
• You can open a file or a merge request in the Web IDE directly from the GitLab UI.
• The Web IDE also allows you to view a list of modified files, create branches, commit changes, and create merge requests.
• You can also use the Web IDE for remote development.

For testing

The following testing features ensure that only well-tested code is rolled out to production:

Continuous integration and delivery

• Codify and automate all the steps needed to test code before deploying it to production.
• Use CI pipelines to automatically run regression tests and perform security analyses against each commit or merge request.
• Configure compliance pipelines to test your code for adherence to best practices or regulatory frameworks. This ensures that non-compliant code never gets merged to the main branch.
• Configure GitLab to generate unit test reports as part of your CI/CD pipelines. This will display the reports on the corresponding merge requests, making it easier to review and fix code.

Review apps

• Review apps automatically create temporary environments for each merge request. This allows reviewers to test changes in isolation before the code is merged.
• Review apps can be used to deploy the changes of a merge request in any environment, such as staging, pre-production, and so on.
• Run review apps on different platforms, including Kubernetes and Terraform.
• Different stakeholders can access and interact with the same review app to provide feedback without having to manually deploy the changes themselves.

Merge trains

• Merge trains in GitLab simplify the process of merging multiple merge requests in a controlled manner.
• When you define a merge train, merge requests get merged one after another, reducing the chances of conflicts and improving overall code integrity.
• GitLab creates pipelines for each merge request that’s added to a merge train. These pipelines run on the combined changes of the current merge request, all previous merge requests, and the target branch. This workflow ensures that all changes are collectively verified before getting merged.

GitLab features for shifting security left

GitLab embraces the principle of shifting security left by offering these features:

Analysis

• Use container scanning in GitLab to scan Docker images for known vulnerabilities. For example, if your application container uses a base image that has a known bug, GitLab will detect it and issue an alert.
• Use dependency scanning to scan all the libraries and packages that your application depends on for known vulnerabilities or bugs.
• For dependency scanning, GitLab supports several package managers, including Go, Cradle, Maven, npm, and pip.
• Built-in secret detection helps you detect any accidentally committed secrets to a repository, such as passwords, API keys, and tokens.

Fuzz testing

• GitLab’s fuzz testing features allow you to send random inputs to your application. Fuzz testing is a great way to check application behavior in different situations and detect potential bugs.
• Fuzz testing can be integrated into any CI/CD pipeline.
• GitLab supports fuzz testing for many languages, including: Rust, C/C++, Java, JavaScript, and Python.

API security

• GitLab supports Dynamic Application Security Testing (DAST) of REST-, SOAP-, and GraphQL-based web APIs.
• DAST API scans can be integrated into any CI/CD pipeline.
• You can use OpenAPI specifications to set up DAST API scans. The DAST API parses the OpenAPI specifications to retrieve information about the target APIs.

GitLab features for packaging software

GitLab also provides a handy set of features for packaging software applications.

Package registries

• GitLab’s Package Registry function allows you to create private or public package registries using different package managers, including Maven, npm, Go, RubyGems, and Debian.
• GitLab supports different schemes to authenticate with a package registry, including group deploy tokens, job tokens, and personal access tokens.
• It’s also possible to import packages from an external registry with GitLab’s Package Importer.

Container registries

• GitLab’s Container Registry function allows you to store images for different GitLab projects.
• Both Docker V2 and Open Container Initiative (OCI) images are supported.
• To prevent your container registry from growing too large, you can enable the container registry cleanup policy. This policy automatically removes tags that match a predefined regular expression (regex) pattern.

GitLab features for deploying code

GitLab fast-tracks and automates deployment by offering these features:

Infrastructure as code (IAC)

• GitLab offers out-of-the-box integration with Terraform for codifying infrastructure.
• Define how to provision compute, network, and storage resources.
• You can also scan your Terraform template files for vulnerabilities using GitLab’s IAC scanning features.

Kubernetes and GitLab

• Benefit from the GitLab–Kubernetes integration to deploy code from a GitLab repository to a Kubernetes cluster.
• Set up canary deployments to deploy new code to a subset of pods in a Kubernetes cluster. A canary deployment is a rollout model in which changes are made to a small part of the users/nodes, before being applied to the entire user base/cluster.

Auto DevOps

• Automate DevOps processes without manual configurations. Developers commit code and GitLab handles everything else.
• Auto DevOps can automatically detect the programming language of the pushed code, generate builds, test code quality, and deploy the application to production.

GitLab features for managing and monitoring code

GitLab comes with different features for managing and monitoring deployed code.

Service desk

• Connect with your customers from within the GitLab interface.
• Configure GitLab to allow customers to send emails for support. For each incoming email, GitLab automatically generates a ticket.
• Any replies added to the issue thread are automatically relayed to the relevant customer via email.

On-call schedule management

• Use GitLab's on-call schedule management to define and manage schedules for on-call respondents.
• It’s also possible to define escalation policies and rotate schedules.

Getting started with GitLab

In the following sections, we will share the steps required to perform some basic tasks with GitLab.

Setting up a repository

Perform these steps to set up your first project/repository on GitLab:

• From the GitLab home screen, choose Create new (+) -> New project/repository.
• Choose Create blank project.
• Specify all the details about the project, including its name, slug, deployment target, and visibility.
• Choose whether you want to include a default README file in the new repository.
• Choose whether you want to enable Static Application Security Testing (SAST).
• Click Create project.

Creating a new branch

Here’s how you can create a branch in GitLab:

• Navigate to the project/repository where you want to create the branch.
• Choose Code -> Branches.
• Select New branch from the top right.
• Specify a name for your branch.
• Select how you want to create the branch: from an existing branch, from a tag, or from a commit hash.
• Click Create branch.

Configuring CI/CD pipelines using YAML files

Follow these steps to define your first CI/CD pipeline in GitLab:

• Check whether you have runners available for the deployment. Runners are GitLab agents that execute your jobs.
  • If you are using GitLab.com, you don’t have to do anything in this step, as you will be leveraging GitLab’s shared runners.
  • If you aren’t using GitLab.com and don’t have a runner, install one by fetching the binary from the official website. You can find binaries for Linux, Windows, macOS, and FreeBSD. Once installed, link the runner with your project.
• Define a .gitlab-ci.yml file at the root level of your project. You will be adding the CI/CD configurations for your project inside this file.
• For example, you can add the following sample code to the file:

build-app-job: 
stage: build 
script: #add build steps here  
  - echo "Will be building here" 
test-app-job: 
  stage: test  
  script: #add test steps here 
   - echo "Testing something here"deploy-app-job:  
  stage: deploy 
  script: #add deployment steps here 
   - echo "Deploy code to the target environment." 
  environment: production 

• Click Commit Changes.

That’s it! We have successfully created our first pipeline in GitLab.

How to set up DAST API analyzer

To integrate DAST API analysis into your CI/CD pipeline, you must define a dast stage. For example, the following code triggers a DAST API run on a test deployment using a JSON file to provide the OpenAPI specification:

stages:  
  - dast  
include:  
  - template: DAST-API.gitlab-ci.yml 
variables:  
  DAST_API_PROFILE: Quick 
  DAST_API_OPENAPI: sample-api-specification.json 
  DAST_API_TARGET_URL: http://sample-deployment/  

Enable unit test reports in merge requests

To enable unit test reports for merge requests, you must add “reports: junit” under the “artifacts” section of the “test” stage, inside your .gitlab-ci.yml file. Consider the following example in which we are enabling the generation of unit test reports for C++ applications:

cpp:  
  stage: test  
  script:  
- gtest.exe --gtest_output="xml:test-report.xml" #run the script and generate the output 
  artifacts:  
when: always  
reports:  
junit: test-report.xml 

GitLab vs. BitBucket

Bitbucket is a version control system (VCS) from Atlassian that integrates with other Atlassian products, such as Jira and Confluence, to offer DevOps capabilities. However, even when used as part of an integrated Atlassian suite, Bitbucket's feature set is limited compared to GitLab.

The following table compares BitBucket and GitLab offerings across various categories:

Conclusion

GitLab is a comprehensive DevSecOps platform designed to streamline software development, boost productivity, foster teamwork, and accelerate delivery. Whether you want to write compliant code faster, ensure conflict-free merges, set up automated testing workflows, automatically package and deploy applications, or perform post-deployment monitoring, GitLab offers you the features to do so.

If you are looking for an all-in-one tool for GitLab monitoring, check out this open-source plugin from Site24x7. It lets you track key performance metrics, including number of milestones, projects, branches, pipelines, merge requests, and application errors.