

Synopsys owns a portfolio of several scanning tools, including Coverity (SAST), Black Duck (SCA), Seeker (IAST), Defensics (fuzzing), and the recently acquired Tinfoil (DAST).
Black Duck does Software Composition Analysis (SCA), including dependency scanning, container scanning, and license management.
Coverity for SAST includes a spell-checker-like capability with an IDE plug-in that alerts the developer to vulnerable phrases as they code. It also has a dashboard that pulls in IAST results from Seeker for a unified view. Coverity covers 20 programming languages. Our research indicates that Coverity costs around $12k USD per year for 5 users.
Seeker for IAST employs an agent to test the application for vulnerabilities. It is used during functional testing so that security tests are done in the normal course of other testing. Seeker has an API to integrate with developer IDEs. Seeker works with Java and all JVM languages. Seeker is only available on premises.
Although Synopsys can integrate with IDEs and DevOps tools via the API, complete testing coverage requires multiple software licenses and a heavy integration and maintenance effort. GitLab Ultimate automatically includes a full suite of broad security scanning with every code commit. GitLab’s scan results are provided to the developer inline in their Merge Requests with no integration required.
GitLab security scanning includes not only SAST but also DAST, Container and Dependency Scanning, License Compliance scanning, and Secret Detection. All of these are included in GitLab Ultimate and integrated directly into the developer’s workflow. Finding vulnerabilities is only the beginning. Delivering those findings to the developer for immediate remediation is key to shifting left to reduce both cost and risk.
| | GitLab | Synopsys |
|---|---|---|
| Strengths | • Licensing and management are much simpler, as everything is included in a single tool • No special integration is required to surface vulnerabilities as part of development’s regular MR workflow | • Widespread recognition as a security testing leader by Gartner and across the industry • Strong managed services offering for customers who are looking to outsource their security scanning • Polaris Software Integrity Platform provides a single console to manage all of Synopsys’ testing products • Good integration with IDEs and local developer environments |
| Weaknesses | • GitLab is much newer to the security testing space and does not yet have the feature depth or market recognition held by Synopsys • No managed services offering | • Poor visualization of vulnerabilities and limited fix recommendations • Each kind of testing is a separate piece of software that must be licensed and integrated with the DevOps lifecycle separately • Professional services engagements are pushed by sales and can be costly for customers |
| | GitLab | Synopsys |
|---|---|---|
| SAST | ✅ | ✅ |
| DAST | ✅ | recently acquired a startup |
| IAST | ✅ | |
| SCA: Vulnerability Scanning | ✅ | ✅ |
| SCA: Open Source Audit | ✅ | ✅ |
| Fuzz Testing | ✅ | ✅ |
FEATURES

| Feature | Description |
|---|---|
| Static Application Security Testing | GitLab allows easily running Static Application Security Testing (SAST) in CI/CD pipelines, checking for vulnerable source code or well-known security bugs in the libraries that are included by the application. Results are then shown in the Merge Request and in the Pipeline view. This feature is available as part of Auto DevOps to provide security by default. |
| Secret Detection | GitLab allows you to perform Secret Detection in CI/CD pipelines, checking for unintentionally committed secrets and credentials. Results are then shown in the Merge Request and in the Pipeline view. This feature is available as part of Auto DevOps to provide security by default. |
| Dependency Scanning | GitLab automatically detects well-known security bugs in the libraries that are included by the application, protecting your application from vulnerabilities that affect dependencies that are used dynamically. Results are then shown in the Merge Request and in the Pipeline view. This feature is available as part of Auto DevOps to provide security by default. |
| Dynamic Application Security Testing | Once your application is online, GitLab allows running Dynamic Application Security Testing (DAST) in CI/CD pipelines; your application will be scanned to ensure threats like XSS or broken authentication flaws are not affecting it. Results are then shown in the Merge Request and in the Pipeline view. This feature is available as part of Auto DevOps to provide security by default. |
| Interactive Application Security Testing | IAST combines elements of static and dynamic application security testing methods to improve the overall quality of the results. IAST typically uses an agent to instrument the application to monitor library calls and more. GitLab does not yet offer this feature. |
| Container Scanning | When building a Docker image for your application, GitLab can run a security scan to ensure it does not have any known vulnerability in the environment where your code is shipped. Results are then shown in the Merge Request and in the Pipeline view. This feature is available as part of Auto DevOps to provide security by default. |
| License Compliance | Check that the licenses of your dependencies are compatible with your application, and approve or deny them. Results are then shown in the Merge Request and in the Pipeline view. |
| On-demand Dynamic Application Security Testing | There’s no reason to wait for the next CI pipeline run to find out if your site is vulnerable or to reproduce a previously found vulnerability. GitLab offers scanning of your running application with On-demand Dynamic Application Security Testing (DAST), independent of code changes or merge requests. |
| Site and Scanner profiles for On-demand DAST scans | Reuse configuration profiles quickly with on-demand DAST scans, instead of reconfiguring scans every time you need to run one. Mix different scanner profiles with site profiles to quickly conduct scans that cover different areas or depths of your application and API. |
| DAST Configuration UI | Enabling DAST is now as simple as three clicks. This guided configuration experience makes it easier for non-CI experts to get started with GitLab DAST. The tool helps a user create a merge request to enable DAST scanning while leveraging best configuration practices like using the GitLab-managed |
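The comparison above and the feature table both rest on one mechanism: each GitLab scanner is a CI job that uploads a report artifact, and GitLab renders those reports in the Merge Request and Pipeline views. As an added example (not code from the page, and not GitLab's or Synopsys's own), here is a `.gitlab-ci.yml` that enables the pipeline-driven scanners from the table by including GitLab's published CI templates. The template paths and the `SAST_EXCLUDED_PATHS`, `DAST_WEBSITE`, `DAST_FULL_SCAN_ENABLED`, `CI_APPLICATION_REPOSITORY` and `CI_APPLICATION_TAG` variables are GitLab's (verify the template names against your instance's version); the stage layout, the `build_image` job and the `staging.example.com` target are assumptions made for illustration.

```yaml
# Added example, not code from the page or from GitLab/Synopsys.
# Each included template defines its own job and uploads a report artifact
# (for example gl-sast-report.json) that GitLab shows in the Merge Request
# and in the Pipeline security view, so no extra integration work is needed.
stages:
  - build
  - test   # SAST, Secret Detection, Dependency, Container and License scanning run here
  - dast   # the DAST template expects a stage named "dast", after the app is deployed

include:
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  - template: Security/Container-Scanning.gitlab-ci.yml
  - template: Security/License-Scanning.gitlab-ci.yml
  - template: Security/DAST.gitlab-ci.yml

variables:
  # Image reference that Container Scanning inspects (these are the template's defaults,
  # spelled out here so the build job below pushes to the same reference).
  CI_APPLICATION_REPOSITORY: "$CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG"
  CI_APPLICATION_TAG: "$CI_COMMIT_SHA"
  # Keep SAST from flagging test fixtures that deliberately contain bad patterns.
  SAST_EXCLUDED_PATHS: "spec, test, tests, tmp"
  # Running target for DAST. Placeholder: assumed to be deployed by a job outside this example.
  DAST_WEBSITE: "https://staging.example.com"
  # Active scan: send test requests to the target instead of only passive analysis.
  DAST_FULL_SCAN_ENABLED: "true"

# Builds and pushes the application image so Container Scanning has something to inspect.
build_image:
  stage: build
  image: docker:20.10
  services:
    - docker:20.10-dind
  script:
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
    - docker build -t "$CI_APPLICATION_REPOSITORY:$CI_APPLICATION_TAG" .
    - docker push "$CI_APPLICATION_REPOSITORY:$CI_APPLICATION_TAG"
```

Auto DevOps includes the same templates automatically; writing them out as above is the equivalent for a project with a hand-written pipeline. On-demand DAST scans and their site and scanner profiles, the last rows of the feature table, are configured in the GitLab UI rather than in this file, which is what lets them run independently of code changes and merge requests.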