GitLab
vs
Veracode
vs
Decision Kit
Decision Kit
Summary
Both Veracode and GitLab Ultimate offer open source component scanning along with Static and Dynamic Application Security Testing. Veracode is a mature product with a hefty price tag. Veracode offers a separate SAST-lite product that integrates in the developer’s IDE offering spell-check-like functionality to flag vulnerabilities as the developer types.
GitLab Ultimate automatically includes broad security scanning with every code commit including Static and Dynamic Application Security Testing, along with dependency scanning, container scanning, and license management.
Note: In November 2018, the private equity firm Thoma Bravo acquired Veracode from Broadcom. Veracode now functions as an independent company within the Thoma Bravo portfolio of companies. Between March 2017 and July 2018 Veracode was part of CA Technologies. For a brief period, from July 2018 to November 2018, Veracode was part of Broadcom following CA Technologies’ acquisition by Broadcom
Comparison to GitLab
Veracode is a well established player in the Application Security Testing (AST) market. Although they offer a range of products, including SAST, DAST, IAST, and SCA, each of these products are sold and licensed separately. GitLab offers simplicity and a high level of integration by including all of these types of scanning capabilities within a single product. Additionally, GitLab has tightly integrated the scanning results with the rest of the SLDC, including the merge request review process.
Additionally, organizations that have concerns about using a cloud-hosted scanning solution, or that use GitLab’s self managed offering, will find that GitLab is a clear winner as Veracode does not have an on-premise offering.
Security Scanning
Strengths and Weaknesses
| GitLab | Veracode | |
|---|---|---|
| Strengths | • Tight out-of-the-box integration with the rest of the SDLC, including the merge request review process • GitLab’s recent acquisitions of Peach Tech and Fuzzit provide Fuzzing capabilities that Veracode lacks • Supports on-premise deployments including disconnected, offline, or air-gapped environments |
• Strong offering across scanning types • Nice, clean UX and design • Strong offering across scanning types • Tight integration with IDEs • Strong offering across scanning types • False positive rates are better than average |
| Weaknesses | • GitLab’s SAST offering only scans code repositories today and cannot scan compiled binaries | • Only available as a SaaS tool and cannot be deployed on-premise • Not natively integrated into merge requests or the SDLC |
Feature Lineup
| GitLab | Veracode | |
|---|---|---|
| SAST | ✅ | ✅ |
| DAST | ✅ | ✅ |
| IAST | ✅ | |
| SCA: Vulnerability Scanning | ✅ | ✅ |
| SCA: Open Source Audit | ✅ | ✅ |
| Fuzz Testing | ✅ |
Feature Comparison
| FEATURES |
|
|
|---|---|---|
|
Static Application Security Testing
GitLab allows easily running Static Application Security Testing (SAST) in CI/CD pipelines; checking for vulnerable source code or well known security bugs in the libraries that are included by the application. Results are then shown in the Merge Request and in the Pipeline view. This feature is available as part of Auto DevOps to provide security-by-default. |
|
|
|
Secret Detection
GitLab allows you to perform Secret Detection in CI/CD pipelines; checking for unintentionally committed secrets and credentials. Results are then shown in the Merge Request and in the Pipeline view. This feature is available as part of Auto DevOps to provide security-by-default. |
|
|
|
Dependency Scanning
GitLab automatically detects well known security bugs in the libraries that are included by the application, protecting your application from vulnerabilities that affect dependencies that are used dynamically. Results are then shown in the Merge Request and in the Pipeline view. This feature is available as part of Auto DevOps to provide security-by-default. |
|
|
|
Dynamic Application Security Testing
Once your application is online, GitLab allows running Dynamic Application Security Testing (DAST) in CI/CD pipelines; your application will be scanned to ensure threats like XSS or broken authentication flaws are not affecting it. Results are then shown in the Merge Request and in the Pipeline view. This feature is available as part of Auto DevOps to provide security-by-default. |
|
|
|
Interactive Application Security Testing
IAST combines elements of static and dynamic application security testing methods to improve the overall quality of the results. IAST typically uses an agent to instrument the application to monitor library calls and more. GitLab does not yet offer this feature. |
|
|
|
Container Scanning
When building a Docker image for your application, GitLab can run a security scan to ensure it does not have any known vulnerability in the environment where your code is shipped. Results are then shown in the Merge Request and in the Pipeline view. This feature is available as part of Auto DevOps to provide security-by-default. |
|
|
|
License Compliance
Check that licenses of your dependencies are compatible with your application, and approve or deny them. Results are then shown in the Merge Request and in the Pipeline view. |
|
|
|
On-demand Dynamic Application Security Testing
There’s no reason to wait for the next CI pipeline run to find out if your site if vulnerable or to reproduce a previously found vulnerability. GitLab offers scanning your running application with On-demand Dynamic Application Security Testing (DAST), independent of code changes or merge requests. |
|
|
|
Site and Scanner profiles for On-demand DAST scans
Reuse configuration profiles quickly with on-demand DAST scans, instead of reconfiguring scans every time you need to run one. Mix different scan profiles with site profiles to quickly conduct scans that cover different areas or depths of your application and API. |
|
|
|
DAST Configuration UI
Enabling DAST is now as simple as three clicks. This guided configuration experience makes it easier for non-CI experts to get started with GitLab DAST. The tool helps a user create a merge request to enable DAST scanning while leveraging best configuration practices like using the GitLab-managed |
|
|
Git is a trademark of Software Freedom Conservancy and our use of 'GitLab' is under license
