[{"data":1,"prerenderedAt":785},["ShallowReactive",2],{"/en-us/blog/browser-based-dast-feature-announcement":3,"navigation-en-us":38,"banner-en-us":438,"footer-en-us":448,"blog-post-authors-en-us-Isaac Dawson":690,"blog-related-posts-en-us-browser-based-dast-feature-announcement":704,"assessment-promotions-en-us":736,"next-steps-en-us":775},{"id":4,"title":5,"authorSlugs":6,"body":8,"categorySlug":9,"config":10,"content":14,"description":8,"extension":26,"isFeatured":12,"meta":27,"navigation":28,"path":29,"publishedDate":20,"seo":30,"stem":34,"tagSlugs":35,"__hash__":37},"blogPosts/en-us/blog/browser-based-dast-feature-announcement.yml","Browser Based Dast Feature Announcement",[7],"isaac-dawson",null,"product",{"slug":11,"featured":12,"template":13},"browser-based-dast-feature-announcement",false,"BlogPost",{"title":15,"description":16,"authors":17,"heroImage":19,"date":20,"body":21,"category":9,"tags":22},"Introducing browser-based DAST and integrated passive checks","We're working hard on reducing noise. Here's what you need to know about the status of our browser-based DAST offering today.",[18],"Isaac Dawson","https://res.cloudinary.com/about-gitlab-com/image/upload/v1749682466/Blog/Hero%20Images/vek-labs-e8ofKlNHdsg-unsplash.jpg","2022-10-19","The [DAST](/direction/application_security_testing/dynamic-analysis/dast/) and [Vulnerability Research](https://handbook.gitlab.com/handbook/engineering/development/sec/secure/vulnerability-research/) teams at GitLab are excited to announce we have fully [integrated passive checks](/releases/2022/08/22/gitlab-15-3-released/#browser-based-dast-passive-check-milestone) into our new [browser-based DAST analyzer](https://docs.gitlab.com/ee/user/application_security/dast/browser_based.html). Passive checks work by monitoring the network traffic to target applications while the web site is automatically crawled. This allows us to identify weaknesses that may exist without sending potentially disruptive network requests. This continues our effort to fully switch over to our browser-based analyzer for DAST in the coming months. If you are interested in using our new DAST analyzer please see our [documentation on how to configure a browser-based DAST scan](https://docs.gitlab.com/ee/user/application_security/dast/browser_based.html).\n\n## History of DAST at GitLab\n\nDAST was [officially launched](/releases/2018/01/22/gitlab-10-4-released/) as a part of the GitLab 10.4 release in January 2018. By utilizing the powerful OWASP [Zed Attack Proxy](https://www.zaproxy.org/) we were able to give our customers the ability to dynamically scan\ntheir web applications. From that initial minimal viable product, we have grown to the point where we are now running over a million scans a month.\n\nScanning web applications in the CI/CD context comes with challenges. Unlike [SAST](/direction/application_security_testing/static-analysis/sast/), which is relatively fast, dynamically scanning an application can take a significant amount of time. DAST is resource intensive as it needs to process each request and response to the target application. To ensure smooth operations for the majority of our customers we have to run under the assumption that our memory and CPU footprints should be as small as possible. Finally, and most likely the biggest pain point, is the disconnect that often occurs when trying to visualize or understand how a web application should be analyzed when one can not physically see any of the interactions between the scanner and the target application.\n\nZAP was originally built as a desktop application, meaning auditors could use it to see the target application while conducting their testing. Only by utilizing ZAP's scripting API could we make DAST scans viable in a CI/CD context. This surfaced some challenges: what is easy to configure in the UI may or may not be straightforward to adjust from a configuration file or a command line option.\n\nWhen reviewing our support tickets however, a very clear picture began to surface. Users were having the most problem with configuring authentication for their applications. This makes sense, as it is where the user interacts with the scanner the most. Modern applications almost require a browser to authenticate, due to relying on browser features like local or session storage. These features are commonly used for handling JSON Web Token (JWT) based authentication and authorization.\n\nIt should be noted that ZAP does have a browser based crawler extension, called AJAX Spider. This extension uses [Crawljax](https://github.com/crawljax/crawljax). GitLab provides this feature by supplying the correct CI/CD variable, but it is no longer recommended. AJAX Spider is however, only an extension, and does not represent a tight integration between the browser and the DAST tool.\n\n## A path forward\n\nWe needed a system where we could have full control over a browser to allow us to instrument interactions between a website and the DAST tool. A DAST tool which does not tightly integrate with a browser will be limited in its ability to fully interact with today's demanding web applications. Just some of the challenges of this are:\n\n- Single Page Applications (SPAs)\n- Complex, multi-step sign in features\n- Complex front-end frameworks\n- Utilization of built-in browser features (e.g. usage of localStorage or sessionStorage)\n\nA new DAST tool based completely off instrumenting a browser and written in Go would give GitLab a lot more control going forward. What started as a side project during nights and weekends began to show some promise. The Vulnerability Research and DAST teams worked together to assess the viability of building out this DAST analyzer. To allow us to take advantage of new features without having to implement the entire engine, we opted to continue to use ZAP as the proxy. This means our analyzer is forwarding all the browser traffic through ZAP, but processing logic of crawling and passive checks are now done in our engine. While we've been relatively quiet on our progress, we've been incrementally rolling out new features with almost every release. The end goal is to completely replace ZAP with our own engine.\n\n## Where we are today\n\nOf course the biggest announcement is that we have fully switched over to using our own vulnerability check system for passive checks. These checks replace ZAP's \"passive\" checks. The Vulnerability Research team invested a lot of time looking over how each ZAP plugin worked and determined whether it was worth implementing, or if it should be implemented differently. Alert fatigue is a real concern we share with our customers. By reducing the noise (false positives) in our DAST offering, we hope to reduce the chance of our customers ignoring real findings. As such, our goal is to significantly reduce the noise that is usually associated with DAST scan results, and this is achieved through three different methods:\n\n1. Not implementing certain checks\n2. Reducing false positives (incorrect findings)\n3. Aggregating true positives (real findings)\n\nPoint one is worth expanding upon. DAST vulnerabilities are unique in that in some cases the fix for a vulnerability is reliant on the browser or user-agent being modified, and not  the target application. Browsers increase their security directly or have it increased by deprecating features that were used in attacks. Browsers deciding to disable Flash is a good example of this – what was a vulnerability yesterday may no longer be a vulnerability today.\n\nZAP's check for [Charset mis-match](https://www.zaproxy.org/docs/alerts/90011/) is another case in point. After [researching](https://gitlab.com/gitlab-org/gitlab/-/issues/331218) what was possible in 2022, it turns out this is no longer an issue worth reporting. Other DAST tools report similar issues that are no longer realistically exploitable or worth reporting, so this is not just an issue with ZAP.\n\nReducing false positives is another major initiative, and one that led us to create a rather unique system for creating new vulnerability checks. Traditionally, DAST tools use a plugin architecture of hardcoded vulnerability checks. While quick to implement, they can have the downside of being difficult to understand or error prone. They are also harder to implement in a standardized way. At GitLab we opted to use a configuration-file-based check system, much like today's SAST tools.\n\nFinally, aggregating true positives allows us to merge similar issues into a single finding. These types of issues are usually fixed by a single configuration change, such as adding a security header.\n\nOur passive checks are almost entirely written in YAML, using a custom specification that allows us to define a check as text. Where this is not feasible, reusable components are written that can be referenced by various checks. Below is an example check that looks for the `X-Content-Type-Options` header in HTTP response headers and reports if it is missing the `nosniff` value.\n\n```yaml\n",[23,24,25],"testing","features","code review","yml",{},true,"/en-us/blog/browser-based-dast-feature-announcement",{"title":15,"description":16,"ogTitle":15,"ogDescription":16,"noIndex":12,"ogImage":19,"ogUrl":31,"ogSiteName":32,"ogType":33,"canonicalUrls":31},"https://about.gitlab.com/blog/browser-based-dast-feature-announcement","https://about.gitlab.com","article","en-us/blog/browser-based-dast-feature-announcement",[23,24,36],"code-review","sFJ9sYKRh69hL2Gyjvd0LxAX0prGXwiVT-gV-zG4L8s",{"data":39},{"logo":40,"freeTrial":45,"sales":50,"login":55,"items":60,"search":368,"minimal":399,"duo":418,"pricingDeployment":428},{"config":41},{"href":42,"dataGaName":43,"dataGaLocation":44},"/","gitlab logo","header",{"text":46,"config":47},"Get free trial",{"href":48,"dataGaName":49,"dataGaLocation":44},"https://gitlab.com/-/trial_registrations/new?glm_source=about.gitlab.com&glm_content=default-saas-trial/","free trial",{"text":51,"config":52},"Talk to sales",{"href":53,"dataGaName":54,"dataGaLocation":44},"/sales/","sales",{"text":56,"config":57},"Sign in",{"href":58,"dataGaName":59,"dataGaLocation":44},"https://gitlab.com/users/sign_in/","sign in",[61,88,183,188,289,349],{"text":62,"config":63,"cards":65},"Platform",{"dataNavLevelOne":64},"platform",[66,72,80],{"title":62,"description":67,"link":68},"The intelligent orchestration platform for DevSecOps",{"text":69,"config":70},"Explore our Platform",{"href":71,"dataGaName":64,"dataGaLocation":44},"/platform/",{"title":73,"description":74,"link":75},"GitLab Duo Agent Platform","Agentic AI for the entire software lifecycle",{"text":76,"config":77},"Meet GitLab Duo",{"href":78,"dataGaName":79,"dataGaLocation":44},"/gitlab-duo-agent-platform/","gitlab duo agent platform",{"title":81,"description":82,"link":83},"Why GitLab","See the top reasons enterprises choose GitLab",{"text":84,"config":85},"Learn more",{"href":86,"dataGaName":87,"dataGaLocation":44},"/why-gitlab/","why gitlab",{"text":89,"left":28,"config":90,"link":92,"lists":96,"footer":165},"Product",{"dataNavLevelOne":91},"solutions",{"text":93,"config":94},"View all Solutions",{"href":95,"dataGaName":91,"dataGaLocation":44},"/solutions/",[97,121,144],{"title":98,"description":99,"link":100,"items":105},"Automation","CI/CD and automation to accelerate deployment",{"config":101},{"icon":102,"href":103,"dataGaName":104,"dataGaLocation":44},"AutomatedCodeAlt","/solutions/delivery-automation/","automated software delivery",[106,110,113,117],{"text":107,"config":108},"CI/CD",{"href":109,"dataGaLocation":44,"dataGaName":107},"/solutions/continuous-integration/",{"text":73,"config":111},{"href":78,"dataGaLocation":44,"dataGaName":112},"gitlab duo agent platform - product menu",{"text":114,"config":115},"Source Code Management",{"href":116,"dataGaLocation":44,"dataGaName":114},"/solutions/source-code-management/",{"text":118,"config":119},"Automated Software Delivery",{"href":103,"dataGaLocation":44,"dataGaName":120},"Automated software delivery",{"title":122,"description":123,"link":124,"items":129},"Security","Deliver code faster without compromising security",{"config":125},{"href":126,"dataGaName":127,"dataGaLocation":44,"icon":128},"/solutions/application-security-testing/","security and compliance","ShieldCheckLight",[130,134,139],{"text":131,"config":132},"Application Security Testing",{"href":126,"dataGaName":133,"dataGaLocation":44},"Application security testing",{"text":135,"config":136},"Software Supply Chain Security",{"href":137,"dataGaLocation":44,"dataGaName":138},"/solutions/supply-chain/","Software supply chain security",{"text":140,"config":141},"Software Compliance",{"href":142,"dataGaName":143,"dataGaLocation":44},"/solutions/software-compliance/","software compliance",{"title":145,"link":146,"items":151},"Measurement",{"config":147},{"icon":148,"href":149,"dataGaName":150,"dataGaLocation":44},"DigitalTransformation","/solutions/visibility-measurement/","visibility and measurement",[152,156,160],{"text":153,"config":154},"Visibility & Measurement",{"href":149,"dataGaLocation":44,"dataGaName":155},"Visibility and Measurement",{"text":157,"config":158},"Value Stream Management",{"href":159,"dataGaLocation":44,"dataGaName":157},"/solutions/value-stream-management/",{"text":161,"config":162},"Analytics & Insights",{"href":163,"dataGaLocation":44,"dataGaName":164},"/solutions/analytics-and-insights/","Analytics and insights",{"title":166,"items":167},"GitLab for",[168,173,178],{"text":169,"config":170},"Enterprise",{"href":171,"dataGaLocation":44,"dataGaName":172},"/enterprise/","enterprise",{"text":174,"config":175},"Small Business",{"href":176,"dataGaLocation":44,"dataGaName":177},"/small-business/","small business",{"text":179,"config":180},"Public Sector",{"href":181,"dataGaLocation":44,"dataGaName":182},"/solutions/public-sector/","public sector",{"text":184,"config":185},"Pricing",{"href":186,"dataGaName":187,"dataGaLocation":44,"dataNavLevelOne":187},"/pricing/","pricing",{"text":189,"config":190,"link":192,"lists":196,"feature":276},"Resources",{"dataNavLevelOne":191},"resources",{"text":193,"config":194},"View all resources",{"href":195,"dataGaName":191,"dataGaLocation":44},"/resources/",[197,230,248],{"title":198,"items":199},"Getting started",[200,205,210,215,220,225],{"text":201,"config":202},"Install",{"href":203,"dataGaName":204,"dataGaLocation":44},"/install/","install",{"text":206,"config":207},"Quick start guides",{"href":208,"dataGaName":209,"dataGaLocation":44},"/get-started/","quick setup checklists",{"text":211,"config":212},"Learn",{"href":213,"dataGaLocation":44,"dataGaName":214},"https://university.gitlab.com/","learn",{"text":216,"config":217},"Product documentation",{"href":218,"dataGaName":219,"dataGaLocation":44},"https://docs.gitlab.com/","product documentation",{"text":221,"config":222},"Best practice videos",{"href":223,"dataGaName":224,"dataGaLocation":44},"/getting-started-videos/","best practice videos",{"text":226,"config":227},"Integrations",{"href":228,"dataGaName":229,"dataGaLocation":44},"/integrations/","integrations",{"title":231,"items":232},"Discover",[233,238,243],{"text":234,"config":235},"Customer success stories",{"href":236,"dataGaName":237,"dataGaLocation":44},"/customers/","customer success stories",{"text":239,"config":240},"Blog",{"href":241,"dataGaName":242,"dataGaLocation":44},"/blog/","blog",{"text":244,"config":245},"Remote",{"href":246,"dataGaName":247,"dataGaLocation":44},"https://handbook.gitlab.com/handbook/company/culture/all-remote/","remote",{"title":249,"items":250},"Connect",[251,256,261,266,271],{"text":252,"config":253},"GitLab Services",{"href":254,"dataGaName":255,"dataGaLocation":44},"/services/","services",{"text":257,"config":258},"Community",{"href":259,"dataGaName":260,"dataGaLocation":44},"/community/","community",{"text":262,"config":263},"Forum",{"href":264,"dataGaName":265,"dataGaLocation":44},"https://forum.gitlab.com/","forum",{"text":267,"config":268},"Events",{"href":269,"dataGaName":270,"dataGaLocation":44},"/events/","events",{"text":272,"config":273},"Partners",{"href":274,"dataGaName":275,"dataGaLocation":44},"/partners/","partners",{"backgroundColor":277,"textColor":278,"text":279,"image":280,"link":284},"#2f2a6b","#fff","Insights for the future of software development",{"altText":281,"config":282},"the source promo card",{"src":283},"https://res.cloudinary.com/about-gitlab-com/image/upload/v1758208064/dzl0dbift9xdizyelkk4.svg",{"text":285,"config":286},"Read the latest",{"href":287,"dataGaName":288,"dataGaLocation":44},"/the-source/","the source",{"text":290,"config":291,"lists":293},"Company",{"dataNavLevelOne":292},"company",[294],{"items":295},[296,301,307,309,314,319,324,329,334,339,344],{"text":297,"config":298},"About",{"href":299,"dataGaName":300,"dataGaLocation":44},"/company/","about",{"text":302,"config":303,"footerGa":306},"Jobs",{"href":304,"dataGaName":305,"dataGaLocation":44},"/jobs/","jobs",{"dataGaName":305},{"text":267,"config":308},{"href":269,"dataGaName":270,"dataGaLocation":44},{"text":310,"config":311},"Leadership",{"href":312,"dataGaName":313,"dataGaLocation":44},"/company/team/e-group/","leadership",{"text":315,"config":316},"Team",{"href":317,"dataGaName":318,"dataGaLocation":44},"/company/team/","team",{"text":320,"config":321},"Handbook",{"href":322,"dataGaName":323,"dataGaLocation":44},"https://handbook.gitlab.com/","handbook",{"text":325,"config":326},"Investor relations",{"href":327,"dataGaName":328,"dataGaLocation":44},"https://ir.gitlab.com/","investor relations",{"text":330,"config":331},"Trust Center",{"href":332,"dataGaName":333,"dataGaLocation":44},"/security/","trust center",{"text":335,"config":336},"AI Transparency Center",{"href":337,"dataGaName":338,"dataGaLocation":44},"/ai-transparency-center/","ai transparency center",{"text":340,"config":341},"Newsletter",{"href":342,"dataGaName":343,"dataGaLocation":44},"/company/contact/#contact-forms","newsletter",{"text":345,"config":346},"Press",{"href":347,"dataGaName":348,"dataGaLocation":44},"/press/","press",{"text":350,"config":351,"lists":352},"Contact us",{"dataNavLevelOne":292},[353],{"items":354},[355,358,363],{"text":51,"config":356},{"href":53,"dataGaName":357,"dataGaLocation":44},"talk to sales",{"text":359,"config":360},"Support portal",{"href":361,"dataGaName":362,"dataGaLocation":44},"https://support.gitlab.com","support portal",{"text":364,"config":365},"Customer portal",{"href":366,"dataGaName":367,"dataGaLocation":44},"https://customers.gitlab.com/customers/sign_in/","customer portal",{"close":369,"login":370,"suggestions":377},"Close",{"text":371,"link":372},"To search repositories and projects, login to",{"text":373,"config":374},"gitlab.com",{"href":58,"dataGaName":375,"dataGaLocation":376},"search login","search",{"text":378,"default":379},"Suggestions",[380,382,386,388,392,396],{"text":73,"config":381},{"href":78,"dataGaName":73,"dataGaLocation":376},{"text":383,"config":384},"Code Suggestions (AI)",{"href":385,"dataGaName":383,"dataGaLocation":376},"/solutions/code-suggestions/",{"text":107,"config":387},{"href":109,"dataGaName":107,"dataGaLocation":376},{"text":389,"config":390},"GitLab on AWS",{"href":391,"dataGaName":389,"dataGaLocation":376},"/partners/technology-partners/aws/",{"text":393,"config":394},"GitLab on Google Cloud",{"href":395,"dataGaName":393,"dataGaLocation":376},"/partners/technology-partners/google-cloud-platform/",{"text":397,"config":398},"Why GitLab?",{"href":86,"dataGaName":397,"dataGaLocation":376},{"freeTrial":400,"mobileIcon":405,"desktopIcon":410,"secondaryButton":413},{"text":401,"config":402},"Start free trial",{"href":403,"dataGaName":49,"dataGaLocation":404},"https://gitlab.com/-/trials/new/","nav",{"altText":406,"config":407},"Gitlab Icon",{"src":408,"dataGaName":409,"dataGaLocation":404},"https://res.cloudinary.com/about-gitlab-com/image/upload/v1758203874/jypbw1jx72aexsoohd7x.svg","gitlab icon",{"altText":406,"config":411},{"src":412,"dataGaName":409,"dataGaLocation":404},"https://res.cloudinary.com/about-gitlab-com/image/upload/v1758203875/gs4c8p8opsgvflgkswz9.svg",{"text":414,"config":415},"Get Started",{"href":416,"dataGaName":417,"dataGaLocation":404},"https://gitlab.com/-/trial_registrations/new?glm_source=about.gitlab.com/compare/gitlab-vs-github/","get started",{"freeTrial":419,"mobileIcon":424,"desktopIcon":426},{"text":420,"config":421},"Learn more about GitLab Duo",{"href":422,"dataGaName":423,"dataGaLocation":404},"/gitlab-duo/","gitlab duo",{"altText":406,"config":425},{"src":408,"dataGaName":409,"dataGaLocation":404},{"altText":406,"config":427},{"src":412,"dataGaName":409,"dataGaLocation":404},{"freeTrial":429,"mobileIcon":434,"desktopIcon":436},{"text":430,"config":431},"Back to pricing",{"href":186,"dataGaName":432,"dataGaLocation":404,"icon":433},"back to pricing","GoBack",{"altText":406,"config":435},{"src":408,"dataGaName":409,"dataGaLocation":404},{"altText":406,"config":437},{"src":412,"dataGaName":409,"dataGaLocation":404},{"title":439,"button":440,"config":445},"See how agentic AI transforms software delivery",{"text":441,"config":442},"Watch GitLab Transcend now",{"href":443,"dataGaName":444,"dataGaLocation":44},"/events/transcend/virtual/","transcend event",{"layout":446,"icon":447},"release","AiStar",{"data":449},{"text":450,"source":451,"edit":457,"contribute":462,"config":467,"items":472,"minimal":679},"Git is a trademark of Software Freedom Conservancy and our use of 'GitLab' is under license",{"text":452,"config":453},"View page source",{"href":454,"dataGaName":455,"dataGaLocation":456},"https://gitlab.com/gitlab-com/marketing/digital-experience/about-gitlab-com/","page source","footer",{"text":458,"config":459},"Edit this page",{"href":460,"dataGaName":461,"dataGaLocation":456},"https://gitlab.com/gitlab-com/marketing/digital-experience/about-gitlab-com/-/blob/main/content/","web ide",{"text":463,"config":464},"Please contribute",{"href":465,"dataGaName":466,"dataGaLocation":456},"https://gitlab.com/gitlab-com/marketing/digital-experience/about-gitlab-com/-/blob/main/CONTRIBUTING.md/","please contribute",{"twitter":468,"facebook":469,"youtube":470,"linkedin":471},"https://twitter.com/gitlab","https://www.facebook.com/gitlab","https://www.youtube.com/channel/UCnMGQ8QHMAnVIsI3xJrihhg","https://www.linkedin.com/company/gitlab-com",[473,520,574,618,645],{"title":184,"links":474,"subMenu":489},[475,479,484],{"text":476,"config":477},"View plans",{"href":186,"dataGaName":478,"dataGaLocation":456},"view plans",{"text":480,"config":481},"Why Premium?",{"href":482,"dataGaName":483,"dataGaLocation":456},"/pricing/premium/","why premium",{"text":485,"config":486},"Why Ultimate?",{"href":487,"dataGaName":488,"dataGaLocation":456},"/pricing/ultimate/","why ultimate",[490],{"title":491,"links":492},"Contact Us",[493,496,498,500,505,510,515],{"text":494,"config":495},"Contact sales",{"href":53,"dataGaName":54,"dataGaLocation":456},{"text":359,"config":497},{"href":361,"dataGaName":362,"dataGaLocation":456},{"text":364,"config":499},{"href":366,"dataGaName":367,"dataGaLocation":456},{"text":501,"config":502},"Status",{"href":503,"dataGaName":504,"dataGaLocation":456},"https://status.gitlab.com/","status",{"text":506,"config":507},"Terms of use",{"href":508,"dataGaName":509,"dataGaLocation":456},"/terms/","terms of use",{"text":511,"config":512},"Privacy statement",{"href":513,"dataGaName":514,"dataGaLocation":456},"/privacy/","privacy statement",{"text":516,"config":517},"Cookie preferences",{"dataGaName":518,"dataGaLocation":456,"id":519,"isOneTrustButton":28},"cookie preferences","ot-sdk-btn",{"title":89,"links":521,"subMenu":530},[522,526],{"text":523,"config":524},"DevSecOps platform",{"href":71,"dataGaName":525,"dataGaLocation":456},"devsecops platform",{"text":527,"config":528},"AI-Assisted Development",{"href":422,"dataGaName":529,"dataGaLocation":456},"ai-assisted development",[531],{"title":532,"links":533},"Topics",[534,539,544,549,554,559,564,569],{"text":535,"config":536},"CICD",{"href":537,"dataGaName":538,"dataGaLocation":456},"/topics/ci-cd/","cicd",{"text":540,"config":541},"GitOps",{"href":542,"dataGaName":543,"dataGaLocation":456},"/topics/gitops/","gitops",{"text":545,"config":546},"DevOps",{"href":547,"dataGaName":548,"dataGaLocation":456},"/topics/devops/","devops",{"text":550,"config":551},"Version Control",{"href":552,"dataGaName":553,"dataGaLocation":456},"/topics/version-control/","version control",{"text":555,"config":556},"DevSecOps",{"href":557,"dataGaName":558,"dataGaLocation":456},"/topics/devsecops/","devsecops",{"text":560,"config":561},"Cloud Native",{"href":562,"dataGaName":563,"dataGaLocation":456},"/topics/cloud-native/","cloud native",{"text":565,"config":566},"AI for Coding",{"href":567,"dataGaName":568,"dataGaLocation":456},"/topics/devops/ai-for-coding/","ai for coding",{"text":570,"config":571},"Agentic AI",{"href":572,"dataGaName":573,"dataGaLocation":456},"/topics/agentic-ai/","agentic ai",{"title":575,"links":576},"Solutions",[577,579,581,586,590,593,597,600,602,605,608,613],{"text":131,"config":578},{"href":126,"dataGaName":131,"dataGaLocation":456},{"text":120,"config":580},{"href":103,"dataGaName":104,"dataGaLocation":456},{"text":582,"config":583},"Agile development",{"href":584,"dataGaName":585,"dataGaLocation":456},"/solutions/agile-delivery/","agile delivery",{"text":587,"config":588},"SCM",{"href":116,"dataGaName":589,"dataGaLocation":456},"source code management",{"text":535,"config":591},{"href":109,"dataGaName":592,"dataGaLocation":456},"continuous integration & delivery",{"text":594,"config":595},"Value stream management",{"href":159,"dataGaName":596,"dataGaLocation":456},"value stream management",{"text":540,"config":598},{"href":599,"dataGaName":543,"dataGaLocation":456},"/solutions/gitops/",{"text":169,"config":601},{"href":171,"dataGaName":172,"dataGaLocation":456},{"text":603,"config":604},"Small business",{"href":176,"dataGaName":177,"dataGaLocation":456},{"text":606,"config":607},"Public sector",{"href":181,"dataGaName":182,"dataGaLocation":456},{"text":609,"config":610},"Education",{"href":611,"dataGaName":612,"dataGaLocation":456},"/solutions/education/","education",{"text":614,"config":615},"Financial services",{"href":616,"dataGaName":617,"dataGaLocation":456},"/solutions/finance/","financial services",{"title":189,"links":619},[620,622,624,626,629,631,633,635,637,639,641,643],{"text":201,"config":621},{"href":203,"dataGaName":204,"dataGaLocation":456},{"text":206,"config":623},{"href":208,"dataGaName":209,"dataGaLocation":456},{"text":211,"config":625},{"href":213,"dataGaName":214,"dataGaLocation":456},{"text":216,"config":627},{"href":218,"dataGaName":628,"dataGaLocation":456},"docs",{"text":239,"config":630},{"href":241,"dataGaName":242,"dataGaLocation":456},{"text":234,"config":632},{"href":236,"dataGaName":237,"dataGaLocation":456},{"text":244,"config":634},{"href":246,"dataGaName":247,"dataGaLocation":456},{"text":252,"config":636},{"href":254,"dataGaName":255,"dataGaLocation":456},{"text":257,"config":638},{"href":259,"dataGaName":260,"dataGaLocation":456},{"text":262,"config":640},{"href":264,"dataGaName":265,"dataGaLocation":456},{"text":267,"config":642},{"href":269,"dataGaName":270,"dataGaLocation":456},{"text":272,"config":644},{"href":274,"dataGaName":275,"dataGaLocation":456},{"title":290,"links":646},[647,649,651,653,655,657,659,663,668,670,672,674],{"text":297,"config":648},{"href":299,"dataGaName":292,"dataGaLocation":456},{"text":302,"config":650},{"href":304,"dataGaName":305,"dataGaLocation":456},{"text":310,"config":652},{"href":312,"dataGaName":313,"dataGaLocation":456},{"text":315,"config":654},{"href":317,"dataGaName":318,"dataGaLocation":456},{"text":320,"config":656},{"href":322,"dataGaName":323,"dataGaLocation":456},{"text":325,"config":658},{"href":327,"dataGaName":328,"dataGaLocation":456},{"text":660,"config":661},"Sustainability",{"href":662,"dataGaName":660,"dataGaLocation":456},"/sustainability/",{"text":664,"config":665},"Diversity, inclusion and belonging (DIB)",{"href":666,"dataGaName":667,"dataGaLocation":456},"/diversity-inclusion-belonging/","Diversity, inclusion and belonging",{"text":330,"config":669},{"href":332,"dataGaName":333,"dataGaLocation":456},{"text":340,"config":671},{"href":342,"dataGaName":343,"dataGaLocation":456},{"text":345,"config":673},{"href":347,"dataGaName":348,"dataGaLocation":456},{"text":675,"config":676},"Modern Slavery Transparency Statement",{"href":677,"dataGaName":678,"dataGaLocation":456},"https://handbook.gitlab.com/handbook/legal/modern-slavery-act-transparency-statement/","modern slavery transparency statement",{"items":680},[681,684,687],{"text":682,"config":683},"Terms",{"href":508,"dataGaName":509,"dataGaLocation":456},{"text":685,"config":686},"Cookies",{"dataGaName":518,"dataGaLocation":456,"id":519,"isOneTrustButton":28},{"text":688,"config":689},"Privacy",{"href":513,"dataGaName":514,"dataGaLocation":456},[691],{"id":692,"title":18,"body":8,"config":693,"content":695,"description":8,"extension":26,"meta":699,"navigation":28,"path":700,"seo":701,"stem":702,"__hash__":703},"blogAuthors/en-us/blog/authors/isaac-dawson.yml",{"template":694},"BlogAuthor",{"name":18,"config":696},{"headshot":697,"ctfId":698},"https://res.cloudinary.com/about-gitlab-com/image/upload/v1749669814/Blog/Author%20Headshots/idawson-headshot.jpg","idawson",{},"/en-us/blog/authors/isaac-dawson",{},"en-us/blog/authors/isaac-dawson","UpCqyNOSlM21joWN2Eu9Z_uC29MGdlJWAYDQImap3w8",[705,717,727],{"content":706,"config":715},{"title":707,"description":708,"authors":709,"heroImage":711,"body":712,"date":713,"category":9,"tags":714},"New GitLab metrics and registry features help reduce CI/CD bottlenecks","See how CI/CD Job Performance Metrics and Container Virtual Registry, currently in beta, help platform teams quickly spot slow jobs and simplify multi-registry container pulls.",[710],"Talia Armato-Helle","https://res.cloudinary.com/about-gitlab-com/image/upload/v1771438388/t6sts5qw4z8561gtlxiq.png","Platform and DevOps engineers spend too much time piecing together visibility across fragmented tools and managing infrastructure that should just work.\n\nTwo new GitLab features currently in beta tackle this from different angles but share the same goal: giving practitioners direct control over the CI/CD infrastructure they depend on, without adding another third-party tool. One surfaces job-level performance data right where you monitor pipelines. The other simplifies how you pull container images from multiple registries with built-in caching.\n\nBoth features are open for feedback now. Your input will help shape what ships next.\n\n## CI/CD Job Performance Metrics\n\n* **Available tiers:** GitLab Premium, GitLab Ultimate\n* **Status:** Limited-availability beta on GitLab.com; available on GitLab Self-Managed and GitLab Dedicated when ClickHouse is configured\n\nToday, there’s no simple way to see when a particular job’s duration starts increasing or which jobs are quietly dragging down your pipeline runtimes. Most teams either build custom dashboards or manually dig through logs to answer basic questions like:\n\n* Which jobs are slowest?  \n* Where are failure rates climbing?  \n* Which stage is the real bottleneck?\n\nCI/CD Job Performance Metrics changes that by adding a new job-focused panel to the CI/CD analytics page at the project level.\n\nFor each job in your pipelines, you can see:\n\n* Typical (P50, median) and worst‑case (P95) job duration, so you can quickly view normal versus slowest runs  \n* Failure rate, so you can spot fragile or flaky jobs  \n* Job name and stage, covering the last 30 days by default\n\nThe table is sortable, searchable by job name, and paginated, so platform teams get a single view to answer questions that previously required separate tools or custom reporting.\n\n**Try it now**\n\n* Navigate to your project and select **Analyze \\> CI/CD analytics**.  \n* Look for the CI/CD job performance metrics panel and sort by duration or failure rate to find your slowest or least reliable jobs.\n\n**Documentation**\n\n* [CI/CD analytics – CI/CD job performance metrics](https://docs.gitlab.com/user/analytics/ci_cd_analytics/#cicd-job-performance-metrics)\n\n**What’s coming next**\n\nWe’re working on stage-level grouping, so you can view aggregated metrics across your build, test, and deploy stages, and quickly understand where to focus optimization work.\n\n**Share your feedback:**\n\n* [CI/CD job performance metrics epic](https://gitlab.com/groups/gitlab-org/-/work_items/18548)\n\n## Container Virtual Registry\n\n**Tier:** GitLab Premium, GitLab Ultimate\n**Status:** Beta, API-ready in 18.9\n\nMost organizations pulling container images into CI/CD pipelines rely on multiple registries: Docker Hub, Harbor, Quay, and internal registries, to name a few. Managing authentication, availability, and caching across all of them is operational overhead that slows pipelines down and introduces fragility.\n\nThe Container Virtual Registry lets you create a single GitLab endpoint that pulls from multiple upstream container sources with built-in caching.\n\nInstead of configuring credentials and availability for each registry individually in your pipeline configuration, you can:\n\n* Point your pipelines at one GitLab virtual registry endpoint  \n* Configure multiple upstream registries (Docker Hub, Harbor, Quay, and others using long-lived token authentication)  \n* Let GitLab resolve image pulls automatically, with pull-through caching to reduce bandwidth costs and improve reliability\n\nFor teams evaluating GitLab as a container registry replacement, this closes a critical capability gap. For teams already managing multi-registry container workflows, it centralizes image management into GitLab and cuts down on repeated pulls.\n\n**What the beta supports today**\n\n* Upstream registries using long-lived token authentication: Docker Hub, Harbor, Quay, and other compatible registries  \n* Pull-through caching so commonly used images are served from GitLab after the first pull  \n* API-first configuration, with UI management in progress++\n\nCloud provider registries requiring IAM authentication (such as Amazon Elastic Container Registry, Google Artifact Registry, and Azure Container Registry) are being considered for future iterations.\n\n**Test it today**\n\n* The Container Virtual Registry is API-ready in 18.9.  \n* SaaS (GitLab.com): Request access through your CSM or by commenting on the feedback issue below to have the feature flag enabled for your group.  \n* Self-managed: Enable the feature flag and configure the virtual registry using the API.\n\n**Documentation**\n\n* [Container Virtual Registry API](https://docs.gitlab.com/api/container_virtual_registries/)  \n* [Pull container images from the virtual registry](https://docs.gitlab.com/user/packages/virtual_registry/container/#pull-container-images-from-the-virtual-registry)\n\n\n Watch this walkthrough of the Container Virtual Registry Beta:\n   \n\n  \u003Ciframe src=\"https://player.vimeo.com/video/1167512082?title=0&byline=0&portrait=0&badge=0&autopause=0&player_id=0&app_id=58479\" frameborder=\"0\" allow=\"autoplay; fullscreen; picture-in-picture; clipboard-write; encrypted-media; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" style=\"position:absolute;top:0;left:0;width:100%;height:100%;\" title=\"20260223_Container Virtual Registry Beta_V1\">\u003C/iframe>\u003C\u003Cscript src=\"https://player.vimeo.com/api/player.js\">\u003C/script>\n\n  \u003Cbr>\u003C/br>\n\n\n\n**Share your feedback:**\n\n* [Container virtual registry feedback issue](https://gitlab.com/gitlab-org/gitlab/-/issues/589630)\n\n## Help us build what matters\n\nEveryone in the GitLab community is a contributor. We built these betas based on community requests.\n\n* **CI/CD Job Performance Metrics** came from teams who had no easy way to see when build times started trending in the wrong direction, or which jobs were hurting pipeline reliability.  \n* **Container Virtual Registry** came from enterprise customers managing multiple registries and looking to reduce tool sprawl and bandwidth costs while evaluating GitLab as a central registry.\n\nYour feedback shapes what we create next. Try one or both of these betas, and share your experience in the linked feedback issues.\n\nThis is the first in a series of Core DevOps betas we plan to highlight. More are coming throughout the year, and we hope you’ll help us make them as useful as possible.\n","2026-02-25",[107,9,24],{"featured":28,"template":13,"slug":716},"new-gitlab-metrics-and-registry-features-help-reduce-ci-cd-bottlenecks",{"content":718,"config":725},{"title":719,"description":720,"heroImage":721,"date":713,"category":9,"tags":722},"GitLab Patch Release: 18.9.1, 18.8.5, 18.7.5","Learn more about this patch release for GitLab Community Edition and Enterprise Edition.","https://res.cloudinary.com/about-gitlab-com/image/upload/v1749661926/Blog/Hero%20Images/security-patch-blog-image-r2-0506-700x400-fy25_2x.jpg",[723,724],"patch releases","security releases",{"featured":12,"template":13,"externalUrl":726},"https://about.gitlab.com/releases/2026/02/25/patch-release-gitlab-18-9-1-released/",{"content":728,"config":734},{"title":729,"description":730,"heroImage":711,"date":731,"tags":732,"category":9},"GitLab 18.9 released","Read about GitLab Duo Agent Platform self-hosted models now available for cloud licenses, vulnerability resolution with GitLab Duo Agent Platform, and more.","2026-02-19",[9,733],"releases",{"featured":12,"template":13,"externalUrl":735},"https://about.gitlab.com/releases/2026/02/19/gitlab-18-9-released/",{"promotions":737},[738,752,763],{"id":739,"categories":740,"header":742,"text":743,"button":744,"image":749},"ai-modernization",[741],"ai-ml","Is AI achieving its promise at scale?","Quiz will take 5 minutes or less",{"text":745,"config":746},"Get your AI maturity score",{"href":747,"dataGaName":748,"dataGaLocation":242},"/assessments/ai-modernization-assessment/","modernization assessment",{"config":750},{"src":751},"https://res.cloudinary.com/about-gitlab-com/image/upload/v1772138786/qix0m7kwnd8x2fh1zq49.png",{"id":753,"categories":754,"header":755,"text":743,"button":756,"image":760},"devops-modernization",[9,558],"Are you just managing tools or shipping innovation?",{"text":757,"config":758},"Get your DevOps maturity score",{"href":759,"dataGaName":748,"dataGaLocation":242},"/assessments/devops-modernization-assessment/",{"config":761},{"src":762},"https://res.cloudinary.com/about-gitlab-com/image/upload/v1772138785/eg818fmakweyuznttgid.png",{"id":764,"categories":765,"header":767,"text":743,"button":768,"image":772},"security-modernization",[766],"security","Are you trading speed for security?",{"text":769,"config":770},"Get your security maturity score",{"href":771,"dataGaName":748,"dataGaLocation":242},"/assessments/security-modernization-assessment/",{"config":773},{"src":774},"https://res.cloudinary.com/about-gitlab-com/image/upload/v1772138786/p4pbqd9nnjejg5ds6mdk.png",{"header":776,"blurb":777,"button":778,"secondaryButton":783},"Start building faster today","See what your team can do with the intelligent orchestration platform for DevSecOps.\n",{"text":779,"config":780},"Get your free trial",{"href":781,"dataGaName":49,"dataGaLocation":782},"https://gitlab.com/-/trial_registrations/new?glm_content=default-saas-trial&glm_source=about.gitlab.com/","feature",{"text":494,"config":784},{"href":53,"dataGaName":54,"dataGaLocation":782},1772652066472]