Published on: March 24, 2022
3 min read
Secure Code Warrior now offers integrated security training and guidance within the GitLab DevOps Platform.
Busy developers want to write secure code and fix any issues. But they often lack the time and resources to get it done efficiently.
To resolve vulnerabilities faster, developers need actionable advice from trusted sources of secure coding right inside the tools they use every day. Secure Code Warrior is proud to partner with GitLab to enable developers to ship safe code faster, utilizing actionable and highly relevant secure coding guidance that is accessible from within GitLab’s DevOps Platform. This integration was announced as part of GitLab’s 14.9 release.
GitLab is enabling developer-led security by getting scan results into the hands of those who can make fixes fast. Secure Code Warrior further strengthens this vision by bringing to GitLab one of the world’s largest libraries of secure coding and remediation content (6500+ interactive coding challenges, 56+ languages/frameworks, 150+ vulnerability categories), used by hundreds of thousands of professional developers across many industries. With this integration, secure coding guidance that is highly relevant to the detected vulnerabilities is easily accessible to developers with the click of a link in GitLab.
When GitLab’s vulnerability scanners detect code security issues in merge requests and/or pipeline scans, a security issue is created and the identified vulnerability descriptions or CWE IDs are added to the Vulnerability Details section. The integration uses the vulnerability information to get a link to learning resources that educate developers on finding and fixing that particular security problem.
For example, if the vulnerability scanners detected a Cross-Site Request Forgery (CSRF) in the application code, the vulnerability detail would be updated with the relevant training link.
When users click on the link, they are taken to SCW’s platform as shown below.
By completing an appropriate challenge they get the trusted guidance to resolve the CSRF vulnerability with confidence. This is also a highly effective way to retain the knowledge because:
As more teams adopt this workflow path to resolve vulnerabilities faster, they will gradually improve their MR rate and release quality and create secure code at speed. By embedding secure coding training within developer workflows, this integration automates and scales remediation support to all development teams and lets AppSec focus on risk monitoring and strengthening the security posture of the organization.
The partnership between Secure Code Warrior and GitLab is just getting started; follow us as we enable developers to build and release secure software at speed. We’d love you to try it out, and your feedback can help shape the future of the product.
Get more details on how to enable this integration.