[{"data":1,"prerenderedAt":731},["ShallowReactive",2],{"/en-us/blog/building-gitlab-with-gitlab-api-fuzzing-workflow/":3,"navigation-en-us":38,"banner-en-us":467,"footer-en-us":484,"Mike Eddington-Eugene Lim":694,"next-steps-en-us":716},{"_path":4,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"seo":8,"content":16,"config":28,"_id":31,"_type":32,"title":33,"_source":34,"_file":35,"_stem":36,"_extension":37},"/en-us/blog/building-gitlab-with-gitlab-api-fuzzing-workflow","blog",false,"",{"title":9,"description":10,"ogTitle":9,"ogDescription":10,"noIndex":6,"ogImage":11,"ogUrl":12,"ogSiteName":13,"ogType":14,"canonicalUrls":12,"schema":15},"Building GitLab with GitLab: Web API Fuzz Testing","Our new series shows how we dogfood new DevSecOps platform features to ready them for you. First up, security testing.","https://res.cloudinary.com/about-gitlab-com/image/upload/v1749659740/Blog/Hero%20Images/building-gitlab-with-gitlab-no-type.png","https://about.gitlab.com/blog/building-gitlab-with-gitlab-api-fuzzing-workflow","https://about.gitlab.com","article","\n                        {\n        \"@context\": \"https://schema.org\",\n        \"@type\": \"Article\",\n        \"headline\": \"Building GitLab with GitLab: Web API Fuzz Testing\",\n        \"author\": [{\"@type\":\"Person\",\"name\":\"Mike Eddington\"},{\"@type\":\"Person\",\"name\":\"Eugene Lim\"}],\n        \"datePublished\": \"2023-05-09\",\n      }",{"title":9,"description":10,"authors":17,"heroImage":11,"date":20,"body":21,"category":22,"tags":23},[18,19],"Mike Eddington","Eugene Lim","2023-05-09","At GitLab, we try to [dogfood\neverything](/handbook/product/product-processes/#dogfood-everything) to help\nus better understand the product, pain points, and configuration issues. We\nuse what we learn to build a more efficient, feature-rich platform and user\nexperience. In this first installment of our “Building GitLab with GitLab”\nseries, we will focus on security testing. We constantly strive to improve\nour security testing coverage and integrate it into our DevSecOps lifecycle.\nThese considerations formed the motivation for the API fuzzing dogfooding\nproject at GitLab. By sharing our lessons from building this workflow, we\nhope other teams can also learn how to integrate GitLab’s Web API Fuzz\nTesting and solve some common challenges.\n\n\n## What is Web API Fuzz Testing?\n\n\nWeb API Fuzz Testing involves generating and sending various unexpected\ninput parameters to a web API in an attempt to trigger unexpected behavior\nand errors in the API backend. By analyzing these errors, you can discover\nbugs and potential security issues missed by other scanners that focus on\nspecific vulnerabilities. GitLab's Web API Fuzz Testing complements and\nshould be run in addition to GitLab Secure’s other security scanners such as\nstatic application security testing\n([SAST](https://docs.gitlab.com/ee/user/application_security/sast/)) and\ndynamic application security testing\n([DAST](https://docs.gitlab.com/ee/user/application_security/dast/)) APIs.\n\n\n## Auto-generating an OpenAPI specification\n\nTo run the Web API Fuzzing Analyzer, you need one of the following:\n\n* OpenAPI Specification - Version 2 or 3\n\n* GraphQL Schema\n\n* HTTP Archive (HAR)\n\n* Postman Collection - Version 2.0 or 2.1\n\n\nAt the start of the API fuzzing project, the [API Vision working\ngroup](/company/team/structure/working-groups/api-vision/) was also working\non an issue to automatically document [GitLab’s REST API endpoints in an\nOpenAPI specification](https://gitlab.com/groups/gitlab-org/-/epics/8636),\nso we worked with our colleague Andy Soiron on implementing it. Because\nGitLab uses the [grape](https://github.com/ruby-grape/grape) API framework,\nAndy had already identified and\n[tested](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/95877) the\n[grape-swagger](https://github.com/ruby-grape/grape-swagger) gem that\nauto-generates an OpenAPI v2 specification based on existing grape\nannotations. For example, the following API endpoint code:\n\n\n```\n     Class.new(Grape::API) do\n       format :json\n       desc 'This gets something.'\n       get '/something' do\n         { bla: 'something' }\n       end\n       add_swagger_documentation\n     end\n``` \n\nWill be parsed by grape-swagger into:\n\n\n```\n\n{\n  // rest of OpenAPI v2 specification\n  …\n  \"paths\": {\n    \"/something\": {\n      \"get\": {\n        \"description\": \"This gets something.\",\n        \"produces\": [\n          \"application/json\"\n        ],\n        \"operationId\": \"getSomething\",\n        \"responses\": {\n          \"200\": {\n            \"description\": \"This gets something.\"\n          }\n        }\n      }\n    }\n  }\n}\n\n```\n\n\n\nHowever, with almost 2,000 API operations with different requirements and\nformats, a lot of additional work needed to be done to resolve edge cases\nthat did not meet the requirements of grape-swagger or the OpenAPI format.\nFor example, one simple case was API endpoints that accept file parameters,\nsuch as the [upload metric image\nendpoint](https://docs.gitlab.com/ee/api/issues.html#upload-metric-image).\nGitLab uses the\n[Workhorse](https://gitlab.com/gitlab-org/gitlab/tree/master/workhorse)\nsmart reverse proxy to handle \"large\" HTTP requests such as file uploads. As\nsuch, file parameters must be of the type WorkhorseFile:\n\n\n\n```\n\nnamespace ':id/issues/:issue_iid/metric_images' do\n            …\n            desc 'Upload a metric image for an issue' do\n              success Entities::IssuableMetricImage\n            end\n            params do\n              requires :file, type: ::API::Validations::Types::WorkhorseFile, desc: 'The image file to be uploaded'\n              optional :url, type: String, desc: 'The url to view more metric info'\n              optional :url_text, type: String, desc: 'A description of the image or URL'\n            end\n            post do\n              require_gitlab_workhorse!\n```\n\n\nBecause grape-swagger does not recognize what OpenAPI type WorkhorseFile\ncorresponds to, it excludes the parameter from its output. We fixed this by\nadding a grape-swagger-specific documentation to override the type during\ngeneration:\n\n\n```\n             requires :file, type: ::API::Validations::Types::WorkhorseFile, desc: 'The image file to be uploaded', documentation: { type: 'file' }\n```\n\n\nHowever, not all edge cases could be resolved with a simple\nmatch-and-replace in the grape annotations. For example, Ruby on Rails\nsupports wildcard segment parameters. A route like `get\n'books/*section/:title'` would\nmatch`books/some/section/last-words-a-memoir`. In addition, the URI would be\nparsed such that the `section` path parameter would have the value\n`some/section` and the `title` path parameter would have the value\n`last-words-a-memoir`.\n\n\nCurrently, grape-swagger does not recognize these wildcard segments as path\nparameters. For example, the route would generate:\n\n\n```\n\n\"paths\": {\n  \"/api/v2/books/*section/{title}\": {\n    \"get\": {\n    ...\n      \"parameters\": [\n         {\n           \"in\": \"query\", \"name\": \"*section\"\n           ...\n  }\n}\n\n```\n\n\nInstead of the expected:\n\n\n```\n\n\"paths\": {\n  \"/api/v2/books/{section}/{title}\": {\n    \"get\": {\n    ...\n      \"parameters\": [\n         {\n           \"in\": \"path\", \"name\": \"section\"\n           ...\n  }\n}\n\n```\n\n\nAs such, we also needed to make several patches to grape-swagger, which we\nforked while waiting for the changes to be accepted upstream. Nevertheless,\nwith lots of careful checking and cooperation across teams, we managed to\nget the OpenAPI specification generated for most of the endpoints.\n\n\n## Performance tuning\n\n\nWith the OpenAPI specification, we could now begin with the API fuzzing.\nGitLab already uses the [Review\nApps](https://docs.gitlab.com/ee/ci/review_apps/) feature to generate\ntesting environments for some feature changes, providing a readily available\nfuzzing target. However, given the large number of endpoints, it would be\nimpossible to expect a standard shared runner to complete fuzzing in a\nsingle job. The Web API Fuzz Testing documentation includes a [performance\ntuning\nsection](https://docs.gitlab.com/ee/user/application_security/api_fuzzing/#performance-tuning-and-testing-speed)\nthat recommends the following:\n\n\n* using a multi-CPU Runner\n\n* excluding slow operations\n\n* splitting a test into multiple jobs\n\n* excluding operations in feature branches, but not default branch\n\n\nThe first recommendation was easy to implement with a dedicated fuzzing\nrunner. We recommend doing this for large scheduled fuzzing workflows,\nespecially if you select the Long-100 fuzzing profile. We also began\nexcluding slow operations by checking the job logs for the time taken to\ncomplete each operation. Along the way, we identified other endpoints that\nneeded to be excluded, such as the [revoke token\nendpoint](https://docs.gitlab.com/ee/api/personal_access_tokens.html#revoke-a-personal-access-token)\nthat prematurely ended the fuzzing session.\n\n\nSplitting the test into multiple jobs took the most effort due to the\nrequirements of the OpenAPI format. Each OpenAPI document includes a\nrequired set of objects and fields, so it is not simply a matter of\nsplitting after a fixed number of lines. Additionally, each operation relies\non entities defined in the definitions object, so we needed to ensure that\nwhen splitting the OpenAPI specification, the entities required by the\nendpoints were included. We also wrote a quick script to fill the example\nparameter data with actual data from the testing environment, such as\nproject IDs.\n\n\nWhile it was possible to run these scripts locally, then push the split jobs\nand OpenAPI specifications to the repository, this created a large number of\nchanges every time we updated the original OpenAPI specification. Instead,\nwe adapted the workflow to use dynamically generated child pipelines that\nwould split the OpenAPI document in a CI job, then generate a child pipeline\nwith jobs for each split document. This made iterating a lot easier and more\nagile. We have uploaded [the scripts and pipeline\nconfiguration](https://gitlab.com/eugene_lim/api-fuzzing-dogfooding) for\nreference.\n\n\nBy tweaking the number of parallel jobs and fuzzing profile, we were\neventually able to achieve a reasonably comprehensive fuzzing session in an\nacceptable time frame. When tuning your own fuzzing workflow, balancing\nthese trade-offs is essential.\n\n\n## Triaging the API fuzzing findings\n\n\nWith the fuzzing done, we were now confronted with hundreds of findings.\nUnlike DAST analyzers that try to detect specific vulnerabilities, Web API\nFuzz Testing looks for unexpected behavior and errors that may not\nnecessarily be vulnerabilities. This is why fuzzing faults discovered by the\nAPI Fuzzing Analyzer show up as vulnerabilities with a severity of\n“Unknown.” This requires more involved triaging.\n\n\nFortunately, the Web API fuzzer also outputs Postman collections as\nartifacts in the Vulnerability Report page. These collections allow you to\nquickly repeat requests that triggered a fault during fuzzing. For this\nstage of the fuzzing workflow, we recommend that you set up a local instance\nof the application so that you can easily check logs and debug specific\nfaults. In this case, we ran the [GitLab Development\nKit](https://gitlab.com/gitlab-org/gitlab-development-kit).\n\n\nMany of the faults occurred due to a lack of error handling for unexpected\ninputs. We created issues from the Vulnerability Report page, and if we\nfound that a particular fault had the same root cause as a previously\ntriaged fault, we linked the vulnerability to the original issue instead.\n\n\n## Lessons learned\n\n\nThe API fuzzing dogfooding project turned out to be a fruitful exercise that\nbenefited other workstreams at GitLab, such as the API documentation\nproject. In addition, tuning and triaging helped us identify key pain points\nin the process for improvement. Automated API documentation generation is\ndifficult even with OpenAPI, particularly on a long-lived codebase. GitLab’s\nexisting annotations and tests helped speed up documentation via a\ndistributed, asynchronous workflow across multiple teams. In addition, many\nGitLab features such as Review Apps, Vulnerability Reports, and dynamically\ngenerated child pipelines helped us build a robust fuzzing workflow.\n\n\nThere are still many improvements that can be made to the workflow. Moving\nto OpenAPI v3 could improve endpoint coverage. The Secure team also wrote a\n[HAR Recorder](https://gitlab.com/gitlab-org/security-products/har-recorder)\ntool that could help generate HAR files on the fly instead of relying on\nstatic documentation. For now, due to the high compute cost of fuzzing\nthousands of operations in GitLab’s API, the workflow is better suited to a\nscheduled pipeline instead of GitLab’s core pipeline.\n\n\nFor teams that have already implemented several layers of static and dynamic\nchecks and want to take further steps to increase coverage, we recommend\ntrying a Web API fuzzing exercise as a way to validate assumptions and\ndiscover “unknown unknowns” in your code.\n\n\nWe encourage you to get familiar with API fuzzing and let us know how it\nworks for you. If you face any issues or have any feedback, please file an\nissue at the [issue tracker on\nGitLab.com](https://gitlab.com/gitlab-org/gitlab/-/issues/). Use the\n`~\"Category:API Security\"` label when opening a new issue regarding API\nfuzzing to ensure it is quickly reviewed by the appropriate team members.\n","engineering",[24,25,24,26,27],"inside GitLab","security","testing","tutorial",{"slug":29,"featured":6,"template":30},"building-gitlab-with-gitlab-api-fuzzing-workflow","BlogPost","content:en-us:blog:building-gitlab-with-gitlab-api-fuzzing-workflow.yml","yaml","Building Gitlab With Gitlab Api Fuzzing Workflow","content","en-us/blog/building-gitlab-with-gitlab-api-fuzzing-workflow.yml","en-us/blog/building-gitlab-with-gitlab-api-fuzzing-workflow","yml",{"_path":39,"_dir":40,"_draft":6,"_partial":6,"_locale":7,"data":41,"_id":463,"_type":32,"title":464,"_source":34,"_file":465,"_stem":466,"_extension":37},"/shared/en-us/main-navigation","en-us",{"logo":42,"freeTrial":47,"sales":52,"login":57,"items":62,"search":394,"minimal":425,"duo":444,"pricingDeployment":453},{"config":43},{"href":44,"dataGaName":45,"dataGaLocation":46},"/","gitlab logo","header",{"text":48,"config":49},"Get free trial",{"href":50,"dataGaName":51,"dataGaLocation":46},"https://gitlab.com/-/trial_registrations/new?glm_source=about.gitlab.com&glm_content=default-saas-trial/","free trial",{"text":53,"config":54},"Talk to sales",{"href":55,"dataGaName":56,"dataGaLocation":46},"/sales/","sales",{"text":58,"config":59},"Sign in",{"href":60,"dataGaName":61,"dataGaLocation":46},"https://gitlab.com/users/sign_in/","sign in",[63,107,205,210,315,375],{"text":64,"config":65,"cards":67,"footer":90},"Platform",{"dataNavLevelOne":66},"platform",[68,74,82],{"title":64,"description":69,"link":70},"The most comprehensive AI-powered DevSecOps Platform",{"text":71,"config":72},"Explore our Platform",{"href":73,"dataGaName":66,"dataGaLocation":46},"/platform/",{"title":75,"description":76,"link":77},"GitLab Duo (AI)","Build software faster with AI at every stage of development",{"text":78,"config":79},"Meet GitLab Duo",{"href":80,"dataGaName":81,"dataGaLocation":46},"/gitlab-duo/","gitlab duo ai",{"title":83,"description":84,"link":85},"Why GitLab","10 reasons why Enterprises choose GitLab",{"text":86,"config":87},"Learn more",{"href":88,"dataGaName":89,"dataGaLocation":46},"/why-gitlab/","why gitlab",{"title":91,"items":92},"Get started with",[93,98,103],{"text":94,"config":95},"Platform Engineering",{"href":96,"dataGaName":97,"dataGaLocation":46},"/solutions/platform-engineering/","platform engineering",{"text":99,"config":100},"Developer Experience",{"href":101,"dataGaName":102,"dataGaLocation":46},"/developer-experience/","Developer experience",{"text":104,"config":105},"MLOps",{"href":106,"dataGaName":104,"dataGaLocation":46},"/topics/devops/the-role-of-ai-in-devops/",{"text":108,"left":109,"config":110,"link":112,"lists":116,"footer":187},"Product",true,{"dataNavLevelOne":111},"solutions",{"text":113,"config":114},"View all Solutions",{"href":115,"dataGaName":111,"dataGaLocation":46},"/solutions/",[117,142,166],{"title":118,"description":119,"link":120,"items":125},"Automation","CI/CD and automation to accelerate deployment",{"config":121},{"icon":122,"href":123,"dataGaName":124,"dataGaLocation":46},"AutomatedCodeAlt","/solutions/delivery-automation/","automated software delivery",[126,130,134,138],{"text":127,"config":128},"CI/CD",{"href":129,"dataGaLocation":46,"dataGaName":127},"/solutions/continuous-integration/",{"text":131,"config":132},"AI-Assisted Development",{"href":80,"dataGaLocation":46,"dataGaName":133},"AI assisted development",{"text":135,"config":136},"Source Code Management",{"href":137,"dataGaLocation":46,"dataGaName":135},"/solutions/source-code-management/",{"text":139,"config":140},"Automated Software Delivery",{"href":123,"dataGaLocation":46,"dataGaName":141},"Automated software delivery",{"title":143,"description":144,"link":145,"items":150},"Security","Deliver code faster without compromising security",{"config":146},{"href":147,"dataGaName":148,"dataGaLocation":46,"icon":149},"/solutions/security-compliance/","security and compliance","ShieldCheckLight",[151,156,161],{"text":152,"config":153},"Application Security Testing",{"href":154,"dataGaName":155,"dataGaLocation":46},"/solutions/application-security-testing/","Application security testing",{"text":157,"config":158},"Software Supply Chain Security",{"href":159,"dataGaLocation":46,"dataGaName":160},"/solutions/supply-chain/","Software supply chain security",{"text":162,"config":163},"Software Compliance",{"href":164,"dataGaName":165,"dataGaLocation":46},"/solutions/software-compliance/","software compliance",{"title":167,"link":168,"items":173},"Measurement",{"config":169},{"icon":170,"href":171,"dataGaName":172,"dataGaLocation":46},"DigitalTransformation","/solutions/visibility-measurement/","visibility and measurement",[174,178,182],{"text":175,"config":176},"Visibility & Measurement",{"href":171,"dataGaLocation":46,"dataGaName":177},"Visibility and Measurement",{"text":179,"config":180},"Value Stream Management",{"href":181,"dataGaLocation":46,"dataGaName":179},"/solutions/value-stream-management/",{"text":183,"config":184},"Analytics & Insights",{"href":185,"dataGaLocation":46,"dataGaName":186},"/solutions/analytics-and-insights/","Analytics and insights",{"title":188,"items":189},"GitLab for",[190,195,200],{"text":191,"config":192},"Enterprise",{"href":193,"dataGaLocation":46,"dataGaName":194},"/enterprise/","enterprise",{"text":196,"config":197},"Small Business",{"href":198,"dataGaLocation":46,"dataGaName":199},"/small-business/","small business",{"text":201,"config":202},"Public Sector",{"href":203,"dataGaLocation":46,"dataGaName":204},"/solutions/public-sector/","public sector",{"text":206,"config":207},"Pricing",{"href":208,"dataGaName":209,"dataGaLocation":46,"dataNavLevelOne":209},"/pricing/","pricing",{"text":211,"config":212,"link":214,"lists":218,"feature":302},"Resources",{"dataNavLevelOne":213},"resources",{"text":215,"config":216},"View all resources",{"href":217,"dataGaName":213,"dataGaLocation":46},"/resources/",[219,252,274],{"title":220,"items":221},"Getting started",[222,227,232,237,242,247],{"text":223,"config":224},"Install",{"href":225,"dataGaName":226,"dataGaLocation":46},"/install/","install",{"text":228,"config":229},"Quick start guides",{"href":230,"dataGaName":231,"dataGaLocation":46},"/get-started/","quick setup checklists",{"text":233,"config":234},"Learn",{"href":235,"dataGaLocation":46,"dataGaName":236},"https://university.gitlab.com/","learn",{"text":238,"config":239},"Product documentation",{"href":240,"dataGaName":241,"dataGaLocation":46},"https://docs.gitlab.com/","product documentation",{"text":243,"config":244},"Best practice videos",{"href":245,"dataGaName":246,"dataGaLocation":46},"/getting-started-videos/","best practice videos",{"text":248,"config":249},"Integrations",{"href":250,"dataGaName":251,"dataGaLocation":46},"/integrations/","integrations",{"title":253,"items":254},"Discover",[255,260,264,269],{"text":256,"config":257},"Customer success stories",{"href":258,"dataGaName":259,"dataGaLocation":46},"/customers/","customer success stories",{"text":261,"config":262},"Blog",{"href":263,"dataGaName":5,"dataGaLocation":46},"/blog/",{"text":265,"config":266},"Remote",{"href":267,"dataGaName":268,"dataGaLocation":46},"https://handbook.gitlab.com/handbook/company/culture/all-remote/","remote",{"text":270,"config":271},"TeamOps",{"href":272,"dataGaName":273,"dataGaLocation":46},"/teamops/","teamops",{"title":275,"items":276},"Connect",[277,282,287,292,297],{"text":278,"config":279},"GitLab Services",{"href":280,"dataGaName":281,"dataGaLocation":46},"/services/","services",{"text":283,"config":284},"Community",{"href":285,"dataGaName":286,"dataGaLocation":46},"/community/","community",{"text":288,"config":289},"Forum",{"href":290,"dataGaName":291,"dataGaLocation":46},"https://forum.gitlab.com/","forum",{"text":293,"config":294},"Events",{"href":295,"dataGaName":296,"dataGaLocation":46},"/events/","events",{"text":298,"config":299},"Partners",{"href":300,"dataGaName":301,"dataGaLocation":46},"/partners/","partners",{"backgroundColor":303,"textColor":304,"text":305,"image":306,"link":310},"#2f2a6b","#fff","Insights for the future of software development",{"altText":307,"config":308},"the source promo card",{"src":309},"https://res.cloudinary.com/about-gitlab-com/image/upload/v1758208064/dzl0dbift9xdizyelkk4.svg",{"text":311,"config":312},"Read the latest",{"href":313,"dataGaName":314,"dataGaLocation":46},"/the-source/","the source",{"text":316,"config":317,"lists":319},"Company",{"dataNavLevelOne":318},"company",[320],{"items":321},[322,327,333,335,340,345,350,355,360,365,370],{"text":323,"config":324},"About",{"href":325,"dataGaName":326,"dataGaLocation":46},"/company/","about",{"text":328,"config":329,"footerGa":332},"Jobs",{"href":330,"dataGaName":331,"dataGaLocation":46},"/jobs/","jobs",{"dataGaName":331},{"text":293,"config":334},{"href":295,"dataGaName":296,"dataGaLocation":46},{"text":336,"config":337},"Leadership",{"href":338,"dataGaName":339,"dataGaLocation":46},"/company/team/e-group/","leadership",{"text":341,"config":342},"Team",{"href":343,"dataGaName":344,"dataGaLocation":46},"/company/team/","team",{"text":346,"config":347},"Handbook",{"href":348,"dataGaName":349,"dataGaLocation":46},"https://handbook.gitlab.com/","handbook",{"text":351,"config":352},"Investor relations",{"href":353,"dataGaName":354,"dataGaLocation":46},"https://ir.gitlab.com/","investor relations",{"text":356,"config":357},"Trust Center",{"href":358,"dataGaName":359,"dataGaLocation":46},"/security/","trust center",{"text":361,"config":362},"AI Transparency Center",{"href":363,"dataGaName":364,"dataGaLocation":46},"/ai-transparency-center/","ai transparency center",{"text":366,"config":367},"Newsletter",{"href":368,"dataGaName":369,"dataGaLocation":46},"/company/contact/","newsletter",{"text":371,"config":372},"Press",{"href":373,"dataGaName":374,"dataGaLocation":46},"/press/","press",{"text":376,"config":377,"lists":378},"Contact us",{"dataNavLevelOne":318},[379],{"items":380},[381,384,389],{"text":53,"config":382},{"href":55,"dataGaName":383,"dataGaLocation":46},"talk to sales",{"text":385,"config":386},"Get help",{"href":387,"dataGaName":388,"dataGaLocation":46},"/support/","get help",{"text":390,"config":391},"Customer portal",{"href":392,"dataGaName":393,"dataGaLocation":46},"https://customers.gitlab.com/customers/sign_in/","customer portal",{"close":395,"login":396,"suggestions":403},"Close",{"text":397,"link":398},"To search repositories and projects, login to",{"text":399,"config":400},"gitlab.com",{"href":60,"dataGaName":401,"dataGaLocation":402},"search login","search",{"text":404,"default":405},"Suggestions",[406,408,412,414,418,422],{"text":75,"config":407},{"href":80,"dataGaName":75,"dataGaLocation":402},{"text":409,"config":410},"Code Suggestions (AI)",{"href":411,"dataGaName":409,"dataGaLocation":402},"/solutions/code-suggestions/",{"text":127,"config":413},{"href":129,"dataGaName":127,"dataGaLocation":402},{"text":415,"config":416},"GitLab on AWS",{"href":417,"dataGaName":415,"dataGaLocation":402},"/partners/technology-partners/aws/",{"text":419,"config":420},"GitLab on Google Cloud",{"href":421,"dataGaName":419,"dataGaLocation":402},"/partners/technology-partners/google-cloud-platform/",{"text":423,"config":424},"Why GitLab?",{"href":88,"dataGaName":423,"dataGaLocation":402},{"freeTrial":426,"mobileIcon":431,"desktopIcon":436,"secondaryButton":439},{"text":427,"config":428},"Start free trial",{"href":429,"dataGaName":51,"dataGaLocation":430},"https://gitlab.com/-/trials/new/","nav",{"altText":432,"config":433},"Gitlab Icon",{"src":434,"dataGaName":435,"dataGaLocation":430},"https://res.cloudinary.com/about-gitlab-com/image/upload/v1758203874/jypbw1jx72aexsoohd7x.svg","gitlab icon",{"altText":432,"config":437},{"src":438,"dataGaName":435,"dataGaLocation":430},"https://res.cloudinary.com/about-gitlab-com/image/upload/v1758203875/gs4c8p8opsgvflgkswz9.svg",{"text":440,"config":441},"Get Started",{"href":442,"dataGaName":443,"dataGaLocation":430},"https://gitlab.com/-/trial_registrations/new?glm_source=about.gitlab.com/compare/gitlab-vs-github/","get started",{"freeTrial":445,"mobileIcon":449,"desktopIcon":451},{"text":446,"config":447},"Learn more about GitLab Duo",{"href":80,"dataGaName":448,"dataGaLocation":430},"gitlab duo",{"altText":432,"config":450},{"src":434,"dataGaName":435,"dataGaLocation":430},{"altText":432,"config":452},{"src":438,"dataGaName":435,"dataGaLocation":430},{"freeTrial":454,"mobileIcon":459,"desktopIcon":461},{"text":455,"config":456},"Back to pricing",{"href":208,"dataGaName":457,"dataGaLocation":430,"icon":458},"back to pricing","GoBack",{"altText":432,"config":460},{"src":434,"dataGaName":435,"dataGaLocation":430},{"altText":432,"config":462},{"src":438,"dataGaName":435,"dataGaLocation":430},"content:shared:en-us:main-navigation.yml","Main Navigation","shared/en-us/main-navigation.yml","shared/en-us/main-navigation",{"_path":468,"_dir":40,"_draft":6,"_partial":6,"_locale":7,"title":469,"button":470,"image":475,"config":479,"_id":481,"_type":32,"_source":34,"_file":482,"_stem":483,"_extension":37},"/shared/en-us/banner","is now in public beta!",{"text":471,"config":472},"Try the Beta",{"href":473,"dataGaName":474,"dataGaLocation":46},"/gitlab-duo/agent-platform/","duo banner",{"altText":476,"config":477},"GitLab Duo Agent Platform",{"src":478},"https://res.cloudinary.com/about-gitlab-com/image/upload/v1753720689/somrf9zaunk0xlt7ne4x.svg",{"layout":480},"release","content:shared:en-us:banner.yml","shared/en-us/banner.yml","shared/en-us/banner",{"_path":485,"_dir":40,"_draft":6,"_partial":6,"_locale":7,"data":486,"_id":690,"_type":32,"title":691,"_source":34,"_file":692,"_stem":693,"_extension":37},"/shared/en-us/main-footer",{"text":487,"source":488,"edit":494,"contribute":499,"config":504,"items":509,"minimal":682},"Git is a trademark of Software Freedom Conservancy and our use of 'GitLab' is under license",{"text":489,"config":490},"View page source",{"href":491,"dataGaName":492,"dataGaLocation":493},"https://gitlab.com/gitlab-com/marketing/digital-experience/about-gitlab-com/","page source","footer",{"text":495,"config":496},"Edit this page",{"href":497,"dataGaName":498,"dataGaLocation":493},"https://gitlab.com/gitlab-com/marketing/digital-experience/about-gitlab-com/-/blob/main/content/","web ide",{"text":500,"config":501},"Please contribute",{"href":502,"dataGaName":503,"dataGaLocation":493},"https://gitlab.com/gitlab-com/marketing/digital-experience/about-gitlab-com/-/blob/main/CONTRIBUTING.md/","please contribute",{"twitter":505,"facebook":506,"youtube":507,"linkedin":508},"https://twitter.com/gitlab","https://www.facebook.com/gitlab","https://www.youtube.com/channel/UCnMGQ8QHMAnVIsI3xJrihhg","https://www.linkedin.com/company/gitlab-com",[510,533,589,618,652],{"title":64,"links":511,"subMenu":516},[512],{"text":513,"config":514},"DevSecOps platform",{"href":73,"dataGaName":515,"dataGaLocation":493},"devsecops platform",[517],{"title":206,"links":518},[519,523,528],{"text":520,"config":521},"View plans",{"href":208,"dataGaName":522,"dataGaLocation":493},"view plans",{"text":524,"config":525},"Why Premium?",{"href":526,"dataGaName":527,"dataGaLocation":493},"/pricing/premium/","why premium",{"text":529,"config":530},"Why Ultimate?",{"href":531,"dataGaName":532,"dataGaLocation":493},"/pricing/ultimate/","why ultimate",{"title":534,"links":535},"Solutions",[536,541,543,545,550,555,559,562,566,571,573,576,579,584],{"text":537,"config":538},"Digital transformation",{"href":539,"dataGaName":540,"dataGaLocation":493},"/topics/digital-transformation/","digital transformation",{"text":152,"config":542},{"href":154,"dataGaName":152,"dataGaLocation":493},{"text":141,"config":544},{"href":123,"dataGaName":124,"dataGaLocation":493},{"text":546,"config":547},"Agile development",{"href":548,"dataGaName":549,"dataGaLocation":493},"/solutions/agile-delivery/","agile delivery",{"text":551,"config":552},"Cloud transformation",{"href":553,"dataGaName":554,"dataGaLocation":493},"/topics/cloud-native/","cloud transformation",{"text":556,"config":557},"SCM",{"href":137,"dataGaName":558,"dataGaLocation":493},"source code management",{"text":127,"config":560},{"href":129,"dataGaName":561,"dataGaLocation":493},"continuous integration & delivery",{"text":563,"config":564},"Value stream management",{"href":181,"dataGaName":565,"dataGaLocation":493},"value stream management",{"text":567,"config":568},"GitOps",{"href":569,"dataGaName":570,"dataGaLocation":493},"/solutions/gitops/","gitops",{"text":191,"config":572},{"href":193,"dataGaName":194,"dataGaLocation":493},{"text":574,"config":575},"Small business",{"href":198,"dataGaName":199,"dataGaLocation":493},{"text":577,"config":578},"Public sector",{"href":203,"dataGaName":204,"dataGaLocation":493},{"text":580,"config":581},"Education",{"href":582,"dataGaName":583,"dataGaLocation":493},"/solutions/education/","education",{"text":585,"config":586},"Financial services",{"href":587,"dataGaName":588,"dataGaLocation":493},"/solutions/finance/","financial services",{"title":211,"links":590},[591,593,595,597,600,602,604,606,608,610,612,614,616],{"text":223,"config":592},{"href":225,"dataGaName":226,"dataGaLocation":493},{"text":228,"config":594},{"href":230,"dataGaName":231,"dataGaLocation":493},{"text":233,"config":596},{"href":235,"dataGaName":236,"dataGaLocation":493},{"text":238,"config":598},{"href":240,"dataGaName":599,"dataGaLocation":493},"docs",{"text":261,"config":601},{"href":263,"dataGaName":5,"dataGaLocation":493},{"text":256,"config":603},{"href":258,"dataGaName":259,"dataGaLocation":493},{"text":265,"config":605},{"href":267,"dataGaName":268,"dataGaLocation":493},{"text":278,"config":607},{"href":280,"dataGaName":281,"dataGaLocation":493},{"text":270,"config":609},{"href":272,"dataGaName":273,"dataGaLocation":493},{"text":283,"config":611},{"href":285,"dataGaName":286,"dataGaLocation":493},{"text":288,"config":613},{"href":290,"dataGaName":291,"dataGaLocation":493},{"text":293,"config":615},{"href":295,"dataGaName":296,"dataGaLocation":493},{"text":298,"config":617},{"href":300,"dataGaName":301,"dataGaLocation":493},{"title":316,"links":619},[620,622,624,626,628,630,632,636,641,643,645,647],{"text":323,"config":621},{"href":325,"dataGaName":318,"dataGaLocation":493},{"text":328,"config":623},{"href":330,"dataGaName":331,"dataGaLocation":493},{"text":336,"config":625},{"href":338,"dataGaName":339,"dataGaLocation":493},{"text":341,"config":627},{"href":343,"dataGaName":344,"dataGaLocation":493},{"text":346,"config":629},{"href":348,"dataGaName":349,"dataGaLocation":493},{"text":351,"config":631},{"href":353,"dataGaName":354,"dataGaLocation":493},{"text":633,"config":634},"Sustainability",{"href":635,"dataGaName":633,"dataGaLocation":493},"/sustainability/",{"text":637,"config":638},"Diversity, inclusion and belonging (DIB)",{"href":639,"dataGaName":640,"dataGaLocation":493},"/diversity-inclusion-belonging/","Diversity, inclusion and belonging",{"text":356,"config":642},{"href":358,"dataGaName":359,"dataGaLocation":493},{"text":366,"config":644},{"href":368,"dataGaName":369,"dataGaLocation":493},{"text":371,"config":646},{"href":373,"dataGaName":374,"dataGaLocation":493},{"text":648,"config":649},"Modern Slavery Transparency Statement",{"href":650,"dataGaName":651,"dataGaLocation":493},"https://handbook.gitlab.com/handbook/legal/modern-slavery-act-transparency-statement/","modern slavery transparency statement",{"title":653,"links":654},"Contact Us",[655,658,660,662,667,672,677],{"text":656,"config":657},"Contact an expert",{"href":55,"dataGaName":56,"dataGaLocation":493},{"text":385,"config":659},{"href":387,"dataGaName":388,"dataGaLocation":493},{"text":390,"config":661},{"href":392,"dataGaName":393,"dataGaLocation":493},{"text":663,"config":664},"Status",{"href":665,"dataGaName":666,"dataGaLocation":493},"https://status.gitlab.com/","status",{"text":668,"config":669},"Terms of use",{"href":670,"dataGaName":671,"dataGaLocation":493},"/terms/","terms of use",{"text":673,"config":674},"Privacy statement",{"href":675,"dataGaName":676,"dataGaLocation":493},"/privacy/","privacy statement",{"text":678,"config":679},"Cookie preferences",{"dataGaName":680,"dataGaLocation":493,"id":681,"isOneTrustButton":109},"cookie preferences","ot-sdk-btn",{"items":683},[684,686,688],{"text":668,"config":685},{"href":670,"dataGaName":671,"dataGaLocation":493},{"text":673,"config":687},{"href":675,"dataGaName":676,"dataGaLocation":493},{"text":678,"config":689},{"dataGaName":680,"dataGaLocation":493,"id":681,"isOneTrustButton":109},"content:shared:en-us:main-footer.yml","Main Footer","shared/en-us/main-footer.yml","shared/en-us/main-footer",[695,707],{"_path":696,"_dir":697,"_draft":6,"_partial":6,"_locale":7,"content":698,"config":702,"_id":704,"_type":32,"title":18,"_source":34,"_file":705,"_stem":706,"_extension":37},"/en-us/blog/authors/mike-eddington","authors",{"name":18,"config":699},{"headshot":700,"ctfId":701},"https://res.cloudinary.com/about-gitlab-com/image/upload/v1749659488/Blog/Author%20Headshots/gitlab-logo-extra-whitespace.png","q5tK0TgB1ZovSwShKSvOJ",{"template":703},"BlogAuthor","content:en-us:blog:authors:mike-eddington.yml","en-us/blog/authors/mike-eddington.yml","en-us/blog/authors/mike-eddington",{"_path":708,"_dir":697,"_draft":6,"_partial":6,"_locale":7,"content":709,"config":712,"_id":713,"_type":32,"title":19,"_source":34,"_file":714,"_stem":715,"_extension":37},"/en-us/blog/authors/eugene-lim",{"name":19,"config":710},{"headshot":700,"ctfId":711},"6KHdIdghkUfSTzV2MzxNcj",{"template":703},"content:en-us:blog:authors:eugene-lim.yml","en-us/blog/authors/eugene-lim.yml","en-us/blog/authors/eugene-lim",{"_path":717,"_dir":40,"_draft":6,"_partial":6,"_locale":7,"header":718,"eyebrow":719,"blurb":720,"button":721,"secondaryButton":725,"_id":727,"_type":32,"title":728,"_source":34,"_file":729,"_stem":730,"_extension":37},"/shared/en-us/next-steps","Start shipping better software faster","50%+ of the Fortune 100 trust GitLab","See what your team can do with the intelligent\n\n\nDevSecOps platform.\n",{"text":48,"config":722},{"href":723,"dataGaName":51,"dataGaLocation":724},"https://gitlab.com/-/trial_registrations/new?glm_content=default-saas-trial&glm_source=about.gitlab.com/","feature",{"text":53,"config":726},{"href":55,"dataGaName":56,"dataGaLocation":724},"content:shared:en-us:next-steps.yml","Next Steps","shared/en-us/next-steps.yml","shared/en-us/next-steps",1758326223256]