Product Security Tooling Integration
# Context A key initiative of the Product Security Engineering team is to integrate existing tooling into the GitLab product. The purpose of this Epic is to identify, track, plan, and collaborate on the tools that will be integrated into the product. # List of Tools ## Tools we're actively working to integrate :warning: This is a list of tools that have some amount of work in-flight to integrate them | Tool Name + link | Brief Description | Integration Priority | Integration Epic | Status | |------------------|-------------------|----------------------|------------------|--------| | [VulnMapper](https://gitlab.com/gitlab-com/gl-security/threatmanagement/vulnerability-management/vulnerability-management-internal/vulnmapper) | Build an accurate view of vulnerabilities on external, internal and software assets for the purpose of managing and automating a broad-scope vulnerability management process | TBD | https://gitlab.com/groups/gitlab-com/gl-security/-/epics/292+ | Stopped for now ~https://gitlab.com/gitlab-com/gl-security/product-security/product-security-meta/-/issues/57+s~ | | [Tokinator](https://gitlab.com/gitlab-com/gl-security/appsec/tokinator) | monitors for leaked credentials | TBD | https://gitlab.com/groups/gitlab-com/gl-security/-/epics/294+ | Stopped for now (see Secret Detection Group roadmap for FY26 on their work) | | [Youtube Video Scanner](https://gitlab.com/gitlab-com/gl-security/security-research/video-scanner/youtube-video-scanner) | Monitors videos uploaded by team members to GitLab unfiltered for secrets leaking. [On its way](https://gitlab.com/gitlab-com/gl-security/security-research/security-research-terraform-config/-/merge_requests/31) to also look at images/videos uploaded by team members on GitLab itself. | TBD | https://gitlab.com/groups/gitlab-com/gl-security/-/epics/314 | Stopped for now (non-product-integration maintenance / development _is_ ocurring) | ## Tools we're considering integrating :warning: This is a list of tools that have been previously discussed as integration opportunities or are top candidates to be considered | Tool Name + link | Brief Description | Integration Priority | Integration Epic | |------------------|-------------------|----------------------|------------------| | [Inventory](https://gitlab.com/gitlab-com/gl-security/product-security/inventory/) | monitors our projects and violations of security best practices and standards | TBD | https://gitlab.com/groups/gitlab-com/gl-security/-/epics/298+ | | [Public MR Confidential Issue Detector](https://gitlab.com/gitlab-com/gl-security/product-security/appsec/tooling/public-mr-confidential-issue-detector) | monitors for public merge requests that should have been opened in our security mirror | TBD | https://gitlab.com/groups/gitlab-com/gl-security/-/epics/293+ | | [Depscore](https://gitlab.com/gitlab-com/gl-security/product-security/appsec/tooling/depscore) | runs dependency review checks on new/updated dependencies in gitlab-org/gitlab project. | TBD | https://gitlab.com/groups/gitlab-com/gl-security/-/epics/299+ | | [DepSASTer](https://gitlab.com/gitlab-com/gl-security/product-security/appsec/tooling/depsaster) | runs SAST on the dependencies used by GitLab | TBD | TBD | | [AppSec Escalator](https://gitlab.com/gitlab-private/gl-security/engineering-and-research/automation-team/escalator/appsec-escalator) | Uses the [Escalation Engine](https://gitlab.com/gitlab-com/gl-security/engineering-and-research/automation-team/escalator) to create an AppSec-focused rule-based workflow engine for GitLab issues | TBD | TBD | | [HackerOne Tooling](https://gitlab.com/gitlab-com/gl-security/engineering-and-research/automation-team/automation/-/issues/482) ([h1bot](https://gitlab.com/gitlab-private/gl-security/engineering-and-research/automation-team/kubernetes/secauto/h1bot), [h1-attchments](https://gitlab.com/gitlab-com/gl-security/engineering-and-research/automation-team/h1-attachments), [h1-gitlab](https://gitlab.com/gitlab-com/security-tools/h1-gitlab)) | A set of tools used by AppSec to assist with running our bug bounty program | TBD | https://gitlab.com/groups/gitlab-com/gl-security/-/epics/295+ | | [Package Hunter](https://gitlab.com/gitlab-org/security-products/package-hunter) | detects suspicious activity in dependencies at runtime | TBD | https://gitlab.com/groups/gitlab-com/gl-security/-/epics/303+ | | [Gandalf](https://internal.gitlab.com/handbook/security/product_security/infrastructure_security/tooling/gandalf/) | See internal handbook link | TBD | https://gitlab.com/groups/gitlab-com/gl-security/-/epics/304+ | ## Other tools we might consider integrating :warning: This is a list of tools that we _may_ want to integrate into the product, but haven't been actively discussed or considered | Tool Name + link | Brief Description | Integration Priority | Integration Epic | |------------------|-------------------|----------------------|------------------| | [Maintainer Watcher](https://gitlab.com/gitlab-com/gl-security/product-security/appsec/tooling/maintainer-watcher) | monitors potentially compromisable dependency maintainer accounts | TBD | https://gitlab.com/groups/gitlab-com/gl-security/-/epics/324+ | | [Group Variables Monitoring](https://gitlab.com/gitlab-com/gl-security/product-security/appsec/tooling/group-variables-monitoring) | dumps environment variables and then checks if there's anything beyond what would be expected in a default project | TBD | TBD | | [gemchecker](https://gitlab.com/gitlab-com/gl-security/product-security/appsec/tooling/gem-checker) | monitors suspicious activity on RubyGems.org for gems that we use at GitLab | TBD | TBD | | [security-release-tools](https://gitlab.com/gitlab-com/gl-security/product-security/appsec/tooling/security-release-tools) | Tools used by AppSec during the security release process | TBD | TBD | | [release-certification-tools](https://gitlab.com/gitlab-com/gl-security/product-security/appsec/tooling/release-certification-tools) | Tools used by the Federal AppSec team to perform [release certifications](https://handbook.gitlab.com/handbook/ceo/office-of-the-ceo/jihu-support/release-certification/) | Very Low | TBD | | [untamper-my-lockfile](https://gitlab.com/gitlab-org/frontend/untamper-my-lockfile/) | included in CI to prevent lockfile tampering | TBD | TBD | | [Escalation Engine](https://gitlab.com/gitlab-com/gl-security/engineering-and-research/automation-team/escalator) | A rule-based workflow engine for GitLab issues. The rulesets are executed in scheduled CI pipelines under [gitlab-private/gl-security/engineering-and-research/automation-team/escalator](https://gitlab.com/gitlab-private/gl-security/engineering-and-research/automation-team/escalator). | TBD | TBD | | [Phonebook](https://gitlab.com/gitlab-com/gl-security/engineering-and-research/automation-team/phonebook) | Service for GitLab team member lookup, using account information that has been added to Okta profiles | TBD | TBD | # Resources - [AppSec Automation and Monitoring handbook page](https://handbook.gitlab.com/handbook/security/product-security/application-security/application-security-automation-monitoring/)
epic