GitLab 14.7 released with Streaming Audit Events, GitLab Runner compliance with FIPS 140-2, and Group Access Tokens
Today, we are excited to announce the release of GitLab 14.7 with Streaming Audit Events, GitLab Runner compliance with FIPS 140-2, Group Access Tokens and much more!
These are just a few highlights from the 25+ improvements in this release. Read on to check out all of the great updates.
To preview what's coming in next month’s release, check out our Upcoming Releases page, which includes our 14.8 release kickoff video.
This month's Most Valuable Person (MVP) is Fabio Huser
Fabio added support for group access tokens, including a UI and a REST API. The enormity of this contribution shows the breadth of effort this contribution spanned in: one epic, three issues, and over 250 community upvotes for this feature!
Previously, access tokens were only available at the project level. There was a workaround that allowed self-managed admins to generate a group access token via the rails console, but that left our SaaS customers in the dark.
Fabio’s contribution allows any user with the proper privileges to generate access tokens at the group level. These tokens can be generated with a pre-defined role, expiration date, and scope.
Thank you, Fabio, for your incredible contribution! 🙌
GitLab Runner compliant with FIPS 140-2
For some GitLab customers, U.S. government regulatory requirements require the use of FIPS (Federal Information Processing Standards) compliant software. The FIPS 140-2 and FIPS 140-3 publications define the security requirements for cryptographic modules used in computer and telecommunication systems, and within cyber systems that protect sensitive information. GitLab Runner is now FIPS 140-2 compliant for AMD64 compute architectures and Red Hat Enterprise Linux (RHEL) distributions. Refer to this epic to follow the discussions about making GitLab FIPS compliant.
Streaming audit events
You can now stream audit events to a destination of your choosing! This is a great way to correlate GitLab audit events with other data streams you have, maintain a backup of audit events, or build out your own automation to take action when a specific audit event happens.
You can specify an HTTPS endpoint with our new GraphQL API and events are sent to it as webhooks. These messages contain the same information as the Audit Events UI about what type of change happened, when it happened, who was involved, as well as some additional metadata.
After you receive those messages, you can filter based on person, type, or inject that data into another third-party tool. This is a great way to trigger any custom automation you have built if, for example, a new user is created or a key setting is changed. We’re excited to see what you use streaming audit events for and would love to hear from you about it! Let us know by commenting on the epic.
Group access tokens
With group access tokens, you can use a single token to perform actions for groups, manage the projects within the group, and, in GitLab 14.2 and later, authenticate with Git over HTTPS.
Previously, group access tokens were limited to self-managed instances only, and could only be generated using the Rails console. Now, you can create group access tokens using the UI and API. You can define token name, expiration date, and scope. You can also revoke an existing group access token.
Thank you Fabio Huser for your contribution!
Delete labels directly from the Edit Label page
In this release, we’ve added the ability to delete labels in the Edit Label page. This is a usability enhancement that finally allows users to delete labels instead of having a long list of labels called “deprecated”. This includes Admin, Project, and Group labels.
LDAP failover support
You can now specify multiple hosts (using hosts) in your GitLab LDAP configuration. GitLab will use the first reachable host. This ensures continuity of access to GitLab should one of your LDAP hosts become unresponsive.
Thanks to Mathieu Parent for the contribution!
Setting to enable personalization questions during group creation
In previous releases, we added personalization questions to the group creation process. This information might be helpful for our SaaS users on GitLab.com, but less helpful for self-managed instances. We found out that these additional questions confuse the users and complicate the group creation process. In this release, thanks to Jonas Wälter’s contribution, we’ve added the ability for GitLab administrators to disable these questions.
GitLab Runner 14.7
We’re also releasing GitLab Runner 14.7 today! GitLab Runner is the lightweight, highly-scalable agent that runs your build jobs and sends the results back to a GitLab instance. GitLab Runner works in conjunction with GitLab CI/CD, the open-source continuous integration service included with GitLab.
What’s new:
Bug Fixes:
The list of all changes is in the GitLab Runner CHANGELOG.
Sort Docker tags in the Container Registry browser
You can now sort the list of tags in the Container Registry tag details page by name. Previously, there was no sort functionality. This sometimes required you to scroll through many pages to find a specific tag. By default, the tags list is now sorted by name in ascending order. You may also change the sort order to descending. See this issue to track any further work on tag sorting.
Static Analysis analyzer updates
GitLab Static Analysis is comprised of a set of many security analyzers that the GitLab Static Analysis team actively manages, maintains, and updates. Below are the analyzer updates released during GitLab 14.7. These updates bring additional coverage, bug fixes, and improvements.
- Spotbugs updated to v2.28.12 - MR, Changelog
- Updates Log4j library to patched version (v4.5.3). See our updated blog post for more information.
- Code Climate updated to v0.85.26 - MR, Changelog
If you include the GitLab managed vendored SAST template (SAST.gitlab-ci.yml), you do not need to do anything to receive these updates. However, if you override or customize your own CI/CD template, you need to update your CI/CD configurations. To remain on a specific version of any analyzer, you can pin to a minor version of an analyzer. Pinning to a previous version prevents you from receiving automatic analyzer updates and requires you to manually bump your analyzer version in your CI/CD template.
OpenID Connect support for GitLab CI/CD
Connecting GitLab CI/CD to cloud providers using environment variables works fine for many use cases. However, it doesn’t scale well if you need advanced permissions management or would prefer a signed, short-lived, contextualized connection to your cloud provider. GitLab 12.10 shipped initial support for JWT token-based connection (CI_JOB_JWT) to enable HashiCorp Vault users to safely retrieve secrets. That implementation was restricted to Vault, while the logic we built JWT upon opened up the possibility to connect to other providers as well.
In GitLab 14.7, we are introducing a CI_JOB_JWT_V2 environment variable that can be used to connect to AWS, GCP, Vault, and likely many other cloud services. Please note that this is an alpha feature and not ready for production use. Your feedback is welcomed in this epic.
For AWS specifically, with the new CI_JOB_JWT_V2 variable, you can connect to AWS to retrieve secrets, or to deploy within your account. You can also manage access rights to your cluster using AWS IAM roles. You can read more on setting up OIDC connection with AWS.
The new variable is automatically injected into your pipeline but is not backward compatible with the current CI_JOB_JWT. Until GitLab 15.0, the CI_JOB_JWT will continue to work normally but this will change in a future release. We will notify you about the change in time. The secrets stanza today uses the CI_JOB_JWT_V1 variable. If you use the secrets stanza, you don’t have to make any changes yet.
Backup and restore supports package registry files
With the GitLab Package Registry, you can use GitLab as a private or public registry for a variety of supported package managers. Before GitLab 14.7, our backup and restore Rake tasks did not support package registry files. GitLab now includes package registry files in backups created with the command gitlab-backup create. Administrators no longer need to have a separate backup strategy for these files to protect against data loss. Note that this only applies to items stored in the file system. If you are storing package registry files using object storage, enable backups with your object storage provider.
Omnibus improvements
- GitLab 14.7 includes Mattermost 6.2, with private channel autocomplete, click to reply to a thread, ability to follow Playbook runs, Boards calendar view and @mention autocomplete, and much more. This version also includes security updates and upgrade from earlier versions is recommended.
- With GitLab 14.7, you can configure Redis to run behind SSL.
GitLab UI identifies to administrators that a user is locked
In previous versions of GitLab, administrators could not see in the UI that a user was locked. Now, the GitLab UI identifies locked users to administrators, which helps confirm they are locked.
Project names of records added to value stream stage table
The value stream analytics stage table for groups now includes the project name of each issue and merge request to help you better understand the data in the stage table.
Bulk delete artifacts with the API
While a good strategy for managing storage consumption is to set regular expiration policies for artifacts, sometimes you need to reduce items in storage right away. Previously, you might have used a script to automate the tedious task of deleting artifacts one by one with API calls, but now you can use a new API endpoint to bulk delete job artifacts quickly and easily.
Runner status badges in Admin view
You can now easily visualize the state of all the runners on your instance. The Admin Area for runners now includes status badges and big, bold numbers, so you can see critical data at a glance, improving your runner fleet management experience.
Major Gitleaks performance improvements
Building on the large rule expansion included in GitLab 14.5, we are updating our GitLab Secret Detection analyzer, Gitleaks, to the next major version 8. This new, major version includes massive performance updates and a complete rewrite of its core detection engine. Secret Detection historical scans should now run much faster, with a large reduction in memory usage. This means both faster detection and shorter (and more efficient) pipelines. This change also sets us up to make more performance improvements that will improve all non-historical Secret Detection job runs in the future.
Here’s some real world performance data showcasing the speed and memory decreases of v8:
- Large repo (~82K commits) https://github.com/rails/rails
- memory: 800 MB -> 120 MB (6.67x reduction)
- scan time: 28 minutes -> 1 minute 24 seconds (21x speedup)
- Medium Repo (~600 commits) https://github.com/zricethezav/gitleaks
- memory: 300 MB -> 30 MB (10x reduction)
- scan time: 27 seconds -> 8.9 seconds (3x speedup)
- Small Repo (~36 commits) - https://gitlab.com/gitlab-org/security-products/tests/secrets
- memory: 26 MB -> 8.4 MB (3x reduction)
- scan time: 315 ms -> 277 ms
We want to give Zachary Rice a special shoutout, as not only is he a member of the GitLab team, but he’s the creator and maintainer of the open source Gitleaks project, which has helped many organizations, both public and private, search their codebases for leaked secrets. We are thrilled to support his work with Gitleaks, as well as his contributions to the wider open source community.
Delete a GitLab Agent for Kubernetes from the UI
The GitLab Agent for Kubernetes is tested and adopted by hundreds of GitLab customers each month. A few users noticed that it’s not straightforward to remove a registered agent from GitLab. Until now, the agent could be removed only through the GraphQL API. Introduced in GitLab 14.7, you can delete an agent directly from the GitLab UI as well.
When you delete the agent, GitLab revokes its tokens and the given connection stops working immediately.
Backup and restore supports Terraform state files
The GitLab-managed Terraform state backend can store your Terraform state securely, sparing you the need to set up additional remote resources. Before GitLab 14.7, our backup and restore rake tasks did not support Terraform state files. GitLab now includes Terraform state files in backups created with the command gitlab-backup create. Administrators no longer need to have a separate backup strategy for these files to protect against data loss. Note that this only applies to items stored in the file system. If you are storing Terraform state files using object storage, enable backups with your object storage provider.
Go to Git blame from code search results
Users often want to understand more about code search results, such as when was a file changed or by whom. With GitLab 14.7, users can easily answer these questions with fewer clicks by using the View blame link in Global Search results. This change adds an additional link next to lines of code when hovering over results from a code search.
Bug fixes
Some of the notable bug fixes in GitLab 14.7 are:
- Failure to execute Dependency Scanning with some sbt and Yarn projects
- NuGet metadata doesn’t load with long/short version numbers
- Can’t delete malformed tags from the Container Registry
- Group SAML - Scheduled Pipelines Cannot Find Valid SSO Session
- API call to retrieve information of wrong token returns error “400” instead of “401”
- Azure DevOps - LFS sync issues
- Fixed asynchronously-triggered streaming audit events
- Duplicates in CI needs causes 500 response
- Fix filename is overflowing modal when importing
- Imported group membership not reflected in child project members API
- sidekiq-cluster throws errors for certain gitlab.yml configs
- Fix Incident sidebar in Issue Boards
- Group by Epic on issue board doesn’t show the right amount of issues
- An epic should store any content populated within it when a user navigates away, similar to issues
- Query timeouts while tracking running jobs in Runner Queue
- Container Scanning fails for “from scratch” Images
- Vulnerability related fields are available to unauthorized users on GraphQL API
Performance improvements
In every release, we continue to make great strides improving GitLab’s performance. We’re committed to making every GitLab instance faster. This includes GitLab.com, an instance with over 1 million users!
In GitLab 14.7, we’re shipping performance improvements for issues, projects, milestones, and much more! Some improvements in GitLab 14.7 are:
- Migrate package details page to
vue-router. - Migrate package list to
vue-router. - Improve epic swimlanes loading performance for group issue board
- Performance improvement in Markdown rendering
Usability improvements
In every release, we make great strides in improving the overall effectiveness and usefulness of our product.
We also have a UI Polish gallery to track important updates to our interfaces. These updates, while often small, improve your user experience.
In GitLab 14.7, we’re shipping usability improvements for issues, projects, milestones, and much more! We highlight the following changes in GitLab 14.7:
- Allow users to delete a malformed container tag in the UI.
- Only show the action menu if a user can delete a container image.
- Update project settings copy for merge trains support for fast forward merge
Deprecations
New deprecations and the complete list of all features that are currently deprecated can be viewed in the GitLab documentation.
from GitLab https://ift.tt/3nri3jf #GitLab #DevSecOps
Comments
Post a Comment