by claytonjy 2467 days ago
GitLab hasn't generally seemed interested in these sorts of free scanning tools. I wonder if that's because their users are much more weighted towards private/self-hosted than GitHub's are? Because so little open source happens on GitLab, they can't buy good PR through this kind of strategy like GitHub can.

I've been looking quite a bit into this recently, and even though they might not be screaming it from the rooftops, GitLab offers quite a few security-related features. There are code scanning, dependency tracking, etc. features at various levels of readiness.

https://about.gitlab.com/devops-tools/
https://about.gitlab.com/stages-devops-lifecycle/secure/

They've had SAST tools for a few releases, but high up in the paid license types. With GitHub providing them for free, they may need to move them into CE.
Their scanning tools are "source available", but they're definitely not open-source. The license is gonna be a non-starter, but how they built their SAST tool [0] is actually quite interesting.

It just uses existing open-source analysis tools, but orchestrates them all into a single tool by coordinating a bunch of Docker images.

[0] https://gitlab.com/gitlab-org/security-products/sast
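An added example of the pattern the comment above describes, written here for illustration (it is my own sketch, not GitLab's orchestrator or any of its analyzers): look at which languages are present in a source tree, run one analyzer container per language with the tree mounted read-only and no network, and normalize each tool's differently-shaped JSON into one deduplicated report. The image names are placeholders; the three normalizers follow the JSON layouts of bandit, ESLint and gosec as I recall them, which is an assumption; the sample analyzer outputs are constructed so that `sample_runner` exercises the whole pipeline without Docker.

```python
"""Toy SAST orchestrator: per-language analyzer containers, one merged report.

Illustrative sketch, not GitLab's code. Image names are placeholders and the
sample outputs below are constructed, not real scan results.
"""
import json
import subprocess
from pathlib import Path

# Hypothetical analyzer catalogue: file extension -> (container image, tool name).
ANALYZERS = {
    ".py": ("example/bandit-analyzer:latest", "bandit"),
    ".js": ("example/eslint-analyzer:latest", "eslint"),
    ".go": ("example/gosec-analyzer:latest", "gosec"),
}


def detect_languages(files):
    """Return the sorted extensions in `files` for which an analyzer is known."""
    return sorted({Path(f).suffix for f in files} & set(ANALYZERS))


def docker_runner(image, src_dir):
    """Run one analyzer image over `src_dir` and parse its JSON stdout.

    The tree is mounted read-only and the container gets no network, so a
    compromised or misbehaving analyzer cannot alter the code it scans or
    exfiltrate it.
    """
    proc = subprocess.run(
        ["docker", "run", "--rm", "--network", "none",
         "-v", f"{src_dir}:/code:ro", image],
        check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


# Normalizers: each tool has its own output shape (assumed layouts, see lead-in);
# every finding is mapped into the same flat record.
def norm_bandit(raw):
    return [{"tool": "bandit", "file": r["filename"], "line": r["line_number"],
             "severity": r["issue_severity"].lower(), "rule": r["test_id"],
             "message": r["issue_text"]} for r in raw["results"]]


def norm_eslint(raw):
    sev = {1: "low", 2: "medium"}  # ESLint only knows warn (1) / error (2)
    return [{"tool": "eslint", "file": f["filePath"], "line": m["line"],
             "severity": sev.get(m["severity"], "unknown"), "rule": m["ruleId"],
             "message": m["message"]} for f in raw for m in f["messages"]]


def norm_gosec(raw):
    return [{"tool": "gosec", "file": i["file"], "line": int(i["line"]),
             "severity": i["severity"].lower(), "rule": i["rule_id"],
             "message": i["details"]} for i in raw["Issues"]]


NORMALIZERS = {"bandit": norm_bandit, "eslint": norm_eslint, "gosec": norm_gosec}
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3, "unknown": 4}


def orchestrate(files, src_dir, runner=docker_runner):
    """Run every applicable analyzer and merge the results into one report.

    Findings are deduplicated on (file, line, rule) and sorted by severity so
    the consumer sees a single list regardless of how many tools ran.
    """
    findings, seen = [], set()
    for ext in detect_languages(files):
        image, tool = ANALYZERS[ext]
        for f in NORMALIZERS[tool](runner(image, src_dir)):
            key = (f["file"], f["line"], f["rule"])
            if key in seen:
                continue
            seen.add(key)
            findings.append(f)
    findings.sort(key=lambda f: (SEVERITY_ORDER.get(f["severity"], 9),
                                 f["file"], f["line"]))
    return {"version": "1.0", "vulnerabilities": findings}


# Constructed sample inputs so the pipeline can be run without Docker.
SAMPLE_FILES = ["app/server.py", "app/static/main.js", "README.md"]
SAMPLE_OUTPUTS = {
    "example/bandit-analyzer:latest": {"results": [
        {"filename": "app/server.py", "line_number": 42, "issue_severity": "HIGH",
         "issue_text": "subprocess call with shell=True identified", "test_id": "B602"},
        # duplicate of the previous finding, to show deduplication
        {"filename": "app/server.py", "line_number": 42, "issue_severity": "HIGH",
         "issue_text": "subprocess call with shell=True identified", "test_id": "B602"},
        {"filename": "app/server.py", "line_number": 7, "issue_severity": "LOW",
         "issue_text": "Consider possible security implications of subprocess",
         "test_id": "B404"},
    ]},
    "example/eslint-analyzer:latest": [
        {"filePath": "app/static/main.js", "messages": [
            {"ruleId": "no-eval", "severity": 2, "line": 15,
             "message": "eval can be harmful."}]},
    ],
}


def sample_runner(image, src_dir):
    """Stand-in for docker_runner that returns the constructed outputs above."""
    return SAMPLE_OUTPUTS[image]


if __name__ == "__main__":
    print(json.dumps(orchestrate(SAMPLE_FILES, "/tmp/repo", runner=sample_runner),
                     indent=2))
```

The part worth copying is not the catalogue but the two boundaries: the runner is the only place that touches Docker, so the container flags (`--rm`, `--network none`, read-only mount) are set once for every analyzer, and each tool's output shape is confined to its normalizer, so adding a fourth scanner means one image entry and one small function rather than changes to the merge logic.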