by throwaway5752 2445 days ago
It's frustrating to set up OWASP scans over and over again. Anything GitHub or GitLab or whoever can do to normalize audits (please, by all means check for CVEs on my dependencies, too) and static analysis is great. Make it something I can enable on my PR/MR workflow.
2 comments

Totally agree. With GitLab you can do static and dynamic code analysis, as well as dependency and container scanning on your PR/MR out of the box.

And your security team gets an organization-wide overview of the security results as well: https://docs.gitlab.com/ee/user/application_security/securit...

GitLab offers free security checks for opensource projects (https://about.gitlab.com/blog/2018/06/05/gitlab-ultimate-and...). Enabling these checks is as simple as this one-liner (https://docs.gitlab.com/ee/user/application_security/sast/in...):

include:
  template: SAST.gitlab-ci.yml

Now do the same with Dependency Scanning, Container Scanning, DAST and License Compliance if needed.

Note that Auto-DevOps enables this automatically.

On a general note, I agree with you: security should be available out of the box for everyone. Last month I created this issue for this purpose; feel free to comment on or watch it.
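For readers who want to see what "do the same with Dependency Scanning, Container Scanning, DAST and License Compliance" looks like once all the templates are wired together, here is an added example .gitlab-ci.yml. It is not taken from the thread or from GitLab's documentation. It assumes the template paths under Security/ that later GitLab releases ship (older releases used the bare SAST.gitlab-ci.yml form quoted above and License-Management instead of License-Scanning), assumes the container-scanning template's default image location of $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA, and uses a hypothetical staging URL for DAST.

```yaml
# .gitlab-ci.yml (added example; not from the thread or GitLab's own docs).
# Template names and the defaults mentioned below are assumptions about the
# GitLab version in use; check the template list shipped with your instance.

stages:
  - build
  - test   # the security templates place their jobs in "test"
  - dast   # the DAST template places its job in "dast"

include:
  - template: Security/SAST.gitlab-ci.yml                 # static analysis of source
  - template: Security/Dependency-Scanning.gitlab-ci.yml  # known CVEs in lockfile deps
  - template: Security/Container-Scanning.gitlab-ci.yml   # known CVEs in the built image
  - template: Security/DAST.gitlab-ci.yml                 # black-box scan of a running app
  - template: Security/License-Scanning.gitlab-ci.yml     # license compliance report

variables:
  # DAST scans a deployed, reachable instance, not the source tree. Point it at a
  # review or staging environment you own. Hypothetical URL.
  DAST_WEBSITE: "https://staging.example.internal"
  # Fail the scan job loudly on misconfiguration instead of passing with no results.
  SECURE_LOG_LEVEL: "info"

# Container Scanning only has something to scan if an image exists in the project
# registry before the "test" stage runs. Assumption: the template defaults to
# $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA, so build and push that tag.
build_image:
  stage: build
  image: docker:stable
  services:
    - docker:dind
  variables:
    IMAGE: "$CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA"
  script:
    # Feed the registry token via stdin; "-p" would expose it in the job log and
    # in the runner's process list.
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
    - docker build -t "$IMAGE" .
    - docker push "$IMAGE"

# The scanners upload JSON reports as job artifacts; the merge request widget and
# the organization-wide dashboard read those, so do not override "artifacts" on
# the template jobs unless you also keep the reports: section they define.
```

Two things to watch when copying this: Dependency Scanning finds nothing unless a supported lockfile (package-lock.json, Gemfile.lock, go.sum, and so on) is committed, and the scan jobs pass even when a scanner finds nothing to analyze, so check the job log the first time rather than assuming a green pipeline means a clean project.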