GitLab's integrated security scanning is transforming compliance in regulated industries, but here’s what most teams miss: scanning without evidence is just noise.
The complete security pipeline architecture
GitLab’s security arsenal includes:
- SAST (Static Application Security Testing): Catches vulnerabilities in source code before compilation.
- DAST (Dynamic Application Security Testing): Tests running applications for runtime vulnerabilities.
- Container Scanning: Analyses Docker images for known CVEs.
- Dependency Scanning: Identifies vulnerable dependencies in your supply chain.
- Secret Detection: Prevents credentials from entering your codebase.
- License Compliance: Ensures OSS licence compatibility.
The evidence game-changer: GitLab + Kosli
Integrating Kosli with GitLab creates an immutable evidence trail. Every scan, every finding, every remediation—captured as attestations that satisfy even the strictest auditors.
Implementation pattern
security-scan:
  stage: test
  script:
    # Run the SAST scan (the post's shorthand for GitLab's SAST job)
    - gitlab-sast-scan
    # Record the scan result as a Kosli attestation in the "production" flow
    - kosli attest artifact --name="sast-scan" --flow="production"
This creates a permanent, tamper-proof record linking your security scans to specific deployments. When auditors ask, “How do you ensure security scanning for every release?”, you show them the Kosli trail.
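The attestation is only as useful as the evidence behind it, so the scan job should also decide whether the findings are acceptable and write that decision down. The gate below is an added example, not Kosli's or GitLab's own code: it reads a report in the shape of GitLab's gl-sast-report.json (the sample is constructed), counts findings per severity, lists anything above an allowed threshold, and returns a summary that a later step could attach to the attestation (the Kosli flag names in the final comment are assumed).

```python
"""Gate a GitLab SAST report and produce an evidence summary for attestation."""
import json
import sys
from collections import Counter

# Severity levels as used in GitLab security reports, ranked for comparison.
SEVERITY_RANK = {"Critical": 5, "High": 4, "Medium": 3, "Low": 2, "Info": 1, "Unknown": 0}

# Constructed sample in the shape of gl-sast-report.json (not output of a real scan).
SAMPLE_REPORT = json.dumps({
    "version": "15.0.4",
    "scan": {"analyzer": {"id": "semgrep", "name": "Semgrep"}, "status": "success",
             "type": "sast", "start_time": "2024-01-01T00:00:00", "end_time": "2024-01-01T00:01:00"},
    "vulnerabilities": [
        {"id": "v1", "category": "sast", "name": "SQL injection", "severity": "High",
         "location": {"file": "app/db.py", "start_line": 42}},
        {"id": "v2", "category": "sast", "name": "Hard-coded secret", "severity": "Critical",
         "location": {"file": "app/config.py", "start_line": 7}},
        {"id": "v3", "category": "sast", "name": "Weak hash", "severity": "Low",
         "location": {"file": "app/util.py", "start_line": 19}},
    ],
})


def evaluate_sast_report(report_json: str, max_severity: str = "Medium") -> dict:
    """Return counts per severity, the findings above max_severity, and a compliant flag.

    compliant is True only when the scan itself succeeded and nothing exceeds the threshold;
    a failed or missing scan never counts as clean.
    """
    report = json.loads(report_json)
    scan = report.get("scan", {})
    scan_ok = scan.get("status") == "success"
    findings = report.get("vulnerabilities", [])
    counts = Counter(v.get("severity", "Unknown") for v in findings)
    threshold = SEVERITY_RANK[max_severity]
    blocking = [
        {"id": v["id"], "name": v["name"], "severity": v["severity"],
         "file": v["location"]["file"], "line": v["location"]["start_line"]}
        for v in findings if SEVERITY_RANK.get(v.get("severity", "Unknown"), 0) > threshold
    ]
    return {"analyzer": scan.get("analyzer", {}).get("id", "unknown"),
            "scan_status": "success" if scan_ok else "failed",
            "counts": dict(counts), "blocking": blocking,
            "compliant": scan_ok and not blocking}


if __name__ == "__main__":
    summary = evaluate_sast_report(SAMPLE_REPORT)
    with open("sast-summary.json", "w") as fh:   # evidence file for the attestation step
        json.dump(summary, fh, indent=2)
    # Assumed follow-up in the CI job: kosli attest generic --attachments sast-summary.json ...
    sys.exit(0 if summary["compliant"] else 1)    # non-zero exit fails the pipeline job
```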
For regulated industries, this means:
- Binary attestations prove what actually ran in production.
- Scan results are permanently linked to deployments.
- Compliance evidence is generated automatically, not retrospectively.
- Full traceability from commit to production with cryptographic proof.
The beauty: developers keep using GitLab as normal. Kosli captures the evidence in the background. Compliance becomes a by-product, not a burden.
What security evidence are you struggling to maintain?