GitLab vs Checkmarx Decision Kit

Checkmarx Summary

Checkmarx is a long-standing company with its roots in SAST. It is recognized as a Leader in the Gartner Application Security Testing Magic Quadrant.

Comparison to GitLab

Although Checkmarx has a more mature SAST offering, GitLab offers a much broader range of security testing capabilities, including DAST and Fuzz Testing. GitLab’s capabilities come integrated with the rest of GitLab out-of-the-box and do not require any special integration to shift the workflow left to the development team. GitLab customers report that GitLab generally has a better false positive rate than Checkmarx, which saves time when trying to find true vulnerabilities that really matter. Checkmarx’s established position in the security market and deep SAST capabilities are offset by GitLab’s lower price point and tighter integration with the rest of the software development lifecycle.

The Checkmarx vision is the closest to GitLab's among the AppSec vendors, but because Checkmarx must integrate into the rest of the SDLC via APIs, its path toward executing on that vision is more limited. Also, like the other AppSec vendors, Checkmarx is expensive. It is priced per developer, with a rough estimate of 12 developers for $59k USD per year or 50 developers for $99k USD per year. Checkmarx uses WhiteSource for dependency scanning and charges an extra $12k USD per year for this open source (SCA) scanning.

Checkmarx excels at being context aware: its analysis can mark a finding as not exploitable when the data-flow path shows it cannot be reached. GitLab lacks this capability. On the other hand, GitLab automatically runs broad security scanning on every code commit, including Static and Dynamic Application Security Testing, along with dependency scanning, container scanning, and license compliance. All of this is part of the single GitLab Ultimate application.

Security Scanning

Strengths and Weaknesses

GitLab strengths:
  •     Cost is significantly less expensive than Checkmarx
  •     Tight integration with developer workflow
  •     Complete range of application testing types (SAST, DAST, etc.) are included by default
  •     Comparatively low false positive rates

Checkmarx strengths:
  •     Strong offering across scanning types
  •     Good integration with IDEs and local developer environments
  •     Well known, market-leading SAST offering

GitLab weaknesses:
  •     GitLab’s SAST offering only scans code repositories today and cannot scan compiled binaries

Checkmarx weaknesses:
  •     SCA is essentially a brand new product and only available as an add-on to their SAST product
  •     DAST is only available as a managed service via a partnership
  •     Fuzz testing is not offered
  •     Each kind of testing is a separate piece of software that must be licensed, managed, and integrated with the DevOps lifecycle separately
  •     Operating system support to run the Checkmarx software is limited to Windows
  •     Significant tuning is required to reduce false positives

Feature Lineup

                                GitLab      Checkmarx
SAST                            yes         yes
DAST                            yes         managed service only
IAST                            no
SCA: Vulnerability Scanning     yes         yes (WhiteSource add-on)
SCA: Open Source Audit          yes
Fuzz Testing                    yes         not offered

Feature Comparison

Static Application Security Testing

极狐GitLab (JiHu GitLab) makes it easy to run Static Application Security Testing (SAST) in the CI/CD pipeline, checking source code for vulnerabilities and the libraries an application includes for known security issues, and shows the results in the merge request and pipeline views. This feature is provided as part of Auto DevOps to give security by default.

Learn more about Static Application Security Testing

Secret Detection

极狐GitLab lets you run secret detection in the pipeline to check whether a commit contains unnoticed secrets or credentials. Results are shown in the merge request and pipeline views. This feature is provided as part of Auto DevOps to give security by default.

Learn more about Secret Detection

Dependency Scanning

极狐GitLab automatically detects known security issues in the libraries your application includes, protecting the application from vulnerabilities in the dependencies it uses at runtime. Results are shown in the merge request and pipeline views, and the feature is provided as part of Auto DevOps to give security by default.

Learn more about Dependency Scanning

Dynamic Application Security Testing

Once the application is running, 极狐GitLab can run Dynamic Application Security Testing (DAST) in the CI/CD pipeline, scanning your application to make sure threats such as XSS or broken authentication cannot affect it. Results are shown in the merge request and pipeline views, and the feature is provided as part of Auto DevOps to give security by default.

Learn more about Dynamic Application Security Testing

Interactive Application Security Testing

IAST combines elements of static and dynamic application security testing methods to improve the overall quality of the results. IAST typically uses an agent to instrument the application to monitor library calls and more. GitLab does not yet offer this feature.

Container Scanning

When building the Docker image for your application, 极狐GitLab can run a security scan to make sure the image has no known vulnerabilities in the environment your code is delivered into. Results are then shown in the merge request and pipeline views. This feature is provided as part of Auto DevOps to give security by default.

Learn more about container scanning

License Compliance

Check whether the licenses of your dependencies are compatible with your application, then approve or deny them. Results are shown in the merge request and pipeline views.

Learn more about License Compliance
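Each of the scanners described above (SAST, secret detection, dependency scanning, DAST, container scanning, license compliance) is turned on from a project's .gitlab-ci.yml by including the CI template GitLab ships for it. The following configuration is an added example written for this page, not configuration taken from the page or from GitLab's documentation. The template names and the DAST_WEBSITE, DAST_FULL_SCAN_ENABLED, SECRET_DETECTION_HISTORIC_SCAN and CS_IMAGE variables are GitLab's own (the License-Scanning template was later merged into dependency scanning); the build-image job, the docker image tags and the https://staging.example.com target are assumed placeholders for a project that builds a container image and has a non-production deployment it is allowed to attack. Full results in the merge request widget and pipeline Security tab require GitLab Ultimate, as the page notes.

```yaml
# .gitlab-ci.yml (added example for this page; not the page's own configuration)
# Enables GitLab's built-in scanners by including the templates GitLab ships.
# The templates add their own jobs to the "test" and "dast" stages, so those
# stages must exist; "build" is ours, for the image container scanning inspects.
stages:
  - build
  - test
  - dast

include:
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  - template: Security/Container-Scanning.gitlab-ci.yml
  - template: Security/License-Scanning.gitlab-ci.yml
  - template: Security/DAST.gitlab-ci.yml

variables:
  # Assumed: container scanning should inspect the image built by build-image below.
  CS_IMAGE: $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
  # Assumed placeholder: a deployed, non-production instance for DAST to crawl.
  DAST_WEBSITE: https://staging.example.com
  # Keep DAST passive unless the target is one you are authorized to actively attack;
  # the active scan sends attack payloads that can modify or damage application data.
  DAST_FULL_SCAN_ENABLED: "false"
  # Secret detection normally scans only the commits in the pipeline; scanning
  # history catches credentials committed and "removed" before the scanner was enabled.
  SECRET_DETECTION_HISTORIC_SCAN: "true"

# Assumed job: build and push the application image so container scanning has a target.
build-image:
  stage: build
  image: docker:24
  services:
    - docker:24-dind
  script:
    # Feed the registry password on stdin rather than as a command-line argument.
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
    - docker build -t "$CS_IMAGE" .
    - docker push "$CS_IMAGE"
```

With this in place, SAST, secret detection, dependency scanning, license scanning and container scanning run in the test stage of every pipeline without any further integration work, and DAST runs in the dast stage against the deployed target. The DAST job is the one that needs care: point it at an environment you own and are cleared to test, and leave the active (full) scan disabled until that is true.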

On-demand Dynamic Application Security Testing

Waiting for the next CI pipeline run in order to check your site for vulnerabilities, or to reproduce a previously found one, makes no sense. 极狐GitLab provides on-demand Dynamic Application Security Testing (DAST) to scan a running application, and it can be run independently of code changes and merge requests.

Learn more about On-demand DAST

Site profiles for on-demand DAST scans

Quickly reuse configuration for on-demand DAST scans instead of reconfiguring it every time you need to run one. Combine different scanner profiles with site profiles to quickly run scans that cover different areas of the application or API, or scan to different depths.

Learn more about on-demand DAST site profiles