Whenever Qualys scan finds out software vulnerability, say for example Java SDK or any software version that has a potential vulnerability, we search the web to find out the solution and usually install a later version or patch downloading from the web. The problem is, as we are downloading it from web and there are a number of servers where we patch and as an ultimate outcome different people downloads different version and so forth. So I want to create a repository for such binaries so that we use the same patch for all servers.
When I was thinking about the repo, obviously first thought came as GitHub.. But then I realized, it is for code version control and collaboration, not for the packaged software. The other option I am thinking is JFrog Artifactory which stores the binaries and the package software.
What is your recommendation?
Out of most of the VCS solutions out there, we found Gitlab was the most feature complete with a free community edition. Their DevSecops offering is also a very robust solution. Gitlab CI/CD was quite easy to setup and the direct integration with your VCS + CI/CD is also a bonus. Out of the box integration with major cloud providers, alerting through instant messages etc. are all extremely convenient. We push our CI/CD updates to MS Teams.
Gitlab as A LOT of features that GitHub and Azure DevOps are missing. Even if both GH and Azure are backed by Microsoft, GitLab being open source has a faster upgrade rate and the hosted by gitlab.com solution seems more appealing than anything else! Quick win: the UI is way better and the Pipeline is way easier to setup on GitLab!
At DeployPlace we use self-hosted GitLab, we have chosen GitLab as most of us are familiar with it. We are happy with all features GitLab provides, I can’t imagine our life without integrated GitLab CI. Another important feature for us is integrated code review tool, we use it every day, we use merge requests, code reviews, branching. To be honest, most of us have GitHub accounts as well, we like to contribute in open source, and we want to be a part of the tech community, but lack of solutions from GitHub in the area of CI doesn’t let us chose it for our projects.