Source code management and CI/CD pipeline orchestration are foundational infrastructure choices for any government DevSecOps program. GitLab and GitHub — the two dominant platforms — have each developed significant government-specific capabilities in recent years. The choice between them has real implications for compliance posture, operational model, and long-term program flexibility.
Platform Overview
GitLab is a single-application DevSecOps platform: source control, CI/CD, issue tracking, security scanning, container registry, package registry, and deployment automation are all built into a single product. GitLab can be deployed as:
- GitLab SaaS (gitlab.com): FedRAMP Moderate authorized
- GitLab Dedicated: single-tenant SaaS on AWS, pursuing or holding FedRAMP High authorization (check the FedRAMP marketplace for current status)
- GitLab self-managed: deployed in any environment, including classified
GitHub is primarily known for source control and has expanded into CI/CD (Actions) and the broader developer platform space through GitHub Advanced Security. GitHub deployments:
- GitHub.com: commercial SaaS, not FedRAMP authorized
- GitHub Enterprise Cloud: FedRAMP High authorized (government cloud)
- GitHub Enterprise Server: self-managed, deployable in classified environments
FedRAMP Authorization Status
Both platforms have FedRAMP authorized offerings for government use:
GitLab SaaS (gitlab.com): FedRAMP Moderate authorization through FedRAMP marketplace. Appropriate for systems with CUI and similar data classifications. GitLab Dedicated (single-tenant deployment) has pursued FedRAMP High authorization — check the FedRAMP marketplace for current status.
GitHub Enterprise Cloud: FedRAMP High authorized. This is a specific government offering separate from github.com. Organization data remains in a government-specific environment with appropriate access controls.
For classified systems, neither SaaS offering is appropriate. Both platforms support air-gapped self-managed deployments:
- GitLab self-managed on GovCloud or in classified environments
- GitHub Enterprise Server on-premises or on GovCloud infrastructure
CI/CD Pipeline Architecture
GitLab CI/CD: GitLab's built-in pipeline system (.gitlab-ci.yml) is tightly integrated with the source repository. Runners (the execution agents) can be deployed in any environment — GovCloud, on-premises, classified networks. The tight coupling between source control and pipeline is an advantage in classified environments where accessing multiple external services is a security concern.
GitLab's built-in security scanning (SAST, DAST, dependency scanning, container scanning, secret detection) runs as native pipeline jobs, so no third-party integrations are required for basic security scanning. This simplifies the FedRAMP boundary and reduces third-party risk.
GitHub Actions: GitHub's CI/CD system is highly extensible through the Actions marketplace. For government use, this extensibility is double-edged — the vast ecosystem of community Actions simplifies pipeline development but introduces supply chain risk. Government programs should restrict Action usage to vetted, pinned versions of specific Actions rather than using community Actions broadly.
GitHub Advanced Security (GHAS) provides SAST and secret scanning as platform-native features for GitHub Enterprise. Container scanning and DAST require integration with external tools.
DoD Software Factory Ecosystem
Multiple DoD Software Factories have made platform selections that inform contractor choices:
Platform One (USAF/DoD): Built primarily around GitLab on Big Bang (a Kubernetes deployment framework). Platform One provides a GitLab-based Software Factory available to DoD programs through its IL4 and IL5 environments.
Kessel Run: Uses both GitLab and GitHub depending on program and data sensitivity requirements.
Contractor-operated Software Factories: Most large contractor-operated software factories for DoD programs have standardized on either GitLab or GitHub based on their customer requirements, data sensitivity, and operational experience.
Self-Managed vs. SaaS Trade-offs for Government
| Factor | Self-Managed | SaaS |
|---|---|---|
| Government control | Full — your infrastructure | Shared responsibility model |
| Update responsibility | You own upgrades | Platform-managed |
| Classified data support | Yes (on appropriate infrastructure) | No (max unclassified/CUI) |
| Operational overhead | Higher | Lower |
| Disaster recovery | Your responsibility | Platform SLA |
| Cost at scale | Lower (flat license) | Higher (per-seat at scale) |
Programs handling only CUI and below operating in GovCloud can effectively use either platform's SaaS offering. Programs with IL5 (Controlled Classified Information) or classified requirements must use self-managed deployments or purpose-built classified hosting.
Migration Considerations
Switching from GitLab to GitHub or vice versa mid-program is expensive — repositories, pipelines, CI configurations, integrations, and team workflow habits all need updating. Choose the platform that fits your program's long-term trajectory:
- If the program is embedded in a DoD Software Factory (Platform One, Kessel Run), use the factory's platform
- If building from scratch with GovCloud deployment and CUI data, GitLab SaaS (FedRAMP Moderate) or GitHub Enterprise Cloud (FedRAMP High) are both viable
- If the program requires classified capability, plan for self-managed deployment from the start — retrofitting classified capability into a SaaS-first architecture is painful
Rutagon provides DevSecOps infrastructure design and Software Factory implementation services for government programs. Contact us to discuss your source control and pipeline architecture requirements.
Frequently Asked Questions
Is GitLab FedRAMP High authorized?
GitLab SaaS (gitlab.com) is currently FedRAMP Moderate authorized. GitLab Dedicated, a single-tenant offering, has been pursuing FedRAMP High authorization — check the FedRAMP marketplace at marketplace.fedramp.gov for current status. For IL5 requirements today, GitHub Enterprise Cloud (FedRAMP High authorized) or self-managed GitLab on appropriate infrastructure are the primary options.
Can I use GitHub Actions in a government program?
Yes, with restrictions. GitHub Actions are available in GitHub Enterprise Cloud (FedRAMP High) and GitHub Enterprise Server. For government programs, restrict Actions usage to approved, pinned versions — avoid using untrusted community Actions that could introduce supply chain risk. GitHub provides guidance on Actions governance for enterprise use. The DoD and CISA have issued guidance on CI/CD pipeline security that addresses Actions risk management.
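The pinning-and-allow-list policy described in this answer, and in the CI/CD Pipeline Architecture section above, can be enforced mechanically rather than by review alone. The following Python script is an added example, not code from the original page, from GitHub, or from Rutagon. It scans a workflow file's `uses:` references and flags any action that is not pinned to a full 40-character commit SHA or whose owner is outside an allow-list. The sample workflow, the `APPROVED_OWNERS` allow-list, the `some-community/cool-action` reference and the placeholder SHA are all constructed for the illustration.

```python
import re
import sys

# Constructed sample workflow (not from the page); it mixes pinning styles on purpose.
# The 40-hex SHA below is a placeholder, not a real actions/checkout commit.
SAMPLE_WORKFLOW = """\
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - name: Set up Python
        uses: actions/setup-python@v5
      - uses: some-community/cool-action@main
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - run: echo build
"""

# Hypothetical allow-list of action owners a program has vetted; a real program maintains its own.
APPROVED_OWNERS = {"actions"}

# Matches "- uses: ref" and "uses: ref" (the latter follows a "- name:" line); stops at quotes/comments.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def check_reference(ref, approved_owners):
    """Return the list of policy issues for one `uses:` reference (empty list = compliant)."""
    issues = []
    if ref.startswith("./"):
        return issues  # local action inside this repository: governed by the repo's own review
    if ref.startswith("docker://"):
        if "@sha256:" not in ref:
            issues.append("unpinned")  # an image tag is mutable; require a digest
        return issues
    action, _, version = ref.partition("@")
    owner = action.split("/")[0]
    if owner not in approved_owners:
        issues.append("unapproved-owner")
    if not FULL_SHA_RE.match(version):
        issues.append("unpinned")  # tags and branches can be moved; only a full commit SHA is immutable
    return issues


def audit_workflow(text, approved_owners=APPROVED_OWNERS):
    """Scan workflow YAML text; return (line_no, reference, issues) for every `uses:` step found."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            ref = m.group(1)
            findings.append((line_no, ref, check_reference(ref, approved_owners)))
    return findings


def violations(findings):
    """Only the findings that carry at least one policy issue."""
    return [f for f in findings if f[2]]


if __name__ == "__main__":
    # Audit the workflow files given on the command line, or the constructed sample when none are given.
    sources = [(p, open(p).read()) for p in sys.argv[1:]] or [("<sample>", SAMPLE_WORKFLOW)]
    exit_code = 0
    for name, text in sources:
        for line_no, ref, issues in violations(audit_workflow(text)):
            print(f"{name}:{line_no}: {ref}: {', '.join(issues)}")
            exit_code = 1
    sys.exit(exit_code)
```

Run it over `.github/workflows/*.yml` as a pre-merge check or as an early job in the pipeline itself; a non-zero exit code fails the build. The script deliberately treats a version tag such as `@v5` as unpinned even for an approved owner, because a tag can be moved to a different commit after review, whereas a full SHA cannot.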
Which platform does Platform One use?
Platform One, the Air Force/DoD Software Factory, is built primarily around GitLab and the Big Bang Kubernetes deployment framework. Platform One provides a GitLab-based DevSecOps environment available to DoD programs through its Impact Level 4 (IL4) and IL5 access tiers. Contractor programs onboarding to Platform One use GitLab as their SCM and CI/CD platform.
How do I decide between GitLab and GitHub for a new DoD program?
Key decision factors: (1) If the program will use Platform One or a DoD Software Factory, use that factory's platform (typically GitLab). (2) If the program requires FedRAMP High on SaaS, GitHub Enterprise Cloud is currently the clearer option. (3) If the program expects to grow into classified environments, GitLab's self-managed deployment model has a longer history in air-gapped classified contexts. (4) If the team has strong existing expertise on one platform, that is a meaningful operational factor.