GitLab Security

Authentication and Authorization

GitLab separates two questions for every request: who the caller is (authentication) and what that identity may do to a given group or project (authorization). Both apply to the web UI, the REST and GraphQL APIs, and Git over HTTPS and SSH.

  • Authentication: Users sign in with a username or email and password, through external identity providers (LDAP, SAML, and OAuth providers wired in via OmniAuth), or with personal access tokens for the API and Git over HTTPS. Two-factor authentication (TOTP or WebAuthn) is a second factor on top of a password login, not an alternative to it, and can be made mandatory for a group.
  • Authorization: Permissions are role-based. A user holds a role (Guest, Reporter, Developer, Maintainer or Owner) on a group or project; group roles are inherited by subgroups and their projects, and the effective permission on a project is decided by the highest role the user holds on it or on any ancestor group.

Code Example:

    # app/models/user.rb
    class User < ActiveRecord::Base
      # ...
      # Each symbol enables a Devise module: :database_authenticatable hashes the
      # password with bcrypt, :confirmable requires email verification before the
      # first login, :lockable locks the account after repeated failed attempts,
      # :timeoutable expires idle sessions and :omniauthable wires in external
      # OAuth providers.
      devise :database_authenticatable, :registerable,
             :recoverable, :rememberable, :trackable, :validatable,
             :omniauthable, :confirmable, :lockable, :timeoutable
    end

    # app/models/project.rb
    class Project < ActiveRecord::Base
      # ...
      # A membership row links a user to a project with an access level (role).
      # The through-association needs the direct association declared first.
      has_many :project_members
      has_many :users, through: :project_members
    end

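The following is an added example, not GitLab's own code, showing how the role model described above resolves an effective permission: the numeric access levels are the ones GitLab documents for its roles, while the group tree, memberships and the action-to-role table are constructed for this example. GitLab itself expresses these rules in its DeclarativePolicy framework, which this toy does not reproduce.

```ruby
# Added example (not GitLab's code): GitLab-style role-based access resolution.
# Access-level numbers match GitLab's documented roles; fixtures are constructed.

module Access
  NO_ACCESS  = 0
  GUEST      = 10
  REPORTER   = 20
  DEVELOPER  = 30
  MAINTAINER = 40
  OWNER      = 50
end

# Minimum role for each action (constructed for this example; the real
# permission table is longer and has per-feature exceptions).
REQUIRED_ROLE = {
  read_project:      Access::GUEST,
  read_code:         Access::REPORTER,   # on private projects
  push_code:         Access::DEVELOPER,
  push_to_protected: Access::MAINTAINER,
  remove_project:    Access::OWNER,
}.freeze

Group   = Struct.new(:name, :parent, :members)  # members: { user => level }
Project = Struct.new(:name, :group, :members)

# Effective access is the highest level the user holds on the project itself
# or on any ancestor group: group membership is inherited downwards.
def max_access_level(user, project)
  levels = [project.members.fetch(user, Access::NO_ACCESS)]
  group = project.group
  while group
    levels << group.members.fetch(user, Access::NO_ACCESS)
    group = group.parent
  end
  levels.max
end

def can?(user, action, project)
  required = REQUIRED_ROLE.fetch(action) { raise ArgumentError, "unknown action #{action}" }
  max_access_level(user, project) >= required
end

# Constructed fixture: a top-level group, a subgroup, and a project in it.
TOP  = Group.new("acme", nil, { "alice" => Access::OWNER, "bob" => Access::REPORTER })
SUB  = Group.new("acme/platform", TOP, { "carol" => Access::DEVELOPER })
REPO = Project.new("acme/platform/api", SUB, { "bob" => Access::MAINTAINER })

if __FILE__ == $PROGRAM_NAME
  %w[alice bob carol dave].each do |u|
    puts "#{u}: level=#{max_access_level(u, REPO)} " \
         "push=#{can?(u, :push_code, REPO)} remove=#{can?(u, :remove_project, REPO)}"
  end
end
```

The point a reviewer of a permission model should take from this: bob is a Reporter at the group but a Maintainer on the project, and the project grant wins, so a user's listed group role is not a reliable upper bound on what they can do to an individual project. In GitLab an inherited role can be raised on a project but never lowered, so the maximum is the right aggregate.
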
Vulnerability Scanning

GitLab runs its security scanners as CI/CD jobs. Each scanner is enabled by including a template in .gitlab-ci.yml, produces a JSON report artifact (for example gl-sast-report.json), and its findings are shown on the merge request and in the project's vulnerability report.

  • Static Application Security Testing (SAST): Analyzes source code for vulnerability patterns (injection sinks, hard-coded credentials, weak cryptography) without executing the application. Findings are pattern-based, so they need triage for false positives.
  • Dynamic Application Security Testing (DAST): Sends requests to a running deployment of the application (typically a review app) to find issues only visible at runtime, such as missing security headers or injectable parameters.
  • Container Scanning: Inspects a built container image and matches installed operating-system packages against vulnerability databases to report known CVEs.

Code Example:

    # app/controllers/projects/security_controller.rb
    class Projects::SecurityController < Projects::ApplicationController
      # ...
      def show
        # ...
        # Report types are keyed by scanner (:sast, :dast). find_vulnerabilities
        # is an illustrative project-level helper; its implementation is not shown.
        @sast_vulnerabilities = @project.find_vulnerabilities(:sast)
        @dast_vulnerabilities = @project.find_vulnerabilities(:dast)
      end
    end

Data Protection

GitLab implements measures to protect sensitive data, such as user information, code, and project settings.

  • Encryption: Data in transit is protected by TLS (HTTPS) and SSH for Git. At rest, reversible secrets such as two-factor seeds and tokens are stored encrypted in the database, while passwords are stored only as bcrypt hashes, which cannot be reversed.
  • Data Retention: Build output such as job artifacts and logs expires according to configurable policies (for example an artifact's expire_in), and deleted projects and groups can be held for a configurable period before they are purged.
  • Data Masking: CI/CD variables marked as masked are replaced with [MASKED] in job logs, and parameters such as passwords and tokens are filtered from application logs, so a secret that is read is not also written somewhere less protected.

Code Example:

    # app/models/user.rb
    class User < ActiveRecord::Base
      # ...
      # Passwords are never stored encrypted: Devise's :database_authenticatable
      # hashes them with bcrypt into encrypted_password (a hash, despite the name).
      # Reversible secrets such as API tokens are encrypted at rest instead.
      # `encrypts` is Rails 7 ActiveRecord Encryption; GitLab's own models use the
      # attr_encrypted gem for the same purpose.
      encrypts :private_token
    end

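The three protections named above (hashing, encryption at rest, masking in logs) are easy to conflate, so here is an added example, not GitLab's or Devise's code, that keeps them distinct in plain Ruby. Devise uses bcrypt for passwords; PBKDF2 from the Ruby standard library stands in here so the example runs without gems. Tokens are encrypted with AES-256-GCM so tampering is detected on decryption. The key, password and token values are constructed for this example.

```ruby
# Added example (not GitLab's or Devise's code): password hashing vs. token
# encryption vs. log masking. All key and secret values below are constructed.
require 'openssl'
require 'securerandom'

PBKDF2_ITERATIONS = 600_000  # OWASP (2023) guidance for PBKDF2-HMAC-SHA256

def b64(bytes)  = [bytes].pack('m0')
def unb64(text) = text.unpack1('m0')

# Constant-time comparison so a wrong guess does not leak how many bytes matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# --- Passwords: one-way, salted, deliberately slow. Never "encrypt" a password. ---
def hash_password(password, salt: SecureRandom.random_bytes(16))
  digest = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, PBKDF2_ITERATIONS, 32,
                                      OpenSSL::Digest.new('SHA256'))
  "pbkdf2-sha256$#{PBKDF2_ITERATIONS}$#{b64(salt)}$#{b64(digest)}"
end

def verify_password(password, stored)
  _, iters, salt_b64, digest_b64 = stored.split('$')
  expected = unb64(digest_b64)
  actual = OpenSSL::PKCS5.pbkdf2_hmac(password, unb64(salt_b64), iters.to_i,
                                      expected.bytesize, OpenSSL::Digest.new('SHA256'))
  secure_equal?(actual, expected)
end

# --- Tokens: reversible, authenticated encryption, fresh nonce per record. ---
def encrypt_token(plaintext, key)
  cipher = OpenSSL::Cipher.new('aes-256-gcm')
  cipher.encrypt
  cipher.key = key
  iv = cipher.random_iv                       # 12-byte nonce, unique per ciphertext
  ciphertext = cipher.update(plaintext) + cipher.final
  [iv, ciphertext, cipher.auth_tag].map { |b| b64(b) }.join('.')
end

def decrypt_token(blob, key)
  iv, ciphertext, tag = blob.split('.').map { |b| unb64(b) }
  cipher = OpenSSL::Cipher.new('aes-256-gcm')
  cipher.decrypt
  cipher.key = key
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.update(ciphertext) + cipher.final    # raises CipherError if tag/ciphertext tampered
end

# --- Logging: keep a short prefix for correlation, mask everything else. ---
def mask_secret(secret, keep: 4)
  return '[MASKED]' if secret.nil? || secret.length <= keep
  secret[0, keep] + '*' * (secret.length - keep)
end

if __FILE__ == $PROGRAM_NAME
  key   = SecureRandom.random_bytes(32)       # constructed; in practice from a KMS or credentials store
  token = "glpat-#{SecureRandom.hex(8)}"
  blob  = encrypt_token(token, key)
  puts "stored token:  #{blob}"
  puts "decrypted:     #{decrypt_token(blob, key)}"
  puts "logged as:     #{mask_secret(token)}"
  stored = hash_password("correct horse battery staple")
  puts "password row:  #{stored}"
  puts "verify ok?     #{verify_password('correct horse battery staple', stored)}"
end
```

The design choice to notice is that the password path has no decrypt function at all; if a model needs to recover a secret later (a token GitLab must present to a third party, for instance) it belongs in the encrypt path, and if it only ever needs to be checked, it belongs in the hash path.
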
Security Audit and Compliance

GitLab subjects its platform to regular independent security review and maps its controls to industry frameworks. Audits and certifications reduce risk but do not guarantee the absence of vulnerabilities.

  • Penetration Testing: GitLab commissions regular penetration tests from independent security firms and also runs a public bug bounty program on HackerOne for externally reported vulnerabilities.
  • Compliance: GitLab attests to industry standards such as SOC 2 and ISO/IEC 27001 and documents how it meets regulations such as GDPR. These attestations cover GitLab's hosted service; on a self-managed instance the operator is responsible for the equivalent controls.
