Security @ gitlab-org/gitlab

Directory Structure
Entrypoints
API
CLI
UI
Schemas
Build
Test
Security
Bookmarks

.github
- ISSUE_TEMPLATE.md
- PULL_REQUEST_TEMPLATE.md
.gitlab
- agents
- ci
- issue_templates
- merge_request_templates
- CODEOWNERS
- changelog_config.yml
- route-map.yml
- sast-ruleset.toml
- secret-detection-ruleset.toml
.lefthook
- pre-push
- gitleaks.sh
.rubocop_todo
- capybara
- cop
- database
- factory_bot
- fips
- gemspec
- gettext
- gitlab
- gitlab_security
- graphql
- internal_affairs
- layout
- lint
- metrics
- migration
- naming
- performance
- rails
- rake
- rspec
- search
- security
- sidekiq_load_balancing
- style
.vscode
- extensions.json
app
- assets
- channels
- components
- controllers
- enums
- events
- experiments
- finders
- graphql
- helpers
- mailers
- models
- policies
- presenters
- serializers
- services
- uploaders
- validators
- views
- workers
bin
- audit-event-type
- background_jobs
- bundle
- check
- daemon_with_pidfile
- diagnostic-reports-uploader
- feature-flag
- gitlab-backup-cli
- mail_room
- metrics-server
- parallel-rsync-repos
- pngquant
- profile-url
- rails
- rake
- rspec
- rspec-stackprof
- rubocop-profile
- saas-feature.rb
- secpick
- setup
- sidekiq-cluster
- spring
- update
- vite
- web
- with_env
- yarn
builds
- .gitkeep
changelogs
- README.md
- archive-10-ee.md
- archive-10.md
- archive-11-ee.md
- archive-11.md
- archive-12-ee.md
- archive-12.md
- archive-13-ee.md
- archive-13.md
- archive-14.md
- archive-15.md
- archive-ee.md
- archive.md
config
- application_setting_columns
- audit_events
- environments
- events
- feature_flags
- helpers
- initializers
- initializers_before_autoloader
- knative
- locales
- metrics
- plugins
- prometheus
- routes
- security
- vue3migration
- README.md
- apollo.config.js
- application.rb
- boot.rb
- bounded_contexts.yml
- bullet.yml
- bundler_setup.rb
- cable.yml.example
- click_house.yml.example
- coverband.rb
- database.yml.decomposed-postgresql
- database.yml.postgresql
- dependency_decisions.yml
- environment.rb
- feature_categories.yml
- gitlab.yml.example
- gitlab_loose_foreign_keys.yml
- gitleaks.toml
- known_invalid_graphql_queries.yml
- license_finder.yml
- mail_room.yml
- object_store_settings.rb
- open_api.yml
- puma.example.development.rb
- puma.rb.example
- redis.yml.example
- resque.yml.example
- routes.rb
- secrets.yml.example
- session_store.yml.example
- settings.rb
- sidekiq.yml.example
- sidekiq_queues.yml
- smime_signature_settings.rb
- spring.rb
- storage.yml
- tailwind.config.js
- upgrade_path.yml
- vite.json
- vite.rb
- weak_password_digests.yml
- webpack.config.js
- webpack.constants.js
- webpack.helpers.js
- webpack.vendor.config.js
danger
- ai_logging
- analytics_instrumentation
- architecture
- bulk_database_actions
- ce_ee_vue_templates
- change_column_default
- ci_config
- ci_tables
- ci_templates
- clickhouse
- config_files
- cookie_setting
- customer_success
- database
- datateam
- documentation
- duplicate_yarn_dependencies
- eslint
- experiments
- feature_flag
- gitaly
- gitlab_schema_validation
- ignored_model_columns
- master_pipeline_status
- model_validations
- multiversion
- pipeline
- pipeline_config
- plugins
- qa_selector
- roulette
- rubocop
- rubygems
- saas_feature
- settings_sections
- sidekiq_args
- sidekiq_queues
- specialization_labels
- specs
- stable_branch_patch
- todos
- utility_css
- vue_shared_documentation
- Dangerfile-bundle_size
data
- deprecations
- whats_new
db
- click_house
- database_connections
- docs
- fixtures
- gitlab_schemas
- migrate
- post_migrate
- schema_migrations
- ci_structure.sql
- init_structure.sql
- integer_ids_not_yet_initialized_to_bigint.yml
- main_clusterwide.sql
- sec_structure.sql
- seeds.rb
- structure.sql
doc
- .markdownlint
- .vale
- administration
- api
- architecture
- ci
- cloud_seed
- development
- downgrade_ee_to_ce
- drawers
- editor_extensions
- gitlab-basics
- install
- integration
- legal
- operations
- policy
- raketasks
- security
- solutions
- subscriptions
- topics
- tutorials
- update
- user
- devsecops.md
- index.md
ee
- app
- bin
- config
- db
- elastic
- fixtures
- lib
- locale
- spec
- LICENSE
file_hooks
- examples
- .gitignore
fixtures
- emojis
- lib
gems
- activerecord-gitlab
- click_house-client
- config
- csv_builder
- error_tracking_open_api
- gitlab-backup-cli
- gitlab-database-load_balancing
- gitlab-database-lock_retries
- gitlab-housekeeper
- gitlab-http
- gitlab-rspec
- gitlab-rspec_flaky
- gitlab-safe_request_store
- gitlab-schema-validation
- gitlab-secret_detection
- gitlab-utils
- ipynbdiff
- openbao_client
- README.md
- gem-pg.gitlab-ci.yml
- gem.gitlab-ci.yml
generator_templates
- active_record
- post_deployment_migration
- usage_metric_definition
haml_lint
- linter
keeps
- helpers
- delete_obsolete_advanced_search_migrations.rb
- delete_old_feature_flags.rb
- generate_rubocop_todos.rb
- mark_old_advanced_search_migrations_as_obsolete.rb
- overdue_finalize_background_migration.rb
- quarantine_flaky_tests.rb
- remove_duplicated_indexes.rb
lib
- api
- assets
- atlassian
- audit_events
- authn
- aws
- backup
- banzai
- bitbucket
- bitbucket_server
- bulk_imports
- ci
- click_house
- cloud_connector
- constraints
- container_registry
- error_tracking
- extracts_ref
- feature
- gem_extensions
- generators
- gitaly
- gitlab
- gitlab_settings
- google_api
- grafana
- import
- json_web_token
- kramdown
- mattermost
- microsoft_teams
- namespaces
- object_storage
- omni_auth
- pager_duty
- parameter_filters
- peek
- prometheus
- quality
- release_highlights
- rouge
- safe_zip
- sbom
- search
- security
- serializers
- service_ping
- sidebars
- slack
- spam
- support
- system_check
- tasks
- unnested_in_filters
- users
- vs_code
- web_ide
- backup.rb
- banzai.rb
- carrier_wave_string_file.rb
- declarative_enum.rb
- event_filter.rb
- expand_variables.rb
- extracts_path.rb
- feature.rb
- file_size_validator.rb
- forever.rb
- gitlab.rb
- gitlab_edition.rb
- gitlab_settings.rb
- initializer_connections.rb
- mattermost.rb
- slack_markdown_sanitizer.rb
- static_model.rb
- system_check.rb
- uploaded_file.rb
- version_check.rb
- vite_gdk.rb
locale
- am_ET
- ar_SA
- as_IN
- az_AZ
- ba_RU
- be_BY
- bg
- bn_BD
- bn_IN
- br_FR
- bs_BA
- ca_ES
- cs_CZ
- cy_GB
- da_DK
- de
- el_GR
- en_GB
- eo
- es
- et_EE
- eu_ES
- fa_IR
- fi_FI
- fil_PH
- fr
- ga_IE
- gl_ES
- he_IL
- hi_IN
- hr_HR
- hu_HU
- hy_AM
- id_ID
- ig_NG
- is_IS
- it
- ja
- ka_GE
- kab
- ko
- ku_TR
- ky_KG
- lt_LT
- mk_MK
- ml_IN
- mn_MN
- ms_MY
- nb_NO
- ne_NP
- nl_NL
- or_IN
- pa_IN
- pa_PK
- pl_PL
- pt_BR
- pt_PT
- ro_RO
- ru
- si_LK
- sk_SK
- sl_SI
- sq_AL
- sr_CS
- sr_SP
- sv_SE
- sw_KE
- ta_IN
- th_TH
- ti_ER
- tr_TR
- uk
- ur_PK
- uz_UZ
- vi_VN
- zh_CN
- zh_HK
- zh_TW
- gitlab.pot
- unfound_translations.rb
log
- .gitkeep
metrics_server
- dependencies.rb
- metrics_server.rb
- override_gitlab_current_settings.rb
- override_rails_constants.rb
- settings_overrides.rb
patches
- @gitlab+web-ide+0.0.1-dev-20240909013227.patch
- @rails+ujs+7.0.8-4.patch
- @vue+compat+3.2.47.patch
- @vue+compiler-core+3.2.47.dev.patch
- @vue+compiler-sfc+3.2.47.patch
- @vue+test-utils-vue3+2.3.1.patch
- @vue+vue3-jest+29.2.3.patch
- eslint-plugin-local-rules+3.0.2.patch
- jest-mock+29.7.0.dev.patch
- leaflet+1.9.4.patch
- vue++@vue+compiler-sfc+2.7.16.patch
- vue-apollo+3.0.7.patch
- vue-loader-vue3+17.4.2.patch
public
- -
- 404.html
- 422.html
- 500.html
- 502.html
- 503.html
- apple-touch-icon.png
- deploy.html
- robots.txt
- slash-command-logo.png
qa
- .devcontainer
- allure
- bin
- gdk
- gems
- knapsack
- perf
- qa
- spec
- tasks
- tls_certificates
- tmp
- .gitignore
- .rspec
- .rspec_internal
- .solargraph.yml.example
- Dockerfile
- Gemfile
- Gemfile.lock
- README.md
- Rakefile
- qa.rb
rubocop
- cop
- formatter
- check_graceful_task.rb
- code_reuse_helpers.rb
- cop_todo.rb
- feature_categories.rb
- migration_helpers.rb
- node_pattern_helper.rb
- qa_helpers.rb
- routes_under_scope.rb
- rubocop-code_reuse.yml
- rubocop-documentation.yml
- rubocop-migrations.yml
- rubocop-usage-data.yml
- rubocop.rb
- todo_dir.rb
- usage_data_helpers.rb
scripts
- api
- cells
- custom_models
- data_seeder
- database
- decomposition
- duo_chat
- feature_flags
- flaky_examples
- frontend
- internal_events
- lib
- lint
- packages
- partitioning
- perf
- pipeline
- qa
- release_environment
- remote_development
- review_apps
- setup
- allowed_warnings.txt
- build_assets_image
- build_gdk_image
- build_qa_image
- bundle_size_review
- check-template-changes
- create_postgres_user.sh
- db_tasks
- docs_screenshots.rb
- download-downstream-artifact.rb
- dump_graphql_schema
- elastic-migration
- failed_tests.rb
- gemfile_lock_changed.sh
- generate-e2e-pipeline
- generate-failed-test-on-omnibus-mr-message.rb
- generate-memory-metrics-on-boot
- generate-message-to-run-e2e-pipeline.rb
- generate-test-mapping
- generate_rspec_pipeline.rb
- gitaly-test-build
- gitaly-test-spawn
- gitlab_component_helpers.sh
- ingest-reports-to-siem
- ingest-reports-to-siem-devo
- insert-rspec-profiling-data
- license-check.sh
- lint-conflicts.sh
- lint-doc.sh
- lint-docs-blueprints.rb
- lint-docs-link-check.sh
- lint-docs-metadata.sh
- lint-docs-redirects.rb
- lint-json
- lint-vendored-gems.sh
- lint-yaml.sh
- lint_templates_bash.rb
- merge-auto-explain-logs
- merge-reports
- merge-simplecov
- migration_schema_validator.rb
- no-dir-check
- pack-test-mapping
- pipeline_test_report_builder.rb
- post_deployment_migrations_validator
- prepare_build.sh
- rails-update-bisect
- refresh-migrations-timestamps
- regenerate-schema
- rspec_bisect_flaky
- rspec_check_order_dependence
- rspec_helpers.sh
- rubocop-parse
- run-fast-specs.sh
- schema_changed.sh
- security-harness
- semgrep_result_processor.rb
- setup-test-env
- slack
- static-analysis
- sync-stable-branch.sh
- trigger-build.rb
- undercoverage
- unpack-test-mapping
- update-feature-categories
- update-topology-service-gem.sh
- utils.sh
- validate-monorepo-gem
- validate_migration_schema
- validate_migration_timestamps
- validate_name_collisions_between_migrations
- validate_schema_changes
- vendor_template
- verify-tff-mapping
shared
- artifacts
- ci_secure_files
- lfs-objects
- packages
- pages
- registry
- terraform_state
- .gitignore
- .gitkeep
sidekiq_cluster
- cli.rb
- sidekiq_cluster.rb
spec
- benchmarks
- bin
- channels
- commands
- components
- config
- contracts
- controllers
- db
- dependencies
- docs_screenshots
- dot_gitlab_ci
- experiments
- factories
- features
- finders
- fixtures
- frontend
- frontend_integration
- graphql
- haml_lint
- helpers
- initializers
- keeps
- lib
- mailers
- metrics_server
- migrations
- models
- policies
- presenters
- rack_servers
- requests
- routing
- rubocop
- scripts
- serializers
- services
- sidekiq
- sidekiq_cluster
- spam
- support
- support_specs
- tasks
- tooling
- uploaders
- validators
- views
- workers
- crystalball_env.rb
- deprecation_toolkit_env.rb
- deprecation_warnings.rb
- fast_spec_helper.rb
- knapsack_env.rb
- rails_autoload.rb
- rake_helper.rb
- rubocop_spec_helper.rb
- simplecov_env.rb
- simplecov_env_core.rb
- spec_helper.rb
storybook
- config
- helpers
- .env.template
- .gitignore
- fixture_stub.js
- package.json
- yarn.lock
tmp
- feature_flags
- pids
- prometheus_multiproc_dir
- sockets
- .gitignore
tooling
- audit_events
- bin
- config
- custom_roles
- danger
- docs
- eslint-config
- graphql
- lib
- quality
- stylelint
- README.md
- merge_request.rb
- merge_request_rspec_failure_rake_task.rb
vendor
- Dockerfile
- assets
- cert_manager
- crossplane
- elastic_stack
- gems
- gitignore
- ingress
- jupyter
- project_templates
- prometheus
- runner
- sample_data_templates
- languages.yml
- spdx.json
workhorse
- _support
- changelogs
- cmd
- internal
- testdata
- .gitignore
- .golangci.yml
- .tool-versions
- Makefile
- README.md
- VERSION
- config.toml.example
- go.mod
- go.sum
.browserslistrc
.codeclimate.yml
.dockerignore
.editorconfig
.git-blame-ignore-revs
.gitattributes
.gitignore
.gitlab-ci.yml
.gitleaksignore
.gitpod.yml
.graphqlrc
.haml-lint.yml
.index.yml.example
.license_encryption_key.pub
.mailmap
.markdownlint-cli2.yaml
.nvmrc
.prettierignore
.prettierrc
.projections.json.example
.rubocop.yml
.rubocop_revert_ignores.txt
.rubocop_todo.yml
.ruby-version
.solargraph.yml.example
.stylelintrc
.test_license_encryption_key.pub
.tool-versions
.vale.ini
.yamllint
AI_GATEWAY_VERSION
CHANGELOG-EE.md
CHANGELOG.md
CONTRIBUTING.md
DEI.md
DUO_WORKFLOW_EXECUTOR_VERSION
Dangerfile
Dockerfile.assets
GITALY_SERVER_VERSION
GITLAB_ELASTICSEARCH_INDEXER_VERSION
GITLAB_KAS_VERSION
GITLAB_OPENBAO_VERSION
GITLAB_PAGES_VERSION
GITLAB_SHELL_VERSION
GITLAB_WORKHORSE_VERSION
Gemfile
Gemfile.checksum
Gemfile.lock
Gemfile.next
Gemfile.next.checksum
Gemfile.next.lock
Guardfile
INSTALLATION_TYPE
LICENSE
MAINTENANCE.md
PHILOSOPHY.md
PROCESS.md
Pipfile
Pipfile.lock
README.md
Rakefile
VERSION
axe-linter.yml
babel.config.js
config.ru
crowdin.yml
docker-compose.yml
eslint.config.mjs
jest.config.base.js
jest.config.contract.js
jest.config.eslint.js
jest.config.integration.js
jest.config.js
jest.config.scripts.js
jest.config.snapshots.js
jest_resolver.js
lefthook.yml
package.json
postcss.config.js
tests.yml
vite.config.js
yarn.lock

Security

GitLab prioritizes security and follows industry best practices to protect user data and ensure a secure platform. This outline details GitLab’s security approach, including:

Secure Development Practices

Code Review: All code changes undergo rigorous peer review before merging into the main branch.
- Source: https://docs.gitlab.com/ee/user/gitlab_com/security/code_reviews.html
Static Analysis: GitLab utilizes static analysis tools to identify potential vulnerabilities in code before deployment.
- Source: https://docs.gitlab.com/ee/user/gitlab_com/security/static_analysis_security_testing.html
Dynamic Analysis: Dynamic analysis is used to test applications in a runtime environment, uncovering vulnerabilities that static analysis might miss.
- Source: https://docs.gitlab.com/ee/user/gitlab_com/security/dynamic_analysis_security_testing.html

Data Security

Encryption at Rest: Sensitive data, such as passwords and private keys, are encrypted at rest using strong encryption algorithms.
- Source: https://docs.gitlab.com/ee/user/gitlab_com/security/data_security.html
Encryption in Transit: Data transmitted between GitLab and users is secured using TLS/SSL encryption.
- Source: https://docs.gitlab.com/ee/user/gitlab_com/security/data_security.html
Data Retention: GitLab adheres to industry best practices for data retention, regularly reviewing and deleting unnecessary data.
- Source: https://docs.gitlab.com/ee/user/gitlab_com/security/data_retention.html

Vulnerability Management

Vulnerability Disclosure Program: GitLab encourages responsible disclosure of vulnerabilities through a dedicated program, ensuring prompt investigation and remediation.
- Source: https://about.gitlab.com/handbook/security/security-policy/
Security Updates: Regular security updates are released to address identified vulnerabilities and enhance the platform’s security posture.
- Source: https://docs.gitlab.com/ee/user/gitlab_com/security/security_releases.html
Security Audits: GitLab undergoes regular security audits by independent third parties to validate its security controls and identify potential weaknesses.
- Source: https://about.gitlab.com/handbook/security/security-audits/

Access Control and Authentication

Two-Factor Authentication (2FA): GitLab strongly recommends enabling 2FA for enhanced account security.
- Source: https://docs.gitlab.com/ee/user/profile/two_factor_authentication.html
Role-Based Access Control (RBAC): Access to GitLab resources is controlled based on user roles, minimizing potential security risks.
- Source: https://docs.gitlab.com/ee/user/admin_area/permissions/index.html
Single Sign-On (SSO): GitLab supports SSO integration, enabling users to authenticate with existing enterprise identity providers.
- Source: https://docs.gitlab.com/ee/user/admin_area/authentication/saml.html

Security Best Practices for Developers

Secure Coding Practices: GitLab encourages developers to adhere to secure coding practices to minimize vulnerabilities.
- Source: https://docs.gitlab.com/ee/user/gitlab_com/security/secure_coding_practices.html
Security Testing: Developers are encouraged to perform security testing throughout the development lifecycle to identify and address vulnerabilities early.
- Source: https://docs.gitlab.com/ee/user/gitlab_com/security/security_testing.html

Reporting Security Issues

Security Bug Bounty Program: GitLab offers a bug bounty program for responsible security researchers to report vulnerabilities and earn rewards.
- Source: https://about.gitlab.com/handbook/security/bug-bounty/

Security Resources

Security Documentation: Comprehensive security documentation is available for users and developers, covering various security aspects of GitLab.
- Source: https://docs.gitlab.com/ee/user/gitlab_com/security/
Security Blog: The GitLab Security blog provides updates on security vulnerabilities, best practices, and industry news.
- Source: https://about.gitlab.com/blog/categories/security/
Security Team: The GitLab Security team is dedicated to protecting the platform and its users, actively responding to security incidents and vulnerabilities.
- Source: https://about.gitlab.com/handbook/security/

Security

Secure Development Practices

Data Security

Vulnerability Management

Access Control and Authentication

Security Best Practices for Developers

Reporting Security Issues

Security Resources

Explanation

Graph

Symbols

We couldn't identify any entrypoints. If you believe this to be incorrect then please contact support.