GitLab’s Security & Compliance Features
GitLab offers built-in security and compliance features that help teams manage and maintain their codebase securely. This document surveys the main options and gives a short example of each, pointing to the official GitLab documentation as the source of the information.
Compliance Management
GitLab’s compliance management includes policy management, automatic compliance workflows, and audit management.
- Policy management: Define the rules a project must follow to meet a compliance framework.
- Automatic compliance workflows: Help team members comply with standards.
- Audit management: Log activities to document incidents and adherence to established policies.
Security Management
Security management with GitLab enables automatic scanning of code for quality and security with every commit. Developers can remediate vulnerabilities while working in code or create an issue with a single click.
Access Controls
GitLab simplifies auditing and compliance with granular access controls and reporting. Protecting project creation/deletion and limiting visibility into projects, groups, and snippets are possible with GitLab’s advanced access control features.
Secret Detection and Dependency Scanning
Enable Secret Detection and Dependency Scanning to identify any leaked secrets and vulnerable packages in your codebase.
Example of enabling Secret Detection and Dependency Scanning in .gitlab-ci.yml:

include:
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml

Both templates add their jobs to the test stage, so a pipeline that declares its own stages: list must keep a test stage for the scanners to run.
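The templates above write their findings to report artifacts (gl-secret-detection-report.json and gl-dependency-scanning-report.json) in the GitLab security report format, a JSON document with a top-level "vulnerabilities" list whose entries carry "severity", "category", "name" and "location". A team that wants the pipeline to fail on serious findings, rather than only show them in the merge request, can run a small gate over those files in a later stage. The script below is an added example written for this page, not GitLab's own code; the report embedded in it is constructed to match that schema, the CVE identifier is a placeholder, and the "High" threshold is this example's choice.

```python
"""Severity gate over GitLab security report artifacts (added example).

Assumes the report files follow the GitLab security report schema: a
top-level "vulnerabilities" list whose entries carry "severity", "name",
"category" and "location". The file names default to the ones the
Secret-Detection and Dependency-Scanning templates produce.
"""
import json
import sys
from pathlib import Path

# Severity ranking as used in GitLab reports, lowest to highest.
SEVERITY_RANK = {"Info": 0, "Unknown": 1, "Low": 2, "Medium": 3, "High": 4, "Critical": 5}

# Constructed sample report in the shape of gl-secret-detection-report.json
# (the CVE value is a placeholder, not a real identifier).
SAMPLE_REPORT = {
    "version": "15.0.0",
    "vulnerabilities": [
        {
            "id": "example-1",
            "category": "secret_detection",
            "name": "AWS access key",
            "severity": "Critical",
            "location": {"file": "config/settings.py", "start_line": 12},
            "identifiers": [{"type": "gitleaks_rule_id", "name": "AWS", "value": "AWS"}],
        },
        {
            "id": "example-2",
            "category": "dependency_scanning",
            "name": "Prototype pollution in lodash",
            "severity": "High",
            "location": {"file": "package-lock.json",
                         "dependency": {"package": {"name": "lodash"}, "version": "4.17.15"}},
            "identifiers": [{"type": "cve", "name": "CVE-PLACEHOLDER", "value": "CVE-PLACEHOLDER"}],
        },
        {
            "id": "example-3",
            "category": "dependency_scanning",
            "name": "Minor issue",
            "severity": "Low",
            "location": {"file": "package-lock.json"},
            "identifiers": [],
        },
    ],
}


def findings_at_or_above(report: dict, threshold: str) -> list:
    """Return the vulnerabilities whose severity is at or above the threshold."""
    floor = SEVERITY_RANK[threshold]
    return [
        v for v in report.get("vulnerabilities", [])
        if SEVERITY_RANK.get(v.get("severity", "Unknown"), 1) >= floor
    ]


def describe(v: dict) -> str:
    """One-line summary of a finding for the job log."""
    loc = v.get("location", {})
    where = loc.get("file", "?")
    if "start_line" in loc:
        where += f":{loc['start_line']}"
    return f"[{v.get('severity')}] {v.get('category')}: {v.get('name')} ({where})"


def gate(report_paths, threshold: str = "High") -> int:
    """Read each report; return 1 (fail the job) if any finding reaches the threshold.

    A missing report is treated as a failure too: it usually means the scanner
    job did not run, and a gate that passes on absence can be bypassed.
    """
    blocking = []
    for path in report_paths:
        p = Path(path)
        if not p.is_file():
            print(f"missing report: {path}", file=sys.stderr)
            return 1
        blocking.extend(findings_at_or_above(json.loads(p.read_text()), threshold))
    for v in blocking:
        print(describe(v))
    return 1 if blocking else 0


if __name__ == "__main__":
    default_reports = ["gl-secret-detection-report.json", "gl-dependency-scanning-report.json"]
    sys.exit(gate(sys.argv[1:] or default_reports))
```

Run it from a job in a stage after test, with needs: pointing at the scanner jobs so their artifacts are available; the non-zero exit status fails the job and blocks the merge until the findings are resolved or dismissed.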
Audit Events and Audit Reports
Audit events let administrators review changes made on the GitLab instance, group or project through the audit events system. Audit reports are built from the audit events that have occurred.

Audit events are recorded by GitLab itself; they are not produced or enabled by a CI job, and GitLab CI has no audit command and no audit report type under artifacts:reports. The job below is therefore only a sketch of the idea of collecting an audit report as a pipeline artifact. In practice the events are read in the Admin Area, in the group or project Audit Events page, or through the Audit Events API.

Sketch of an audit job in .gitlab-ci.yml:

audit_pipeline:
  stage: audit
  script:
    - audit --report          # placeholder: not a command GitLab provides
  artifacts:
    reports:
      audit: audit.json       # placeholder: not a supported report type; a plain file would go under artifacts:paths
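A working way to turn audit events into a report is to pull them from the Audit Events API and apply a few watch rules, for example on a schedule. The script below is an added example for this page, not GitLab's own code. It assumes the documented API endpoints (GET /api/v4/audit_events for the instance, /api/v4/groups/:id/audit_events for a group), a token that is allowed to read audit events, and the documented top-level event fields (entity_type, entity_id, details, created_at). The keys inside details differ per event type, so the constructed sample events and the two rules that key on them are assumptions to adapt to what your instance emits.

```python
"""Fetch GitLab audit events and flag the ones worth a second look (added example).

Assumes the Audit Events API and a token permitted to read audit events.
The sample events below are constructed in the documented response shape;
the keys used inside "details" (change/from/to for a visibility change,
add/as for a membership grant) are assumptions that vary by event type.
"""
import json
import urllib.parse
import urllib.request

# Constructed sample events, shaped like the API response.
SAMPLE_EVENTS = [
    {
        "id": 1, "author_id": 7, "entity_id": 42, "entity_type": "Project",
        "details": {
            "change": "visibility", "from": "private", "to": "public",
            "author_name": "alice", "target_type": "Project",
            "target_details": "acme/payments", "ip_address": "203.0.113.5",
            "entity_path": "acme/payments",
        },
        "created_at": "2024-01-10T09:12:00.000Z",
    },
    {
        "id": 2, "author_id": 7, "entity_id": 42, "entity_type": "Project",
        "details": {
            "add": "user_access", "as": "Owner",
            "author_name": "alice", "target_type": "User",
            "target_details": "contractor-1", "ip_address": "203.0.113.5",
            "entity_path": "acme/payments",
        },
        "created_at": "2024-01-10T09:15:00.000Z",
    },
    {
        "id": 3, "author_id": 9, "entity_id": 42, "entity_type": "Project",
        "details": {
            "add": "user_access", "as": "Developer",
            "author_name": "bob", "target_type": "User",
            "target_details": "new-hire", "ip_address": "198.51.100.9",
            "entity_path": "acme/payments",
        },
        "created_at": "2024-01-10T10:00:00.000Z",
    },
    {
        "id": 4, "author_id": 9, "entity_id": 42, "entity_type": "Project",
        "details": {
            "remove": "user_access",
            "author_name": "bob", "target_type": "User",
            "target_details": "contractor-1", "ip_address": "198.51.100.9",
            "entity_path": "acme/payments",
        },
        "created_at": "2024-01-11T08:00:00.000Z",
    },
]

# Roles whose grant should always be reviewed (this example's choice).
HIGH_ACCESS = {"Owner", "Maintainer"}


def fetch_audit_events(base_url: str, token: str, created_after: str, group_id=None) -> list:
    """GET one page (up to 100) of audit events created after an ISO-8601 timestamp.

    Instance-wide by default, or for one group when group_id is given.
    For more than 100 events, follow the X-Next-Page response header.
    """
    path = f"/api/v4/groups/{group_id}/audit_events" if group_id else "/api/v4/audit_events"
    query = urllib.parse.urlencode({"created_after": created_after, "per_page": 100})
    req = urllib.request.Request(f"{base_url.rstrip('/')}{path}?{query}",
                                 headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def flag_risky_events(events: list) -> list:
    """Return (event_id, reason) pairs for events matching the watch rules."""
    findings = []
    for e in events:
        d = e.get("details", {})
        who = d.get("author_name", "?")
        where = d.get("entity_path", e.get("entity_id"))
        # Rule 1: a project or group became public.
        if d.get("change") == "visibility" and str(d.get("to", "")).lower() == "public":
            findings.append((e["id"], f"{where} made public by {who}"))
        # Rule 2: a high-privilege role was granted.
        if d.get("add") == "user_access" and d.get("as") in HIGH_ACCESS:
            findings.append((e["id"], f"{who} granted {d['as']} to {d.get('target_details')} on {where}"))
    return findings


if __name__ == "__main__":
    for event_id, reason in flag_risky_events(SAMPLE_EVENTS):
        print(f"event {event_id}: {reason}")
```

Writing the flagged list to a file and declaring it under artifacts:paths gives the report-as-artifact that the sketch above was reaching for, without relying on a report type GitLab does not have.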
Compliance Center
The Compliance Center provides quick visibility into the compliance posture of your organization.
Compliance Tools
GitLab offers various compliance tools, including License approval policies, the License list, and License scanning of CycloneDX files.

Example of enabling License scanning in .gitlab-ci.yml:

include:
  - template: Security/License-Scanning.gitlab-ci.yml

Note that in current GitLab releases license information comes from the CycloneDX SBOM that Dependency Scanning produces, so the Dependency-Scanning template is what drives license scanning of CycloneDX files; the standalone License-Scanning template belongs to the older analyzer and has been removed from recent releases.
Hardening GitLab
To harden your GitLab instance and minimize the risk of unwanted user account creation, consider access control features like Sign up restrictions and Authentication options.
Example of disabling open sign-up on an Omnibus install (this is an instance-wide setting in /etc/gitlab/gitlab.rb, not an RBAC rule; run gitlab-ctl reconfigure after changing it):

gitlab_rails['gitlab_signup_enabled'] = false

The same control is exposed in the Admin Area under Sign-up restrictions, where it can also be combined with an allowed e-mail domain list and with enforced two-factor authentication.
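Instance settings drift, so it is worth checking them rather than assuming the hardening survived the last upgrade or admin session. The script below is an added example for this page, not GitLab's own code. It reads the settings through the Application settings API (GET and PUT /api/v4/application/settings, which require an administrator token); the attribute names it checks (signup_enabled, require_two_factor_authentication, two_factor_grace_period, default_project_visibility) are documented settings, while the baseline values are this example's choice and the embedded settings document is constructed.

```python
"""Check GitLab application settings against a sign-up/authentication baseline (added example).

Assumes the Application settings API (GET/PUT /api/v4/application/settings)
and an administrator token. Attribute names are documented settings; the
expected values form an example baseline, not a GitLab default.
"""
import json
import urllib.parse
import urllib.request

# Baseline: attribute, value to apply when out of policy, predicate for "in policy", reason.
BASELINE = [
    {"attr": "signup_enabled", "desired": False,
     "ok": lambda v: v is False,
     "why": "open sign-up lets anyone create an account"},
    {"attr": "require_two_factor_authentication", "desired": True,
     "ok": lambda v: v is True,
     "why": "two-factor authentication is not enforced"},
    {"attr": "two_factor_grace_period", "desired": 48,
     "ok": lambda v: isinstance(v, int) and 0 <= v <= 48,
     "why": "2FA grace period longer than 48 hours"},
    {"attr": "default_project_visibility", "desired": "private",
     "ok": lambda v: v == "private",
     "why": "new projects are not private by default"},
]

# Constructed sample of a GET /application/settings response (fields trimmed).
SAMPLE_SETTINGS = {
    "signup_enabled": True,
    "require_two_factor_authentication": False,
    "two_factor_grace_period": 48,
    "default_project_visibility": "internal",
}


def check_hardening(settings: dict) -> list:
    """Return one finding string per baseline item the settings violate."""
    findings = []
    for item in BASELINE:
        value = settings.get(item["attr"])
        if not item["ok"](value):
            findings.append(f"{item['attr']}={value!r}: {item['why']}")
    return findings


def remediation(settings: dict) -> dict:
    """Return the attribute changes that would bring the settings into policy."""
    return {item["attr"]: item["desired"]
            for item in BASELINE if not item["ok"](settings.get(item["attr"]))}


def fetch_settings(base_url: str, token: str) -> dict:
    """GET the current application settings."""
    req = urllib.request.Request(f"{base_url.rstrip('/')}/api/v4/application/settings",
                                 headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def apply_settings(base_url: str, token: str, changes: dict) -> dict:
    """PUT the given changes as a form-encoded body; returns the updated settings."""
    # Booleans go on the wire as "true"/"false".
    body = {k: (str(v).lower() if isinstance(v, bool) else v) for k, v in changes.items()}
    req = urllib.request.Request(f"{base_url.rstrip('/')}/api/v4/application/settings",
                                 data=urllib.parse.urlencode(body).encode(),
                                 method="PUT", headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for finding in check_hardening(SAMPLE_SETTINGS):
        print(finding)
    print("changes to apply:", remediation(SAMPLE_SETTINGS))
```

Running check_hardening on a schedule and alerting on a non-empty result catches a re-enabled sign-up form or a relaxed 2FA policy the day it happens; apply_settings is there for a deliberate, reviewed remediation, not for an unattended loop.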
These are just a few examples of GitLab’s built-in security and compliance features. For more information, consult the official GitLab documentation.