Many companies are required by business or government bodies such as regulators to meet compliance frameworks or standards, for example SOC 2, HIPAA, Sarbanes-Oxley, and GDPR. Pretty much all of them have requirements such as the ability to manage who has access to which resources, separation of duties, and a strong password policy. Saying that you manage these things is not enough; you have to be able to prove that the processes are in place. GitLab's compliance features help self-managed instance administrators enforce common compliance requirements, and help admins gather the reports and artifacts they need to prove they are meeting these standards.
New in GitLab 12.8, the Compliance Dashboard sits on top of many GitLab features and allows you to see which settings relate to which policy, and the evidence artifacts you need.
For this first iteration, the dashboard shows an aggregate view of approved merge requests in projects across your group, or across multiple groups. For each merge request, you can see the title, who approved it, when they approved it, and the project it's part of. Clicking the merge request takes you to the full details in our standard merge request view. For other stakeholders involved in something like compliance audits, we have ways to visualize and export the data they need.
For example, suppose you are an administrator responsible for compliance and you know that a particular project is not supposed to have any code deployments. On the dashboard you see a merge request in that project that resulted in a code deployment, and you can follow the audit trail to see what happened.
Currently, the view looks similar to our existing project-level merge requests overview, but lifts it one or more levels up to the group level(s), which is especially useful for those managing a lot of projects.
Future iterations on the Compliance Dashboard
We're planning on adding more features to the dashboard, including:
- Merge request approval settings
- Security scanning data with each deploy
- Specific test results with each deploy
- The results of pipelines
We will also add an overview of compliance policies and which ones your team is not currently meeting. For example, if your vulnerability management policy says that you scan every 90 days, it has been 91 days since the last scan, and a merge request is still approved, we inform you of that policy violation. For more development-focused teams who are new to compliance, these notifications will point them to the items that need attention and action.
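As an added illustration of the scan-age rule described above (example code written for this post, not GitLab's code and not how the dashboard itself is implemented), the check below runs over constructed merge request approval records of the kind the dashboard aggregates, and also covers the case a real check has to handle: a project that has never been scanned at all.

```python
from dataclasses import dataclass
from datetime import date, datetime
from typing import Optional

# Constructed sample data: approved merge requests across several projects
# in a group (project, title, approver, approval time), as the dashboard shows.
APPROVED_MRS = [
    {"project": "payments/api", "title": "Rotate card tokeniser keys",
     "approved_by": "alice", "approved_at": "2020-02-20T10:15:00Z"},
    {"project": "payments/api", "title": "Bump dependency pins",
     "approved_by": "bob", "approved_at": "2020-03-01T09:00:00Z"},
    {"project": "web/frontend", "title": "Fix login redirect",
     "approved_by": "carol", "approved_at": "2020-03-01T16:45:00Z"},
    {"project": "infra/terraform", "title": "Add staging VPC",
     "approved_by": "dave", "approved_at": "2020-03-03T08:30:00Z"},
]

# Constructed: date of the last completed vulnerability scan per project.
# A project missing from this map has never been scanned.
LAST_SCAN = {
    "payments/api": "2019-12-01",
    "web/frontend": "2020-02-25",
}


@dataclass(frozen=True)
class Violation:
    project: str
    title: str
    approved_by: str
    days_since_scan: Optional[int]  # None when the project was never scanned


def find_policy_violations(approved_mrs, last_scan, max_scan_age_days=90):
    """Flag merge requests that were approved while the project's most recent
    scan was older than the policy allows, or while no scan existed at all."""
    violations = []
    for mr in approved_mrs:
        # Approval timestamps are ISO 8601 with a trailing Z; compare by date.
        approved = datetime.fromisoformat(
            mr["approved_at"].replace("Z", "+00:00")).date()
        scanned = last_scan.get(mr["project"])
        if scanned is None:
            violations.append(Violation(mr["project"], mr["title"],
                                        mr["approved_by"], None))
            continue
        age = (approved - date.fromisoformat(scanned)).days
        if age > max_scan_age_days:
            violations.append(Violation(mr["project"], mr["title"],
                                        mr["approved_by"], age))
    return violations
```

With the sample data, the second payments/api approval lands 91 days after that project's last scan and is flagged, while infra/terraform is flagged because it has no scan on record.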
Projects hosted on GitLab are often an essential part of a business and its processes, and customers entrust us with their production environments and data. But Git repositories and code projects present a potentially easy way for internal and external parties to introduce intentional or unintentional vulnerabilities and security risks.
Another party could insert malicious code into your production environment that introduces further vulnerabilities for you and your customers. With the Compliance Dashboard's current features, you can see from a merge request who added what, and when, and remove the responsible code quickly. Future iterations will detect potentially malicious code automatically and, depending on your policy, either prevent it from being merged or alert you.
Another party could take secrets for your production environment and share them outside the company. Or, more fundamentally, someone could have invited them to the GitLab instance in the first place, which leads to multiple other issues. Future iterations will show you who invited whom to your projects, and what level of access they have.
The product manager behind the feature, Matt Gonzales, worked at a handful of smaller startups before joining GitLab. In those roles he juggled multiple responsibilities, including legal and regulatory issues. To begin with, Matt had to handle compliance with the U.S.-EU Safe Harbor Framework, which evolved into the EU-US Privacy Shield, which then became a supplement to the General Data Protection Regulation (GDPR). Add PCI-DSS if you handle payments, CASL (the Canadian Anti-Spam Legislation), CCPA for California, and myriad other regional and global policies, and a team can quickly become inundated with administrative tasks and requests for data. Matt knows how hard it is to manage these extra tasks alongside a team's main work, and hopes that the new features and dashboard help lessen that burden.
About the guest author
Chris is a freelance technical communicator for numerous developer-focused companies. He is happy creating text, videos, courses, and interactive learning experiences, and in his spare time he writes games and interactive fiction.