Mar 11, 2020 - Chris Ward

Make tracking agreements simple with our new Compliance Dashboard

New in GitLab 12.8, this dashboard helps to simplify the complex process of compliance tracking, right inside GitLab.

Many companies are required to meet compliance frameworks or standards set by business or government bodies such as regulators. These include SOC 2, HIPAA, Sarbanes-Oxley, and GDPR. Pretty much all of them have requirements such as the ability to manage who has access to which resources, a separation of duties, and a strong password policy. Saying that you manage them is not enough: you have to be able to prove that these processes are in place. GitLab's compliance features help self-hosted instance administrators enforce common compliance requirements, and help admins gather the reports and artefacts they need to prove they are meeting these standards.

New in GitLab 12.8, the Compliance Dashboard sits on top of many GitLab features and allows you to see which settings relate to which policy, and the evidence artefacts you need.

For this first iteration, the dashboard shows an aggregate view of approved merge requests in projects across your group, or across multiple groups. For each merge request, you can see the title, who approved it, when they approved it, and the project it's part of. Clicking the merge request takes you to the full details in our standard merge request view. For other stakeholders involved in something like compliance audits, we have ways to visualize and export the data they need.

For example, suppose you are an administrator responsible for compliance and you know that a project is not supposed to have any code deployments. On the dashboard you see a merge request that resulted in a code deployment, and you can look into the audit trail to see what happened.

Currently, the view looks similar to our existing project merge requests overview but abstracts it one or more levels up to group level(s), which is especially useful for those managing a lot of projects.

Compliance dashboard view

Future iterations on the Compliance Dashboard

We're planning on adding more features to the dashboard, including:

We will also add an overview of compliance policies, and which ones your team is not currently meeting. For example, if your vulnerability management policy says that you scan every 90 days and it's been 91 days since the last scan, but a merge request is still approved, we inform you of that policy violation. For development-focused teams who are new to compliance, these notifications will help prompt them to items that need attention and action.
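To make the kind of policy evaluation described above concrete, here is an added example (illustrative code, not GitLab's own implementation) that runs two checks over a constructed list of approved merge requests shaped like the dashboard's records: the 90-day scan-freshness rule from this paragraph, and the separation-of-duties requirement mentioned earlier in the post (a change must not be approved by its own author). The per-project "last vulnerability scan" dates and all merge request records are made-up sample data.

```python
"""Policy checks over an exported list of approved merge requests.

Added illustration, not GitLab code. The records are constructed to look
like what the Compliance Dashboard displays (project, title, approver,
approval time) plus a hypothetical per-project "last vulnerability scan" date.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Policy: a vulnerability scan must have run within the last 90 days
# at the moment a merge request is approved.
SCAN_MAX_AGE = timedelta(days=90)


@dataclass(frozen=True)
class MergeRequest:
    project: str
    title: str
    author: str
    approved_by: str
    approved_at: datetime


@dataclass(frozen=True)
class Violation:
    project: str
    title: str
    policy: str
    detail: str


def check_scan_freshness(mr: MergeRequest, last_scan: Optional[datetime]) -> Optional[Violation]:
    """Flag an approval made while the project's last scan was older than SCAN_MAX_AGE."""
    if last_scan is None:
        return Violation(mr.project, mr.title, "scan-freshness",
                         "no vulnerability scan on record")
    age = mr.approved_at - last_scan
    if age > SCAN_MAX_AGE:
        return Violation(mr.project, mr.title, "scan-freshness",
                         f"last scan was {age.days} days before approval "
                         f"(limit {SCAN_MAX_AGE.days})")
    return None


def check_separation_of_duties(mr: MergeRequest) -> Optional[Violation]:
    """Flag a merge request that was approved by its own author."""
    if mr.author == mr.approved_by:
        return Violation(mr.project, mr.title, "separation-of-duties",
                         f"{mr.approved_by} approved their own change")
    return None


def evaluate(merge_requests: List[MergeRequest],
             last_scans: Dict[str, datetime]) -> List[Violation]:
    """Run every policy check over each approved MR and return the violations found."""
    violations: List[Violation] = []
    for mr in merge_requests:
        for v in (check_scan_freshness(mr, last_scans.get(mr.project)),
                  check_separation_of_duties(mr)):
            if v is not None:
                violations.append(v)
    return violations


# Constructed sample input (not real projects or people).
UTC = timezone.utc
SAMPLE_MRS = [
    MergeRequest("payments/api", "Rotate signing key", "alice", "bob",
                 datetime(2020, 3, 9, tzinfo=UTC)),
    MergeRequest("web/frontend", "Bump dependencies", "carol", "carol",
                 datetime(2020, 3, 10, tzinfo=UTC)),
    MergeRequest("docs/site", "Fix typo", "dave", "erin",
                 datetime(2020, 3, 10, tzinfo=UTC)),
    MergeRequest("web/frontend", "Add login form", "dave", "carol",
                 datetime(2020, 3, 10, tzinfo=UTC)),
]
SAMPLE_SCANS = {
    "payments/api": datetime(2019, 12, 9, tzinfo=UTC),  # 91 days before approval
    "web/frontend": datetime(2020, 3, 1, tzinfo=UTC),
    # docs/site has never been scanned
}

if __name__ == "__main__":
    for v in evaluate(SAMPLE_MRS, SAMPLE_SCANS):
        print(f"{v.project}: '{v.title}' violates {v.policy}: {v.detail}")
```

Run against the sample data, this reports three violations: the `payments/api` approval made 91 days after its last scan, the `web/frontend` change approved by its own author, and the `docs/site` approval in a project with no scan on record; the fourth merge request passes both checks. Each `Violation` carries the project and title so it can be traced back to the audit trail the dashboard links to.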

Projects hosted on GitLab are often an essential part of a business and their processes, and customers entrust us with their production environments and data. But Git repositories and code projects present a potentially easy way for internal and external parties to introduce intentional or unintentional vulnerabilities and security risks.

Another party could insert malicious code into your production environment that introduces further vulnerabilities for you and your customers. With the Compliance Dashboard's current features, you can see from a merge request who added what, and when, and remove the code responsible quickly. Future iterations will detect potentially malicious code automatically and, depending on your policy, prevent it from being merged or alert you.

Another party could take secrets for your production environment and share them outside of the company. Or, more fundamentally, someone could invite that party to a GitLab instance in the first place, leading to multiple other issues. Future iterations will show you who invited whom to your projects, and what level of access they have.

The product manager behind the feature, Matt Gonzales, worked at a handful of smaller startups before joining GitLab. In those roles he juggled multiple responsibilities, including legal and regulatory issues. To begin with, Matt had to handle compliance with the U.S.-EU Safe Harbor Framework, which evolved into the EU-US Privacy Shield, which then became a supplement to the General Data Protection Regulation (GDPR). Add to that PCI-DSS if you handle payments, CASL (the Canadian Anti-Spam Legislation), CCPA for California, and myriad other regional and global policies, and a team can quickly become inundated with administrative tasks and requests for data. Matt knows how hard it is to manage these extra tasks on top of the main work, and hopes that the new features and dashboard help lessen that burden.

About the guest author

Chris is a freelance technical communicator for numerous developer-focused companies. He enjoys creating text, videos, courses, and interactive learning experiences, and in his spare time he writes games and interactive fiction.
