GitLab can help you with your SOX compliance
Building SOX Compliant Applications with GitLab
In 2002 the United States Congress passed the Sarbanes-Oxley Act, also known as SOX, to help protect the public from fraudulent practices by corporations. For publicly traded companies, SOX compliance is critical. The software development process of these organizations must be designed, developed, tested, and deployed in ways that adhere to SOX compliance.
GitLab can help you meet SOX IT General Controls (ITGC) compliance requirements by providing a powerful set of features that support best practices in software development from a single platform.
New features are added to GitLab on the 22nd of every month.
Access controls
GitLab provides an access control system that allows you to easily maintain the principle of least privilege, ensuring that your users only have access to what they need to do their job.
| Solution | Tier | Dedicated / SaaS / Self-Managed |
|---|---|---|
| LDAP synchronization | Premium | Self-Managed |
| SAML group sync | Premium | Dedicated, SaaS & Self-Managed |
| SCIM for Self-Managed Instances | Premium | Self-Managed |
| Users with Minimal access | Premium | Dedicated, SaaS & Self-Managed |
| User permissions export | Premium | Self-Managed |
| Account deletion | Premium | Dedicated, SaaS & Self-Managed |
| Group access and permissions | Premium | Dedicated, SaaS & Self-Managed |
| Restrict project and group access by using impersonation | Premium | Dedicated, SaaS & Self-Managed |
| Confidential issues | Premium | Dedicated, SaaS & Self-Managed |
| Protected branches | Premium | Dedicated, SaaS & Self-Managed |
| Auditor users | Premium | Self-Managed |
IT security
GitLab provides many built-in capabilities such as Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Container Scanning, Dependency Scanning, and Vulnerability Reporting.
| Solution | Tier | Dedicated / SaaS / Self-Managed |
|---|---|---|
| Disable signups | Premium | Self-Managed |
| Installation security | Premium | Dedicated, SaaS & Self-Managed |
| Two-factor auth | Premium | SaaS & Self-Managed |
| Verified authors with signed commits | Premium | Dedicated, SaaS & Self-Managed |
| Ensure removed users cannot invite themselves back | Premium | Dedicated, SaaS & Self-Managed |
| Secret detection | Premium | Dedicated, SaaS & Self-Managed |
| Group and project access report | Premium | SaaS & Self-Managed |
| Audit events | Premium | Dedicated, SaaS & Self-Managed |
| Log system | Premium | Self-Managed |
| Incident management | Premium | Dedicated, SaaS & Self-Managed |
| Alerts | Premium | Dedicated, SaaS & Self-Managed |
| Monitor GitLab with Prometheus | Premium | Self-Managed |
| Application security | Ultimate | Dedicated, SaaS & Self-Managed |
| Compliance reports | Ultimate | Dedicated, SaaS & Self-Managed |
| Security dashboard | Ultimate | Dedicated, SaaS & Self-Managed |
| Vulnerability reports | Ultimate | Dedicated, SaaS & Self-Managed |
| Vulnerability pages | Ultimate | Dedicated, SaaS & Self-Managed |
| Vulnerability severity levels | Ultimate | Dedicated, SaaS & Self-Managed |
| Dependency list | Ultimate | Dedicated, SaaS & Self-Managed |
| Credentials inventory | Ultimate | Self-Managed |
Data backup
GitLab provides backup and restore procedures to ensure your data is not lost.
| Solution | Tier | Dedicated / SaaS / Self-Managed |
|---|---|---|
| Backup and restore GitLab | Premium | Self-Managed |
| Encrypted system configuration | Premium | Self-Managed |
| SSL configuration | Premium | Self-Managed |
| PostgreSQL replication and failover | Premium | Self-Managed |
| Audit event streaming | Ultimate | Dedicated, SaaS & Self-Managed |
Change management
GitLab makes it easy to define and enforce policies for all software changes while maintaining a record of what was changed, when it was changed, and who changed it.
| Solution | Tier | Dedicated / SaaS / Self-Managed |
|---|---|---|
| MR approval rules | Premium | Dedicated, SaaS & Self-Managed |
| Push rules | Premium | Dedicated, SaaS & Self-Managed |
| Code owners | Premium | Dedicated, SaaS & Self-Managed |
| Enable delayed project deletion | Premium | Dedicated, SaaS & Self-Managed |
| View description of change history | Premium | Dedicated, SaaS & Self-Managed |
| Security policies | Ultimate | Dedicated, SaaS & Self-Managed |
| MR security approvals | Ultimate | Dedicated, SaaS & Self-Managed |
| Requirements management | Ultimate | Dedicated, SaaS & Self-Managed |
| Status checks | Ultimate | Dedicated, SaaS & Self-Managed |
| License approval policies | Ultimate | Dedicated, SaaS & Self-Managed |
THE INFORMATION PROVIDED ON THIS WEBSITE IS TO BE USED FOR INFORMATIONAL PURPOSES ONLY. THE INFORMATION SHOULD NOT BE RELIED UPON OR CONSTRUED AS LEGAL OR COMPLIANCE ADVICE OR OPINIONS. THE INFORMATION IS NOT COMPREHENSIVE AND WILL NOT GUARANTEE COMPLIANCE WITH ANY REGULATION OR INDUSTRY STANDARD. YOU MUST NOT RELY ON THE INFORMATION FOUND ON THIS WEBSITE AS AN ALTERNATIVE TO SEEKING PROFESSIONAL ADVICE FROM YOUR ATTORNEY AND/OR COMPLIANCE PROFESSIONAL.