The following page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features or functionality remain at the sole discretion of GitLab Inc.
In early 2021, we witnessed free SaaS continuous integration platforms across the industry being seriously compromised by cryptocurrency mining attacks. GitLab was no exception to this industry-wide experience, and we instrumented a few practices to mitigate abuse on GitLab.com, which impacts the experience of free and trial users.
Going forward, we needed a more proactive approach for monitoring, detecting, evaluating, preventing, and reacting to pipeline abuse. Traditionally, a product category belongs to a single product group with one engineering team; because pipeline abuse cuts across groups, we funded a cross-cutting Abuse group and created this Instance Resiliency category as part of our Anti-Abuse stage.
Pipeline Abuse Prevention is focused on the proactive mitigation of CI abuse to ensure acceptable tolerances of business impact and human cost are not exceeded.
Many issues are intentionally confidential despite our value of transparency. This is because we don't want to make the exact details of our controls obvious to abusers. We aren't relying on "security by obscurity"; however, we also don't want to make it easier for the abusers.
For specific information related to spam and abuse reduction initiatives, check out Trust and Safety.
We rely on several teams to make this program successful:
| DRI | EM | Trust & Safety | AppSec | Fulfillment PM | Engineering |
|---|---|---|---|---|---|
| Jensen Stava | Jay Swain | Charl de Wit | Nick Malcolm | Justin Farris | Stan Hu |
- Anti-Abuse - Anything related to preventing abuse
- Fulfillment - Anything related to the collection and validation of credit cards/debit cards
- Verify - Anything related to triggering credit card/debit card validation
There are four areas of focus for Pipeline Abuse Prevention:

| Area of focus | Dashboards |
|---|---|
| Credit/Debit Card Validation for Free and Trial Users to block bad actors | Kibana Dashboard, Dashboard |
| Pipeline Validation Service, which has rules that catch certain coding behaviors to stop bad actors before pipelines are run | Dashboard |
| Quota of compute units enforcement and limits across various levels of GitLab.com | Dashboard |
| Cost controls across two dimensions: human cost and infrastructure cost | CI Runner Costs, Blocking Dashboard |
We have a few items planned for follow-up enhancements to the rapid action efforts and credit card validation work via this confidential issue. We are exploring the usability of the credit card validation experience for legitimate users via this confidential epic.
We also are thinking about ways to make the validation more inclusive for legitimate users who don't have access to or don't want to provide a credit/debit card in this confidential issue.
Currently, the team is in open dialogue on ownership of PVS.
We are also looking at instrumenting methods of abuse control, including abuse tracking controls, via this confidential issue.
As of 13.12, we have instrumented enforcement of limits in private projects: pipelines now fail when the quota of compute units is exceeded.
Up next, we are iterating toward enforcement across public projects by introducing limits to new public projects, while also taking into account how this impacts our Open Source projects in gitlab#330888.
This effort will then be expanded to all free, public users via gitlab#254231, where we hope to instrument counting of units of compute as well via gitlab#254231.
We have two issues to establish cost control mechanisms:
Cryptomining is impacting free CI providers industry-wide. GitHub has added several features to help combat bad actors in the wake of this shake up including:
We would like to implement more methods for abuse control like those discussed in this confidential issue. The AI Assisted Group is planning an MVC to apply models to detect CI abuse.
Last Reviewed: 2023-02-01
Last Updated: 2023-02-01