The following page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features or functionality remain at the sole discretion of GitLab Inc.
Organization-wide security vulnerability, policy, and compliance management
The Govern stage extends your existing operation's practices to help organizations manage their security vulnerabilities, project dependencies, and compliance policies to reduce overall risk. Govern enables teams to identify risks by providing them with a high degree of visibility into their projects' dependencies, security findings, and user activities. This visibility is then coupled with management tools to respond to those risks. Lastly, policies can be used to automate compliance and to help secure the software supply chain.
The Govern stage provides the capabilities necessary to meet security and compliance requirements for organizations at any scale, from one project to tens of thousands of projects. This includes the ability to manage policies centrally, at scale, and have them apply to projects across the organization.
The Govern Stage is made up of three groups:
The existing team members for the Govern Stage can be found in the links below:
Govern capabilities will be pre-configured with reasonable defaults out-of-the-box whenever possible. When not possible, they will be easy to configure either through code or through a guided UI workflow that is friendly to users without coding knowledge. Regardless of how the capabilities are configured, they will be stored as code for ease of management.
For example, GitLab's security policy editor supports editing policies in both a rule mode and in yaml mode.
Govern capabilities will serve as a connection point for a seamless workflow spanning across the DevOps lifecycle. By enabling collaboration between types of users, Govern can help solidify the advantages GitLab has to offer as a single application. For example, these areas might include the following:
Govern capabilities will ensure that compliance regulations are strictly followed in a way that they cannot be bypassed without the proper approvals. This includes providing the necessary tools to audit, monitor, and manage the compliance controls that are enforced.
Building on those themes, some specific capabilities that we envision developing over the next 3 years include the following:
Compliance
Security Policies
Threat Insights
In addition to these areas specific to our individual groups, we also plan to expand our use of ML and AI across all of the Govern features.
Over the next 12 months, the Govern stage is focused on addressing critical needs for security and compliance teams. Some of the key initiatives include the following:
Although we will likely address many of these areas in the future (as described above in our 3 year strategy), we are not planning to make progress on the following initiatives in the next 12 months:
This area is currently being re-evaluated
The following metrics are used to evaluate the success of the Govern stage:
Note: We do not yet have a single metric to track the success of the Govern stage as a whole. This is being tracked in this issue.
GitLab identifies who our DevSecOps application is built for utilizing the following categorization. We list our view of who we will support when in priority order.
To capitalize on the opportunities listed above, the Govern Stage has features that make it useful to the following personas today.
As we execute our 3 year strategy, our medium term (1-2 year) goal is to provide a single DevSecOps application that enables SecOps to work collaboratively with DevOps and development to mitigate vulnerabilities in production environments.
Govern is focused on providing governance and compliance features that span across the DevOps lifecycle. Governβs tiering strategy aligns with the GitLab approach of selecting the tier based on who cares most about the feature. Because Executives generally care most about governance features, it is expected that most Govern features will land in the Ultimate tier.
This tier is the primary way to increase broad adoption of the Govern stage, as well as encouraging community contributions and improving security across the entire GitLab user base.
As a general rule of thumb, features will fall in the Free tier when they meet one or more of the following criteria:
This tier is not a significant part of Govern's pricing strategy; however, a few features features that primarily appeal to Directors rather than Executives may fall into the Premium tier. One example of this is our audit event functionality that is available in this tier.
This tier is the primary focus for the Govern stage as most Govern features enable executives to ensure that their organization meets compliance requirements and maintains an acceptable security posture.
As a general rule of thumb, features will fall in the Ultimate tier when they meet one or more of the following criteria:
There are a few product categories that are critical for success here; each one is intended to represent what you might find as an entire product out in the market. We want our single application to solve the important problems solved by other tools in this space - if you see an opportunity where we can deliver a specific solution that would be enough for you to switch over to GitLab, please reach out to the PM for this stage and let us know.
Each of these categories has a designated level of maturity; you can read more about our category maturity model to help you decide which categories you want to start using and when.
Track important events for review and compliance such as who performed certain actions and the time they happened. This category is at the "viable" level of maturity.
Priority: high β’ Documentation β’ Direction
Provide customers with the tools and features necessary to manage their compliance programs. This category is at the "viable" level of maturity.
Priority: high β’ Documentation β’ Direction
Unified security policy management capabilities across all of GitLab's scanners and security technologies. Apply policies to enforce scans and to require security approvals when vulnerabilities are found. This category is at the "minimal" level of maturity.
Priority: medium β’ Documentation β’ Direction
View, triage, trend, track, and resolve vulnerabilities detected in your applications. This category is at the "viable" level of maturity.
Priority: high β’ Documentation β’ Direction
Track dependencies detected in your applications. This category is at the "viable" level of maturity.
Priority: high β’ Documentation β’ Direction
Track dependencies detected in your applications. This category is at the "viable" level of maturity.
Priority: high β’ Documentation β’ Direction
Govern has several features that help teams provide necessary governance for their organizations.
GitLab's security policies page provides the flexibility of managing policies directly in code or in a streamlined UI editor. As part of the long-term vision for the policy management experience, users will be able to view a complete history of all changes and easily revert to a previous version. A two-step approval process can optionally be enforced for all policy changes. Eventually the policy management UI will be extended to provide visibility into the performance overhead of each policy. Suggestions into policy adjustments that might help either reduce false positives or increase overall security coverage will be provided in this section as well.
Security approvals define when and how security teams get involved in the development workflow. The vision for this area is to provide a highly granular level of approval definition functionality at the project, group, and workspace levels. These capabilities will be tightly integrated with the Security Policy editor to allow for separation of duties for security teams.
Security Dashboards, available at the group and project level, are the primary tool for Security Teams and Directors of Security. They can use those dashboards to access the current security status of their applications and to start a remediation process from there.
The dashboard also provides data and charts to summarize how the team is performing against their goals to maintain proper levels of security risk.
There are a number of other issues that we've identified as being interesting that we are potentially thinking about, but do not currently have planned by setting a milestone for delivery. Some are good ideas we want to do, but don't yet know when; some we may never get around to, some may be replaced by another idea, and some are just waiting for that right spark of inspiration to turn them into something special.
Remember that at GitLab, everyone can contribute! This is one of our fundamental values and something we truly believe in, so if you have feedback on any of these items you're more than welcome to jump into the discussion. Our vision and product are truly something we build together!
Last Reviewed: 2023-03-30
Last Updated: 2023-03-30
