The following page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features or functionality remain at the sole discretion of GitLab Inc.
| Stage | Software Supply Chain Security |
|---|---|
| Maturity | Minimal |
| Content Last Updated | 2024-04-22 |
NOTE: Please watch this video explaining the mission & vision of the Compliance group.
Compliance is a group in the Software Supply Chain Security stage. This page describes the high-level goals and direction for our group. Check out the Software Supply Chain Security section page to see what the rest of our stage is working on and how we fit in, and our individual category pages for fine-grained details.
NOTE: Please visit this link
Our vision in the next 10 years is to deliver on not just being a DevSecOps platform but to be an AllOps platform - which means being a single application for all R&D. To do this, we will invest in developing best-in-class features in areas such as security and compliance.
NOTE: Please visit this link to read more about our fiscal year guiding principles.
To help achieve the company vision, the company is focused on increasing the value of GitLab Ultimate by improving security and compliance functionality.
NOTE: Please visit this link to read more about the vision and goals of the Software Supply Chain Security stage.
In line with the company vision and guiding principles, the Software Supply Chain Security stage provides the capabilities necessary to meet security and compliance requirements for organizations at any scale, from one project to tens of thousands of projects. These capabilities will not only ensure that compliance regulations are strictly followed in a way that they cannot be bypassed without the proper approvals, but will also serve as a connection point for a seamless workflow spanning across the DevSecOps lifecycle. It does this by, for example, centralizing security and compliance controls across GitLab, including merge request approvals, anomalous user activity, and anomalous pipeline/job activity.
Increase the value of GitLab Ultimate by giving compliance managers best-in-class features within GitLab to achieve compliance visibility of checks, violations and audit events throughout the entire DevSecOps lifecycle.
Term | Definition |
---|---|
Visibility | To provide compliance managers a simple, quick and efficient way to view, find and organize compliance issues that surface via checks, violations or policies |
Checks | To help compliance managers easily identify if settings are properly enforced for a standard requirement (e.g. for SOC2, are we enforcing multiple users on each MR?) |
Violations | To provide compliance managers with evidence of adherence to the checks (e.g. a violation event is created if an MR is merged without multiple approvers) |
Audit events | To help compliance managers identify and capture the most important user-driven events within GitLab, making that data easily available (via APIs, webhooks, and exportable reports), and providing a reasonable duration of storage for the data that follows compliance requirements (7 years) |
At GitLab, we view the visibility of compliance under 3 prongs:
The combination of all 3 prongs will give compliance users a way to understand their compliance posture, to generate reports for auditors, as well as to create their own tooling and automation based on their events.
For example, let us say there is a requirement that every MR must be approved by two users, and the approvers must not be the author or committer of the MR:
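As an added illustration of how such a requirement becomes a check that produces violation events (this is example code written for this page, not GitLab's own implementation; the check name, the merge-request field names and the sample merge requests are all constructed assumptions), the following evaluates the rule "two approvals, none of them from the author or a committer" over a batch of merged MRs:

```python
# Added example, not GitLab's own code: a check that evaluates the rule above
# ("two approvers, none of whom authored or committed to the MR") against
# merge-request records and emits violation events for the ones that fail.
from dataclasses import dataclass, asdict
from typing import FrozenSet, List

CHECK_ID = "mr_two_eligible_approvers"   # hypothetical check name, an assumption
REQUIRED_APPROVALS = 2


@dataclass(frozen=True)
class MergeRequest:
    """Minimal MR record; the field names are assumptions, not GitLab's API."""
    project: str
    iid: int
    author: str
    committers: FrozenSet[str]
    approvers: FrozenSet[str]


@dataclass(frozen=True)
class Violation:
    """Violation event recorded when a merged MR fails the check."""
    project: str
    mr_iid: int
    check: str
    reason: str


def evaluate(mr: MergeRequest) -> List[Violation]:
    """Apply the check to one MR and return every violation found (empty if compliant)."""
    violations: List[Violation] = []
    # Anyone who wrote the code cannot count toward approving it.
    disqualified = {mr.author} | mr.committers
    self_approvals = sorted(mr.approvers & disqualified)
    if self_approvals:
        violations.append(Violation(mr.project, mr.iid, CHECK_ID,
                          f"approval by author/committer: {', '.join(self_approvals)}"))
    # Only approvals from people outside the disqualified set count toward the quota.
    eligible = mr.approvers - disqualified
    if len(eligible) < REQUIRED_APPROVALS:
        violations.append(Violation(mr.project, mr.iid, CHECK_ID,
                          f"{len(eligible)} eligible approval(s), {REQUIRED_APPROVALS} required"))
    return violations


def run_check(merged_mrs: List[MergeRequest]) -> List[dict]:
    """Evaluate every merged MR; return violation events as dicts ready for export."""
    return [asdict(v) for mr in merged_mrs for v in evaluate(mr)]


# Constructed sample data (not real merge requests).
SAMPLE_MRS = [
    # Compliant: two approvers, neither wrote the code.
    MergeRequest("acme/payments", 101, "alice", frozenset({"alice"}), frozenset({"bob", "carol"})),
    # Author approved their own MR, leaving only one eligible approval.
    MergeRequest("acme/payments", 102, "alice", frozenset({"alice"}), frozenset({"alice", "bob"})),
    # A committer approved, leaving only one eligible approval.
    MergeRequest("acme/payments", 103, "dave", frozenset({"dave", "erin"}), frozenset({"erin", "frank"})),
]

if __name__ == "__main__":
    for event in run_check(SAMPLE_MRS):
        print(event)
```

The two conditions are reported separately so that a report can distinguish "an ineligible person approved" from "not enough eligible approvals", which is what an auditor will want to see; the events are plain dicts so they can be exported or pushed to a webhook without further conversion.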
Customers deal with many different challenges in compliance beyond GitLab. Governance, risk and compliance (GRC) describes the broader compliance space. There are many GRC tools that already exist today to help organizations understand risk and meet compliance requirements broadly across the organization. This includes multiple functional areas such as physical security; availability of services; and operations and people management.
Our opportunity is to focus on the areas where compliance and risk management meet the DevSecOps lifecycle. Many of our customers depend on the software applications they build and maintain, e.g. financial applications, healthcare software, telecommunications systems and government services. Disruption to their production apps, or vulnerabilities introduced in the process of building them, poses a great risk to their businesses. We want to empower customers and build confidence in GitLab as the only DevSecOps tool that truly addresses compliance. This strengthens our position in the market and solves real customer pain points.
To achieve our group mission, we will be focusing on the following ways to help our customers achieve compliance in the DevSecOps lifecycle:
Cameron, the Compliance Manager, is one of the key personas we focus on. Cameron has many different jobs, such as those listed above, and we want to ensure they can do them effectively and that we make those jobs easier.
We know that Compliance affects an entire organization when policies and business requirements are added. While they are not our primary personas, we consider how our capabilities impact others, such as Sasha, Delaney and Devon. Our goal is to ensure those other personas are minimally impacted and can do their jobs while still remaining compliant with the organization's policies. Reducing the friction between the compliance needs of a business and teams' need to get work done will be a key way GitLab can add value for our users.
The problems and use cases we focus on can be quite large, so it helps to break them down into smaller pieces. As a result we focus on discovering the most minimal viable change possible that still solves a particular problem by trying "boring solutions" first.
Please view our tactical priorities here.
The Compliance group does not undertake any initiative or solve any customer problems that relate to the enforcement of compliance across the DevSecOps lifecycle. For example, in terms of enforcement, policies help us manage controls globally, maintain separation of duties and serve as a technical mechanism for taking a requirement from a compliance objective and turning it into a control in GitLab to influence particular behaviour. Policies fall under the scope of the Security Policies group in GitLab.