Many projects depend on packages that may come from unknown or unverified providers, introducing potential security vulnerabilities. GitLab already provides dependency scanning across a variety of languages to alert users of any known security vulnerabilities. But we currently do not allow organizations to prevent those vulnerabilities from being downloaded to begin with.
The goal of this category will be to leverage the dependency proxy, which proxies and caches dependencies, to give more control and visibility to security and compliance teams. We will do this by allowing users to create and maintain an approved/banned list of dependencies, providing more insight into the usage and impact of external dependencies and by ensuring the GitLab Security Dashboard is the single source of truth for all security related issues.
By preventing the introduction of security vulnerabilities further upstream, organizations can let their development teams work faster and more efficiently.
Interested in joining the conversation for this category? Please join us in our public epic where we discuss this topic and can answer any questions you may have. Your contributions are more than welcome.
This is a new category that is still in the planning stage. Many of the features we are planning in this category are dependent on the dependency proxy reaching the viable maturity level However, we can take some preliminary steps, such as gitlab-ee#13754 which will introduce
npm audit to the NPM Registry.
gitlab-ee#13761 will introduce the concept of approved/banned lists for external dependencies.
This category is currently at the "Planned" maturity level, and our next maturity target is Minimal (see our definitions of maturity levels). Key deliverables to achieve this are:
JFrog utilizes a combination of their Bintray and XRay products, to proxy, cache and screen dependencies. They also provide dependency graphs across multiple languages and centralized dashboards for the review and remediation of vulnerabilities. It is a mature product, that is generally well received by users.
GitHub's new package registry does a really nice job of creating visibility into the dependency graph for a given package, but they do not give users the ability to control which packages are used in a given group/project.
This is a new category and does not yet have any customer success or sales issues.
The top user issue is gitlab-ce#55374 which aims to capture and make use of the various meta data associated with images and packages.
This is a new category and has not yet received any internal customer issues.
Our top vision item is gitlab-ee#13761 which will introduce the concept of approved and banned dependencies to Gitlab.