Gitlab hero border pattern left svg Gitlab hero border pattern right svg

Category Vision - Dependency Firewall

Dependency Firewall

Many projects depend on packages that may come from unknown or unverified providers, introducing potential security vulnerabilities. GitLab already provides dependency scanning across a variety of languages to alert users of any known security vulnerabilities. But we currently do not allow organizations to prevent those vulnerabilities from being downloaded to begin with.

The goal of this category will be to leverage the dependency proxy, which proxies and caches dependencies, to give more control and visibility to security and compliance teams. We will do this by allowing users to create and maintain an approved/banned list of dependencies, providing more insight into the usage and impact of external dependencies and by ensuring the GitLab Security Dashboard is the single source of truth for all security related issues.

By preventing the introduction of security vulnerabilities further upstream, organizations can let their development teams work faster and more efficiently.

This page is maintained by the Product Manager for Package, Tim Rizzi (E-mail)

Use cases

  1. Verify package integrity from one single place. See what has been changed and test them for security vulnerabilities (part of black duck model).
  2. Filter the available upstream packages to include only approved, whitelisted packages.
  3. Enforce policies at the proxy layer (e.g. scan packages for licenses and only allow packages with compatible licenses).

What's next & why

This is a new category that is still in the planning stage. Many of the features we are planning in this category are dependent on the dependency proxy reaching the viable maturity level However, we can take some preliminary steps, such as gitlab-ee#13754 which will introduce npm audit to the NPM Registry.

gitlab-ee#13761 will introduce the concept of approved/banned lists for external dependencies.

Maturity Plan

This category is currently at the "Planned" maturity level, and our next maturity target is Minimal (see our definitions of maturity levels). Key deliverables to achieve this are:

Competitive landscape

JFrog utilizes a combination of their Bintray and XRay products, to proxy, cache and screen dependencies. They also provide dependency graphs across multiple languages and centralized dashboards for the review and remediation of vulnerabilities. It is a mature product, that is generally well received by users.

GitHub's new package registry does a really nice job of creating visibility into the dependency graph for a given package, but they do not give users the ability to control which packages are used in a given group/project. ​​

Top Customer Success/Sales issue(s)

This is a new category and does not yet have any customer success or sales issues.

Top user issue(s)

The top user issue is gitlab-ce#55374 which aims to capture and make use of the various meta data associated with images and packages.

Top internal customer issue(s)

This is a new category and has not yet received any internal customer issues.

Top Vision Item(s)

Our top vision item is gitlab-ee#13761 which will introduce the concept of approved and banned dependencies to Gitlab.