Major software releases are subject to the Service Life Cycle, which requires acceptance via Concept Accept and Project Plan Commit phases prior to implementation.
The purpose of this control is to formalize the documentation and approval of software changes before they are implemented. Requiring this sign-off reduces the risk of insecure code being pushed to production quickly and without proper vetting.
This control applies to all major software releases to GitLab.com.
Most of this process is already captured in the current GitLab workflow; the difficult part will be achieving 100% coverage of all software changes.
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the Service Lifecycle Workflow control issue.
Examples of evidence an auditor might request to satisfy this control: