GitLab conducts vulnerability scans against the production environment; scan tools are updated prior to running scans.
This control is fairly straightforward. We have flexibility in how we perform these scans, but the burden of proof will be on GitLab to show that we are scanning all systems and that we are checking for the more relevant vulnerabilities. This control is meant to ensure we regularly assessing the state of all production systems. The update part of this control ensures we are always checking for the most recent vulnerabilities we know about. When properly applied, this control will help us generate a list of the risk associated with each GitLab system and help us prioritize security resources dedicated to remediation. This control can also be valuable in validating the device inventory (see control # AM.1.01).
This control applies to all systems within the GitLab production environment.
For detailed implementation guidance relevant to GitLab team-members, refer to the full guidance documentation.
For all reference links relevant to this control, refer to the full guidance documentation.
For examples of evidence an auditor might request, refer to the full guidance documentation.