Gitlab hero border pattern left svg Gitlab hero border pattern right svg

VUL.2.01 - Application Penetration Testing Control Guidance

VUL.2.01 - Application & Infrastructure Penetration Testing

Control Statement

GitLab conducts penetration tests according to the service risk rating assignment.


This control is meant to formalize the way GitLab prioritizes our penetration tests. The rating assignment mentioned in this control is detailed in a separate control linked below. It isn't feasible to test 100% of GitLab systems and since penetration tests are meant to reduce risk to the organization, it makes sense that risk is the method we use for prioritizing which systems we test in a given year.


This control applies to all systems within our production environment. The production environment includes all endpoints and cloud assets used in hosting and its subdomains. This may include third-party systems that support the business of


Control Owner:

Process Owner:


We will need to share our methodology for determining which systems to pen test and that methodology should align with the related control.

Additional control information and project tracking

Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the Application & Infrastructure Penetration Testing control issue.

Policy Reference

Framework Mapping