GitLab Security Resource Center

1. You are here:
2. Handbook
3. Security at GitLab
4. GitLab Security Resource Center

On this page

• Commonly requested resources
  • Contacting GitLab for reporting security issues
  • GitLab's Customer Assurance Package (CAP)
  • GitLab's Trust Center
• Frequently asked questions
• Control topics
  • Table of contents
  • Acceptable use
  • Access management
  • Business continuity
  • Cryptography
  • Data classification
  • Disaster recovery
  • Endpoint management
  • GitLab.com hardening techniques
  • Incident response and communication
  • Independent assurance
  • Logging and monitoring
  • Network security
  • Privacy
  • Security awareness
  • Third party risk management
  • Threat modeling
  • Vulnerability management

Commonly requested resources

Contacting GitLab for reporting security issues

• Reporting Abuse
• Coordinated Disclosure Process
• HackerOne Reporting Process

GitLab's Customer Assurance Package (CAP)

Our Customer Assurance Package contains documents such as our SOC2 report, ISO 27001 certificate, penetration test executive summary, and pre-filled CAIQ and SIG questionnaires, among many other documents. Please see our CAP page to request the package.

GitLab's Trust Center

Our Trust Center outlines the various compliance and assurance credentials that GitLab maintains. This page also contains links to important security, legal & privacy, and availability resources, such as an overview of our security practices, our Environmental, Social, and Governance strategy, and our production architecture.

Frequently asked questions

The following links contain frequently asked security, legal & privacy, and availability questions.

• Security FAQs
• Legal & Privacy FAQs
• Availability FAQs

Control topics

Table of contents

Acceptable use	Access management	Business continuity	Cryptography	Data classification
Disaster recovery	Endpoint management	Hardening	Incident response and communication	Independent assurance
Logging and monitoring	Network security	Privacy	Security awareness	Third party risk management
Threat modeling	Vulnerability management

Acceptable use

• Internal acceptable use policy
• GitLab's terms of use

Access management

• Access Management Policy
• Access Review Procedure
• Access Request process

Business continuity

• Business Continuity Plan
• Business Impact Analysis
• Information System Contingency Plan

Cryptography

• GitLab cryptography standard
• Encryption policy

Data classification

• Data classification standard
• Record retention policy
• Records retention and disposal standard

Disaster recovery

• Disaster recovery plan
• Database disaster recovery
• Database overview

Endpoint management

• Endpoint management at GitLab
  • Jamf
  • EDR
• Use Gitleaks as a pre-commit git hook on laptops

GitLab.com hardening techniques

• GitLab projects baseline requirements
• GitLab security requirements for deployment and development

Incident response and communication

• Security incident communications plan procedure
• Security incident response guide

Independent assurance

• Independent Security Assurance

Logging and monitoring

• Monitoring of gitlab.com
• Log management for gitlab.com
• Logging and monitoring architecture
• GitLab audit logging policy
• Log and audit requests process

Network security

• Network security management procedure
• GitLab security requirements for deployment and development

Privacy

• GitLab privacy
• Employee privacy policy
• Privacy laws and GitLab
• California privacy notice
• Data protection impact assessment (DPIA) policy *Account deletion and data access requests workflow

Security awareness

• Security training
• Security awareness training program
• Security awareness training procedure
• Phishing program

Third party risk management

• Security third party risk management

Threat modeling

• Threat modeling at GitLab
• Threat modeling How To Guide
• Application security threat modeling process

Vulnerability management

• Vulnerability management standard
• Application vulnerability management procedure
• Infrastructure vulnerability management procedure