Application Security - Automation and Monitoring

1. You are here:
2. Handbook
3. Security at GitLab
4. Security Engineering
5. Application Security
6. Application Security - Automation and Monitoring

On this page

• Monitoring

Monitoring

The Application Security team uses a number of automation initiatives to help secure GitLab. These are not all authored by the AppSec team but they're all useful to us. The points are listed in no specific order.

• Gem Checker monitors suspicious activity on RubyGems.org for gems that we use at GitLab
• sec-appsec-mr-alerts identifies MRs that modify dependencies used in our projects
• public_merge_requests_referencing_confidential_issues monitors for public merge requests that should have been opened in our security mirror
• Custom SAST rules detecting known-vulnerable code patterns that alert the AppSec team in the MR (related MR)
• untamper-my-lockfile included in CI to prevent lockfile tampering
• Package Hunter detects suspicious activity in dependencies at runtime (related runbook)
• GitLab Inventory monitors our projects and violations of security best practices and standards
• GitLab's own application security features are running in CI
• Advanced Search Token Hunter monitors for leaked credentials
• AppSec Escalator which is a tool that…
  • monitors that security issues are labeled properly
  • sets appropriate due dates on security issues
  • escalates overdue issues
  • detects potentially sensitive files posted in public issues
• depSASTer runs SAST on the dependencies used by GitLab
• Maintainer Watcher monitors potentially compromisable dependency maintainer accounts