Continuous Software Compliance with GitLab
Building applications that meet common regulatory standards with a secure software supply chain
Continuous Software Compliance
Software compliance is no longer just about checking boxes. Cloud native applications present entirely new attack surfaces via containers, orchestrators, web APIs, and other infrastructure-as-code. These new attack surfaces, along with complex DevOps toolchains have resulted in notorious software supply chain attacks and led to new regulatory requirements. Continuous software compliance is becoming a critical way to manage risk inherent in Cloud Native applications and DevOps automation - beyond merely reducing security flaws within the code itself.
DevOps automation requires a new level of sophistication to monitor and protect what has become the modern software factory. Continuous software compliance can be difficult when it is disconnected from the software development process. Organizations need a compliance program that is built-in, not bolted-on, to their existing workflows and processes. "Traditional compliance practices are incompatible with continuous software delivery processes, leading to slower delivery and unexpected, expensive remediation work." (Gartner®, Hype Cycle™ for Agile and DevOps, 2021, Herschmann, Joachim and Spafford, George, 2021)
Learn more by downloading the Guide to Software Supply Chain Security
How GitLab simplifies Continuous Software Compliance
GitLab's compliance management capabilities aim to create an experience that's simple, friendly, and as frictionless as possible by enabling you to define, enforce and report on compliance policies and frameworks. Our platform approach simplifies the effort.
As a complete DevOps platform, GitLab is a great choice for compliance teams to provide compliance guardrails that allow rapid software development while ensuring compliance is integrated into development and deployment processes early, in a manner somewhat similar to the movement to shift security left.
-
Policy Management helps you define rules and policies to adhere to compliance frameworks and common controls
-
Compliant Workflow Automation helps you enforce the defined rules and policies
-
Audit Management helps you log activities throughout your DevOps automation to identify incidents and prove adherence to compliance rules and defined policies. Visibility is greater with one platform and no toolchain silos.
-
Security testing and vulnerability management helps you ensure security scanning and license compliance for every code change and allows DevOps engineers and Security Pros alike to track and manage vulnerabilities.
-
Software Supply Chain Security helps you manage the end-to-end attack surfaces of Cloud Native applications and DevOps automation - beyond traditional application security testing.
Policy Management
Policy Management helps you define rules and policies to adhere to - either internal company policies or policies based on legal or regulatory frameworks such as GDPR, SOC2, PCI-DSS, SOX, HIPAA, ISO, COBIT, FedRAMP, and so on.
-
Granular User Roles and Permissions GitLab supports multiple different user roles with permissions according to the user's role, rather than access required to a repository.
-
Compliance Settings Define and enforce compliance policies on specific projects, groups, and users.
-
Credentials Inventory Keep track of all the credentials that can be used to access the GitLab self-managed instance.
-
Protected Branches Control unauthorized modifications to specific branches - including creating, pushing, deleting of a branch - without adequate permissions or approvers.
Compliant Workflow Automation
GitLab enables powerful compliance automation through enforcing policies and separation of duties while reducing overall business risk.
-
Granular User Roles and Permissions GitLab supports multiple different user roles with permissions according to the user's role, rather than access required to a repository.
-
Compliance Framework Project Templates Create projects that map to specific audit protocols such as HIPAA - to help maintain an audit trail & manage compliance programs. Templates are managed by admins to ensure consistent and compliant use.
-
Compliance Framework Pipelines Define compliance jobs that should be run in every pipeline to ensure that security scans are run, artifacts are created and stored, or any other steps required by your organizational requirements. These jobs are automatically merged with the project's jobs, enabling developers to stay focused on adding business value while still remaining compliant.
Audit Management
Audits require traceability of compliance events to show what happened, when it happened, and who did it. GitLab's robust audit event system records this for the most important actions and provides mulitple ways to consume the results.
-
Compliance Framework Project Labels Clearly delineate which projects need certain compliance controls and which do not. Easily apply common compliance settings to a project with a label.
-
Audit Events Aims to satisfy organizational audit logging requirements within the UI or via API.
-
Compliance Dashboard Provide compliance insights in a consolidated view with all relevant compliance signals such as segregation of duties, framework compliance, license compliance, pipeline and MR results. Currently, the dashboard focuses on most recently merged MR activity.
Security scanning and vulnerability management with Gitlab
GitLab's approach to DevSecOps directly integrates required compliance jobs into developer pipelines, ensures proper seperation of duties, audit systems, and more This makes it possible to implement a 'shift-left' approach for both security and compliance.
Visit the DevSecOps page to learn more.
-
Vulnerability scanning automatically applies comprehensive scan types at every code commit and upon merge
-
License compliance scanning automatically looks for unapproved use of third party code with results alongside security scans
-
MR approvals allows you to determine if approvals are required for severe vulnerabilities
-
Vulnerability management helps you assess risk, triage unresolved vulnerabilities, and track their remediation.
Protecting your software supply chain is challenging.
GitLab Continous Software Compliance capabilities help organizations adhere to policies and regulatory requirements while ensuring development velocity, providing necessary simplicity, visibility, and control.
Visibility and control
Audits require traceability of compliance events to show what happened, when it happened, and who did it. GitLab's robust audit event system records this for the most important actions and provides mulitple ways to consume the results. Easily apply common compliance settings to a project with a label.
- PCI Compliance
- HIPAA Compliance
- Financial Services Regulatory Compliance
- GDPR
- IEC 62304:2006
- ISO 13485:2016
- ISO 26262-6:2018
- Your own policy framework
Customer story: Chorus.ai
During a recent audit for SOC2 compliance, the auditors said that Chorus had the fastest auditing process they have seen and most of that is due to the capabilities of GitLab.
Russell Levy
Co-Founder, and Chief Technology Officer, Chorus.ai
Help and More Information
- Please see Get help for GitLab if you have questions
- Docs: Compliance Features
- Docs: Compliance Dashboard
- Demo: Compliant pipelines
- Blog: Three things you may not know about GitLab security
- Webinar: Secure your software supply chain
- Roadmaps Audit Events | Audit Reports | Compliance Management | Authentication & Authorization | User Management
GARTNER and HYPE CYCLE are registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved..
