Continuous Software Compliance with GitLab
Building applications that meet common regulatory standards with a secure software supply chain
Software compliance is no longer just about checking boxes. Cloud-native applications present entirely new attack surfaces via containers, orchestrators, web APIs, and infrastructure-as-code. These attack surfaces, combined with complex DevOps toolchains, have enabled notorious software supply chain attacks and led to new regulatory requirements. Continuous software compliance is becoming a critical way to manage the risk inherent in cloud-native applications and DevOps automation, beyond merely reducing security flaws within the code itself.
DevOps automation requires a new level of sophistication to monitor and protect what has become the modern software factory. Continuous software compliance can be difficult when it is disconnected from the software development process. Organizations need a compliance program that is built-in, not bolted-on, to their existing workflows and processes. "Traditional compliance practices are incompatible with continuous software delivery processes, leading to slower delivery and unexpected, expensive remediation work." (Gartner®, Hype Cycle™ for Agile and DevOps, 2021, Herschmann, Joachim and Spafford, George, 2021)
Learn more by downloading the Guide to Software Supply Chain Security
GitLab's compliance management capabilities aim to create an experience that's simple, friendly, and as frictionless as possible by enabling you to define, enforce and report on compliance policies and frameworks. Our platform approach simplifies the effort.
As a complete DevOps platform, GitLab is a great choice for compliance teams to provide compliance guardrails that allow rapid software development while ensuring compliance is integrated into development and deployment processes early, in a manner somewhat similar to the movement to shift security left.
Policy Management helps you define rules and policies to adhere to compliance frameworks and common controls
Compliant Workflow Automation helps you enforce the defined rules and policies
Audit Management helps you log activities throughout your DevOps automation to identify incidents and prove adherence to compliance rules and defined policies. Visibility is greater with one platform and no toolchain silos.
Security testing and vulnerability management helps you ensure security scanning and license compliance for every code change and allows DevOps engineers and Security Pros alike to track and manage vulnerabilities.
Software Supply Chain Security helps you manage the end-to-end attack surfaces of Cloud Native applications and DevOps automation - beyond traditional application security testing.
Policy Management helps you define rules and policies to adhere to - either internal company policies or policies based on legal or regulatory frameworks such as GDPR, SOC2, PCI-DSS, SOX, HIPAA, ISO, COBIT, FedRAMP, and so on.
Granular User Roles and Permissions GitLab assigns permissions according to a user's role in a project or group, rather than requiring direct access grants to each individual repository.
Compliance Settings Define and enforce compliance policies on specific projects, groups, and users.
Credentials Inventory Keep track of all the credentials that can be used to access the GitLab self-managed instance.
Protected Branches Prevent unauthorized modifications to specific branches, including creating, pushing to, or deleting a branch, by users who lack the required permissions or approvals.
GitLab enables powerful compliance automation through enforcing policies and separation of duties while reducing overall business risk.
Compliance Framework Project Templates Create projects that map to specific audit protocols such as HIPAA - to help maintain an audit trail & manage compliance programs. Templates are managed by admins to ensure consistent and compliant use.
Compliance Framework Pipelines Define compliance jobs that should be run in every pipeline to ensure that security scans are run, artifacts are created and stored, or any other steps required by your organizational requirements. These jobs are automatically merged with the project's jobs, enabling developers to stay focused on adding business value while still remaining compliant.
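As an added illustration of how a compliance framework pipeline wraps a project's own jobs, the following is an example configuration written for this page, not GitLab's own documentation. It assumes the compliance framework's configuration project lives at my-group/compliance-config (an assumed path) and uses GitLab's built-in SAST and Secret Detection templates:

```yaml
# .gitlab-ci.yml in the compliance framework's configuration project
# (assumed here to live at my-group/compliance-config; the path is an assumption).
#
# GitLab runs this file instead of the developer project's .gitlab-ci.yml,
# so this file pulls the developer's configuration back in and then adds
# the jobs that must run in every pipeline.

include:
  # Re-include the developer project's own pipeline configuration so its
  # build and test jobs still run. $CI_CONFIG_PATH is the project's configured
  # CI file path (default .gitlab-ci.yml). Pinning ref to $CI_COMMIT_SHA keeps
  # merge request pipelines on the commit under review rather than the
  # default branch.
  - project: '$CI_PROJECT_PATH'
    file: '$CI_CONFIG_PATH'
    ref: '$CI_COMMIT_SHA'
    rules:
      # Guard against including ourselves when the compliance project's own
      # pipeline runs.
      - if: $CI_PROJECT_PATH != "my-group/compliance-config"
  # Mandatory scanners, supplied by GitLab's built-in templates.
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml

# Evidence job: record who, what and when for this run as a stored artifact,
# so an auditor can trace the pipeline later. .post is a stage that exists in
# every pipeline, so it runs after the developer's own stages.
compliance-evidence:
  stage: .post
  image: alpine:3.19   # image tag is an assumption
  script:
    - |
      printf '%s\n' \
        "project=$CI_PROJECT_PATH" \
        "commit=$CI_COMMIT_SHA" \
        "pipeline=$CI_PIPELINE_ID" \
        "ref=$CI_COMMIT_REF_NAME" \
        "triggered_by=$GITLAB_USER_LOGIN" > compliance-evidence.txt
  artifacts:
    paths: [compliance-evidence.txt]
    expire_in: 1 year
```

Two caveats a practitioner should keep in mind: the scanning jobs in GitLab's built-in templates are defined with allow_failure: true, so a finding alone does not fail the pipeline; if a scan must block a change, override the job in this file or enforce it through merge request approval rules for vulnerabilities. And because the compliance file re-includes the developer project's configuration, any stage names the developer project defines are merged with the ones here, so name compliance jobs distinctively to avoid collisions.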
Audits require traceability of compliance events to show what happened, when it happened, and who did it. GitLab's audit event system records this for the most important actions and provides multiple ways to consume the results.
Compliance Framework Project Labels Clearly delineate which projects need certain compliance controls and which do not. Easily apply common compliance settings to a project with a label.
Audit Events Aim to satisfy organizational audit logging requirements, with events available within the UI or via the API.
Compliance Dashboard Provide compliance insights in a consolidated view with all relevant compliance signals such as segregation of duties, framework compliance, license compliance, pipeline and MR results. Currently, the dashboard focuses on most recently merged MR activity.
GitLab's approach to DevSecOps directly integrates required compliance jobs into developer pipelines and ensures proper separation of duties, audit trails, and more. This makes it possible to implement a 'shift-left' approach for both security and compliance.
Visit the DevSecOps page to learn more.
Vulnerability scanning automatically applies comprehensive scan types at every code commit and upon merge
License compliance scanning automatically looks for unapproved use of third party code with results alongside security scans
MR approvals allow you to require additional approvals when a merge request introduces severe vulnerabilities
Vulnerability management helps you assess risk, triage unresolved vulnerabilities, and track their remediation.
GitLab Continuous Software Compliance capabilities help organizations adhere to policies and regulatory requirements while maintaining development velocity, providing the necessary simplicity, visibility, and control.
Visibility and control
GitLab's audit event system records who did what and when for the most important actions across the platform, and compliance framework labels let you apply common compliance settings to a project in one step.
Customer story: Chorus.ai
During a recent audit for SOC2 compliance, the auditors said that Chorus had the fastest auditing process they have seen and most of that is due to the capabilities of GitLab.
Russell Levy
Co-Founder, and Chief Technology Officer, Chorus.ai
Help and More Information
GARTNER and HYPE CYCLE are registered trademarks and service marks of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved.