@@ -38,8 +38,7 @@ When creating a new project, please follow these steps:
1. Projects should have the minimum [Baseline Configurations setup for MR Approval Rules and Protected Branch Settings](/handbook/security/policies_and_standards/gitlab_projects_baseline_requirements/)
1. Projects should have [`Users can request access` setting disabled](https://docs.gitlab.com/ee/user/project/members/index.html#prevent-users-from-requesting-access-to-a-project) to discourage granting accidental external access.
1. If needed, make sure to [set up a default CI/CD configuration](#cicd-configuration).
1. If the project is part of work that is shipped to customers, add it to [projects_part_of_product.csv](https://gitlab.com/gitlab-data/analytics/blob/master/transform%2Fsnowflake-dbt%2Fdata%2Fprojects_part_of_product.csv) by opening an MR to that file or following the [process outlined by Engineering Productivity](/handbook/product/groups/product-analysis/engineering/dashboards).
1. Help [AppSec](/handbook/security/product-security/security-platforms-architecture/application-security/)[categorize your new project](/handbook/security/product-security/security-platforms-architecture/application-security/inventory.md#how-to-categorize-projects).
1. If the project is part of work that is shipped to customers, add it to [projects_part_of_product.csv](https://gitlab.com/gitlab-data/analytics/blob/master/transform%2Fsnowflake-dbt%2Fdata%2Fprojects_part_of_product.csv) by opening an MR to that file as per the [Engineering Productivity Metrics](/handbook/product/groups/product-analysis/engineering/metrics/#productivity-engineering-metrics). This data is used to classify our projects for security purposes using [security attributes](https://docs.gitlab.com/user/application_security/attributes/). For more information refer to [GitLab Security Project Classification](/handbook/security/product-security/security-platforms-architecture/application-security/classification.md).
1. Enable the appropriate [security scanners](https://docs.gitlab.com/ee/user/application_security/).
1. Onboard the project to Renovate (<https://gitlab.com/gitlab-org/frontend/renovate-gitlab-bot>), and set up a process to regularly triage findings and update dependencies
1. If the repository is public, set up a [security mirror](https://gitlab.com/gitlab-org/release/docs/blob/master/general/security/mirrors.md).
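Review bot: the "Help [AppSec](...)[categorize your new project](...)" step has no space between the two links, so it renders as "AppSeccategorize your new project"; add a space after the first link. Separately, the projects_part_of_product.csv step now appears twice in this hunk (once pointing at the "process outlined by Engineering Productivity", once at "Engineering Productivity Metrics"); since the old/new markers are not visible here, please confirm the first copy is the removed line, and if it is not, consolidate the two into a single step so the list does not ask for the same MR twice. Minor: the Renovate step is the only one without a terminating period.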
GitLab projects are classified using [security attributes](https://docs.gitlab.com/user/application_security/attributes/). This helps Security identify product-related projects, prioritize security work, and support security workflows that rely on project classification.
A centralized pipeline keeps security attributes aligned with the [Data team's product inventory](https://gitlab.com/gitlab-data/analytics/-/blob/master/transform/snowflake-dbt/seeds/seed_engineering/projects_part_of_product.csv). For implementation details, see the [related project](https://gitlab.com/gitlab-private/gl-security/engineering-and-research/security-research/sec-attributes/security-attribute-automation).
## Security attributes schema
The current schema covers product classification. Expansion is planned for future use cases.
| Attribute | Value | Description |
| --- | --- | --- |
| Classification | Product | Project contains code we ship to customers, or is part of building and delivering that code |
## Making changes
1. **New projects**: Follow the [creating a new project](/handbook/engineering/workflow/gitlab-repositories/#creating-a-new-project) guidelines. Classification will be applied automatically once the project appears in the product inventory.
1. **Incorrect or missing classification**: Submit an MR to the [Data team's product inventory](https://gitlab.com/gitlab-data/analytics/-/blob/master/transform/snowflake-dbt/seeds/seed_engineering/projects_part_of_product.csv) to add or correct the entry. The sync pipeline will apply the attribute change within 24 hours.
1. **Proposed schema changes**: Open an issue in [product-security-meta](https://gitlab.com/gitlab-com/gl-security/product-security/product-security-meta) to discuss with the product security team before making changes.