@@ -29,6 +29,7 @@ _Delete these reviewers if they do not apply_
- Development: {+ reviewer name +} _you may want to consider a review from the team members who were closely involved in the development of this work to ensure that the details match their mental model_
- Scalability: {+ reviewer name +} _if there are concerns about how this will operate at scale, the Scalability group can help assess_
- Database: {+ reviewer name +} _if there are complex migrations or queries, the Database group to determine if these are safe to run_
- Application Security: {+ reviewer name +} _if there are concerns about application security, the group's Application Security stable counterpart can help_
## Readiness Checklist
...
...
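Review bot: the new Application Security reviewer line does not tell the author how to find "the group's Application Security stable counterpart", unlike the later checklist item that links the AppSec review handbook page. Suggest linking the stable-counterpart lookup (or the same appsec-reviews page) here, e.g. `- Application Security: {+ reviewer name +} _... the group's [Application Security stable counterpart](<link>) can help_`, so the reviewer is actually assigned rather than left as a placeholder; a concrete trigger ("new auth, data handling, or internet-facing surface") would also make "if there are concerns" less subjective than the Scalability and Database entries above it.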
@@ -83,7 +84,7 @@ _The items below will be reviewed by the Reliability team._
- List the member(s) of the team who built the feature will be on call for the launch.
- List the external and internal dependencies to the application (ex: redis, postgres, etc) for this feature and how the service will be impacted by a failure of that dependency.
## Infrastructure
### Infrastructure
_The items below will be reviewed by the Reliability team._
...
...
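Review bot: both `## Infrastructure` and `### Infrastructure` appear in this hunk with a 7/7 line count, so this reads as a heading-level change from `##` to `###`; that is consistent with the `### Security` heading added later, but please confirm the old `##` line is removed rather than leaving a duplicate heading, and that every sibling section in the file moves to `###` at the same time so the document outline stays flat. While touching this area, the context line "List the member(s) of the team who built the feature will be on call for the launch." is missing "who": "List the member(s) of the team who built the feature who will be on call for the launch."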
@@ -124,6 +125,7 @@ _The items below will be reviewed by the Infrasec team._
- Entry-points exposed to the internet (Public IPs, Load-Balancers, Buckets, etc...):
- Other (anything relevant that might be worth mention):
-[ ] Were the [GitLab security development guidelines](https://docs.gitlab.com/ee/development/secure_coding_guidelines.html) followed for this feature?
-[ ] Was an [Application Security Review](https://handbook.gitlab.com/handbook/security/security-engineering/application-security/appsec-reviews/) requested, if appropriate? Link it here.
-[ ] Do we have an automatic procedure to update the infrastructure (OS, container images, packages, etc...). For example, using unattended upgrade or [renovate bot](https://github.com/renovatebot/renovate) to keep dependencies up-to-date?
-[ ] For IaC (e.g., Terraform), is there any secure static code analysis tools like ([kics](https://github.com/Checkmarx/kics) or [checkov](https://github.com/bridgecrewio/checkov))? If not and new IaC is being introduced, please explain why.
-[ ] If we're creating new containers (e.g., a Dockerfile with an image build pipeline), are we using `kics` or `checkov` to scan Dockerfiles or [GitLab's container](https://docs.gitlab.com/ee/user/application_security/container_scanning/#configuration) scanner for vulnerabilities?
...
...
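Review bot: the new "Was an Application Security Review requested, if appropriate? Link it here." item gives no placeholder for the link and leaves "if appropriate" undefined, so it can be ticked without evidence; suggest "Was an [Application Security Review](...) requested? Link the review issue here, or state why one was not needed:" so the answer is either a link or a written justification. The five checklist items in this hunk are written `-[ ]` while the Delivery section uses `- [ ]`; if that is the literal template text rather than a stripped diff marker, the missing space means they will not render as task-list checkboxes and should be fixed to `- [ ]`.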
@@ -175,6 +177,13 @@ _The items below will be reviewed by the Delivery team._
-[ ] Is this feature validated by our [QA blackbox tests](https://gitlab.com/gitlab-org/gitlab-qa)?
- [ ] Will it be possible to roll back this feature? If so explain how it will be possible.
### Security
_The items below will be reviewed by the InfraSec team._
- [ ] Put yourself in an attacker's shoes and list some examples of "What could possibly go wrong?". Are you OK going into Beta knowing that?
- [ ] Link to any outstanding security-related epics & issues for this feature. Are you OK going into Beta with those still on the TODO list?
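Review bot: this new `### Security` subsection says it is reviewed by the "InfraSec team" while the earlier security items sit under "_The items below will be reviewed by the Infrasec team._"; pick one spelling and, more importantly, say how the two sets relate, since an author now finds security questions under both the Infrasec section and the Delivery section. The "What could possibly go wrong?" prompt would be more actionable if it pointed at the Application Security Review item added above (the threat list belongs in, or links to, that review) and asked for the link to the resulting epics/issues, which the second bullet already requests; consider merging the two bullets into one item with a placeholder for that link.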