Follow the "New Project" process
As per https://about.gitlab.com/handbook/engineering/gitlab-repositories/#creating-a-new-project
- Add the project to the list of GitLab projects in `projects.yml`.
  - It's not that kind of project
- Help AppSec categorize your new project.
- 💡 Add a license to the repository. Contact #legal as to which license to add. A sample license is the `gitlab-org/gitlab` MIT License, but contact legal before using it.
- 💡 Add a section titled "Developer Certificate of Origin and License" to `CONTRIBUTING.md` in the repository. It is easiest to simply copy-paste the `gitlab-org/gitaly` DCO + License section verbatim.
- Add any further relevant details to the Contribution Guide. See Contribution Example.
- Add a link to `CONTRIBUTING.md` from the project's `README.md`.
- 💡 Add a CODEOWNERS file, to make it easy for contributors to figure out which teams are best suited to review their changes.
  - Use teams rather than individuals as owners, to make it self-updating over time and resilient to people taking time off.
  - You can scope ownership to subdirectories or individual files, but it should contain at the very least a top-level catch-all for any new or not explicitly mentioned file.
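As an added illustration (not part of the original checklist), a GitLab `CODEOWNERS` file (placed at the repository root, or under `.gitlab/` or `docs/`) that follows the two points above: group paths such as `@example-org/maintainers` are assumed placeholders, not real GitLab groups.

```text
# Top-level catch-all: any file with no more specific rule falls to the
# maintainers group. Groups, not individuals, so the list stays current
# as people join, leave, or take time off.
* @example-org/maintainers

# Sections are evaluated independently; within a section the last
# matching pattern wins. Paths starting with "/" are anchored to the
# repository root.
[Documentation]
/docs/ @example-org/technical-writers

# Pipeline and security-relevant configuration gets a dedicated owner so
# changes to CI jobs (including the SAST job) are reviewed by AppSec.
[Security]
/.gitlab-ci.yml @example-org/appsec
/config/security/ @example-org/appsec
```

Because the default section already owns `*`, a file under `/docs/` is matched by both the catch-all and the Documentation section, so both groups are listed as owners for it.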
- When possible, projects should have the following Merge request settings enabled:
- When possible, projects should have the following Pipeline settings enabled:
- Projects should have the minimum Baseline Configurations set up for MR Approval Rules and Protected Branch Settings.
- Projects should have the "Users can request access" setting disabled to discourage granting accidental external access.
- If needed, make sure to set up a default CI/CD configuration.
- If your project contains code that is distributed with GitLab or is executed in production, set up security jobs for your project and add your project to the AppSec team's triage rotation. AppSec will triage security findings from the Security Dashboard and create issues for vulnerabilities.
  - SAST is enabled
Edited by Nick Malcolm