---
layout: handbook-page-toc
title: "VUL.5.01 - Code Security Check Control Guidance"
---

## On this page
{:.no_toc .hidden-md .hidden-lg}

- TOC
{:toc .hidden-md .hidden-lg}

# VUL.5.01 - Code Security Check

## Control Statement

GitLab conducts source code checks for vulnerabilities.

## Context

By manually and automatically reviewing our source code for security vulnerabilities and adherence to best practices, we can preemptively identify and address risks to our customers, GitLab team members, and partners. Code security checks also help us evaluate how consistently secure coding standards are applied and improve our application security training.

## Scope

This control applies to all GitLab source code.

## Ownership

* Control Owner:
    * `Application Security`
* Process owner(s):
    * All GitLab Teams
## Guidance

SAST and Dependency Scanning are initiated by pipelines for production code. Pipelines are managed by all teams, not a single team.
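The following `.gitlab-ci.yml` fragment is an added illustration of how a project pipeline picks up the two checks named above; it is not the handbook's own configuration nor any specific GitLab project's pipeline. It assumes the project uses GitLab's built-in `Security/SAST.gitlab-ci.yml` and `Security/Dependency-Scanning.gitlab-ci.yml` templates, which add `sast` and `dependency_scanning` jobs to the `test` stage; the `build` job is a placeholder.

```yaml
# Added example (not the handbook's or a real project's pipeline):
# enable GitLab's SAST and Dependency Scanning templates so that both
# checks run on every pipeline, owned by the project team rather than a
# central security team.
include:
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml

stages:
  - build
  - test   # the included templates attach their jobs to this stage

build:
  stage: build
  script:
    - echo "placeholder build step"   # assumed; replace with the project's real build
```

The `sast` and `dependency_scanning` jobs emit `gl-sast-report.json` and `gl-dependency-scanning-report.json` as report artifacts. For this control, the committed `.gitlab-ci.yml` (showing the templates are included) and those report artifacts from a production pipeline are the two pieces of evidence listed below.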
## Additional control information and project tracking

Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Code Security Check control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/944).
Examples of evidence an auditor might request to satisfy this control:

* Pipeline configurations showing security tool usage
* SAST and Dependency Scanning pipeline artifacts

### Policy Reference

## Framework Mapping

* ISO
  * A.14.2.1
  * A.14.2.5
* SOC2 CC
  * CC7.1
  * CC8.1
* PCI
  * 6.3.1
  * 6.4.4