Security gates for merge requests
Problem to solve
Security checks run during pipeline execution, and their reports are available in the merge request widget. By comparing the feature branch report with the target branch report, GitLab can determine whether the changes on the feature branch introduce new vulnerabilities.
Our security paradigm is that we do not want to fail a pipeline and block the entire development process when a vulnerability is found: the finding could be a false positive, or simply something that matters less than development velocity.
On the other hand, we get a lot of feedback that insecure code should not be allowed to merge unless it has been approved by the security team beforehand. Some customers consider this a strict requirement, and analysts consider it a must-have. Security teams do not want to be involved in each and every merge request, only in those where security flaws have been found.
We strongly believe that our security paradigm is valid, but we should offer something that lets companies meet their compliance requirements and still use GitLab.
- Sam, Security Analyst, https://design.gitlab.com/research/personas#persona-sam
We recently released multiple approval rules, and we can leverage this feature to build some advanced logic on top of it.
When new security vulnerabilities are discovered in a merge request, an approval rule is enabled automatically. The approvers are the members of the security team.
The rule is enabled if:
- security gates are enabled in settings
- the security report diff (new vulnerabilities) contains at least one vulnerability with
The security team must be selected explicitly, so it could in fact be any team. In-product suggestions can guide the user to add the relevant people.
The rule may be a generic "conditional approval rule", so that other gates can be defined in the future, for example for code quality.
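As an added illustration of the gate logic described above (example code written for this page, not GitLab's implementation), the script below diffs a simplified security report for the target branch against one for the feature branch and decides whether the conditional approval rule must be attached. The report schema, the `security_gates_enabled` setting and the `security_team` list are assumptions; GitLab's real report format and fingerprinting are richer than this toy model. Findings are identified by category, name and file rather than by line number, so a finding that merely shifts a few lines is not reported as new, which limits the false positives the paradigm above is worried about.

```python
"""
Added example, not GitLab's code: decide whether the "security gate"
approval rule applies to a merge request.

Assumptions (hypothetical, not from the page):
- reports are simplified JSON with a top-level "vulnerabilities" list;
  each entry has category, name, severity, location.file and
  location.start_line.
- project settings are a dict with a "security_gates_enabled" flag and a
  "security_team" list of approver usernames.
"""
import json
from dataclasses import dataclass, field

# Constructed sample reports. BASE is the target branch, HEAD the feature
# branch. In HEAD the SQL injection finding moved four lines down (code
# above it was inserted) and one genuinely new finding appeared.
BASE_REPORT = json.dumps({"vulnerabilities": [
    {"category": "sast", "name": "SQL injection", "severity": "High",
     "location": {"file": "app/users.py", "start_line": 42}},
    {"category": "dependency_scanning", "name": "Vulnerable dependency",
     "severity": "Medium",
     "location": {"file": "requirements.txt", "start_line": 7}},
]})
HEAD_REPORT = json.dumps({"vulnerabilities": [
    {"category": "sast", "name": "SQL injection", "severity": "High",
     "location": {"file": "app/users.py", "start_line": 46}},
    {"category": "dependency_scanning", "name": "Vulnerable dependency",
     "severity": "Medium",
     "location": {"file": "requirements.txt", "start_line": 7}},
    {"category": "secret_detection", "name": "Hard-coded AWS key",
     "severity": "Critical",
     "location": {"file": "config/settings.py", "start_line": 3}},
]})


def fingerprint(vuln):
    """Identity of a finding that survives line shifts: category, name and
    file, deliberately not the line number (assumed scheme)."""
    return (vuln["category"], vuln["name"], vuln["location"]["file"])


def new_vulnerabilities(base_json, head_json):
    """Findings present in the feature branch report but not in the target
    branch report, i.e. the 'security report diff' of the merge request."""
    base = {fingerprint(v) for v in json.loads(base_json)["vulnerabilities"]}
    head = json.loads(head_json)["vulnerabilities"]
    return [v for v in head if fingerprint(v) not in base]


@dataclass
class ApprovalRule:
    name: str
    approvers: list = field(default_factory=list)
    approvals_required: int = 1


def security_gate_rule(settings, base_json, head_json):
    """Return the conditional approval rule for the MR, or None when the
    gate is disabled, no approvers are configured, or nothing new was found."""
    if not settings.get("security_gates_enabled"):
        return None
    approvers = settings.get("security_team", [])
    if not approvers:
        # Assumed policy: an empty team would block the MR with nobody able
        # to approve it, so the rule is not attached.
        return None
    if not new_vulnerabilities(base_json, head_json):
        return None
    return ApprovalRule(name="Security gate", approvers=list(approvers))


if __name__ == "__main__":
    settings = {"security_gates_enabled": True, "security_team": ["sam"]}
    for v in new_vulnerabilities(BASE_REPORT, HEAD_REPORT):
        print("new finding:", v["severity"], v["name"], v["location"]["file"])
    print("rule:", security_gate_rule(settings, BASE_REPORT, HEAD_REPORT))
```

With the constructed reports only the hard-coded key counts as new; the shifted SQL injection finding and the unchanged dependency finding do not trigger the gate, and disabling the setting or merging a branch with no new findings yields no rule at all.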
What does success look like, and how can we measure that?
Security teams are able to use GitLab to manage security.
We can measure the number of projects with this security gate enabled.
What is the type of buyer?