Dependencies approval

Problem to solve

Just as we can approve or blacklist licenses, we should be able to approve or blacklist dependencies as part of our SCA offering.

Intended users

  • Delaney
  • Sasha
  • Devon
  • Sam (not sure about this one)

Further details

Some customers have expressed the need to augment our current BOM feature with a way to approve/blacklist dependencies at the group or instance level. We could even link this feature to our embedded package registries (like NPM) so that only approved packages are served.

Proposal

Users would define a list of approved and/or blacklisted dependencies. In an MR, the security widget would raise an error if a blacklisted dependency is detected.

Permissions and Security

Same permissions as for vulnerabilities.

Documentation

TODO

Testing

We need to know a project's full list of dependencies up front, so we can verify that all of them are actually detected.

What does success look like, and how can we measure that?

TODO.

What is the type of buyer?

GitLab Ultimate

Links / references
