Security Gates for new dependencies

Problem to solve

We don't highlight the introduction of dependencies in Merge Requests.

Intended users

Further details

Introducing a new dependency in a project is a decision to balance wisely. Not only can the new dependency be incompatible with the project's license, but it can also bring its own share of security and performance issues, and it widens the supply-chain trust boundary even when no known vulnerability is reported for it. GitLab already provides Dependency Scanning for known vulnerabilities, License Compliance for checking licenses, and guidelines for the development of GitLab itself. Nevertheless, some users will want to be notified when new dependencies are introduced, and we can leverage the same process as the security gates.

This feature was mentioned during our AppSec Office Hours by @estrike.

Proposal

If a group with an agreed-upon name (Dependency-Check?) is added as one of the approvers, its approval becomes required whenever the Merge Request introduces at least one new dependency. "Introduced" here means a package that is present in a dependency manifest or lockfile at the MR head but absent at its base; a version bump of a package that was already present should not trigger the rule, otherwise routine update MRs would hit the gate on every change.
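
As an added illustration (not part of this proposal or of GitLab's own code), the check such a rule has to run is: parse the dependency manifest at the MR's base and at its head, and report the packages that exist only at the head. The snippet below does this for a Gemfile.lock, on two constructed lockfile snippets embedded inline; the function names are hypothetical. It separates new packages from version bumps, because only the former should require the gate group's approval.

```ruby
# Added example: detect dependencies introduced between two versions of a
# Gemfile.lock, which is the check a "dependency gate" approval rule would run.
# BEFORE and AFTER are constructed lockfile snippets, not from any real project.

BEFORE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      concurrent-ruby (1.2.2)
      i18n (1.14.1)
        concurrent-ruby (~> 1.0)
      rake (13.0.6)

  PLATFORMS
    ruby

  DEPENDENCIES
    i18n
    rake

  BUNDLED WITH
     2.4.10
LOCK

AFTER = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      concurrent-ruby (1.2.3)
      i18n (1.14.1)
        concurrent-ruby (~> 1.0)
      nokogiri (1.15.4)
        racc (~> 1.4)
      racc (1.7.1)
      rake (13.0.6)

  PLATFORMS
    ruby

  DEPENDENCIES
    i18n
    nokogiri
    rake

  BUNDLED WITH
     2.4.10
LOCK

# Returns { gem_name => version } for every gem listed under a "specs:" block
# (GEM, GIT and PATH sections all use the same layout). Only lines indented by
# exactly four spaces are specs; six-space lines are a spec's own requirements
# and must not be counted as dependencies of the project.
def lock_specs(lock_text)
  specs = {}
  in_specs = false
  lock_text.each_line do |line|
    if line =~ /\A  specs:\s*\z/
      in_specs = true
      next
    end
    in_specs = false if in_specs && line.strip.empty? # blank line closes the block
    next unless in_specs

    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/))
      specs[m[1]] = m[2]
    end
  end
  specs
end

# Compares the lockfile at the MR base with the one at the MR head.
# Version bumps of an existing gem are reported separately from newly added
# gems, since the gate should fire on new packages, not on updates.
def dependency_delta(before_text, after_text)
  before = lock_specs(before_text)
  after  = lock_specs(after_text)
  {
    added:   (after.keys - before.keys).sort,
    removed: (before.keys - after.keys).sort,
    updated: (before.keys & after.keys).select { |g| before[g] != after[g] }.sort,
  }
end

# True when the approval of the dependency gate group should be required.
def gate_required?(before_text, after_text)
  !dependency_delta(before_text, after_text)[:added].empty?
end

if __FILE__ == $PROGRAM_NAME
  delta = dependency_delta(BEFORE, AFTER)
  puts "new dependencies: #{delta[:added].join(', ')}"       # nokogiri, racc
  puts "version updates:  #{delta[:updated].join(', ')}"     # concurrent-ruby
  puts "gate approval required: #{gate_required?(BEFORE, AFTER)}" # true
end
```

In a pipeline the base text would come from `git show "$CI_MERGE_REQUEST_DIFF_BASE_SHA:Gemfile.lock"` and the head text from the checked-out file; a non-empty `added` list is the signal that the gate group's approval is needed. Transitive dependencies pulled in by a new direct dependency (racc via nokogiri above) show up as new packages too, which is the behaviour you want: they are new code entering the project regardless of who requested them.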

Permissions and Security

To be defined.

Documentation

Todo

Testing

Todo

What does success look like, and how can we measure that?

What is the type of buyer?

GitLab Ultimate

Links / references

/cc @NicoleSchwartz