Provide an exportable "chain of custody" CSV report for projects
Problem to solve
Compliance-minded organizations need a way to show their internal teams or external auditors a holistic view of the components involved in any particular release. Within GitLab, this means connecting all of the dots: MRs, issues, pipelines, security scans, and other data about a release. Today, piecing this information together is costly and time-consuming: it means digging through the GitLab application by hand, building custom tooling to aggregate the information, or both. There is no existing feature to programmatically collect and export this data so that users can satisfy their internal or external auditing requirements.
Intended users
- Sidney (Systems Administrator)
- The management stakeholders who adhere to any auditing process. To be defined in a new Compliance Persona
Further details
A common evidence artifact for many audits is a documented chain of custody for changes that made it into production. Some organizations will also need this artifact for all environments or some combination of staging, production, test, etc.
Proposal
Add an export button to the Security & Compliance -> Compliance Dashboard view.
The export should aggregate the following related data:
| Merge Request | Pipeline(s) | Group | Project | Approver(s) |
|---|---|---|---|---|
| 4 | 3kjp9imx, hiioxu59, cx4wny3u, 24dgzlcx | My-Group | awesome-project | Daffy Duck |
| 3 | 3c9mc3t1, b1czcqxx, tvgwgzxm, gggycbf1 | My-Group | awesome-project | Daffy Duck, Bugs Bunny |
| 2 | 2139y0lh, sairv5go, 92bdhomk, lljktif7 | My-Group | awesome-project | Bugs Bunny |
| 1 | pz6noun5, gicyewes, ek3k1jos, 130odb2w | My-Group | awesome-project | Daffy Duck, Bugs Bunny, Yosemite Sam |
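As an added illustration of the aggregation behind such an export (this is example code written for this issue, not GitLab's implementation), the script below joins merge requests with their pipelines and approvers and renders the proposed columns as CSV. It assumes the GitLab REST API v4 endpoints `GET /projects/:id/merge_requests`, `.../merge_requests/:iid/pipelines` and `.../merge_requests/:iid/approvals` with a `PRIVATE-TOKEN` header; the sample records embedded in it are constructed, not real project data. Two choices go beyond the table above: multi-valued cells use `; ` rather than a space as the separator so names containing spaces stay unambiguous, and any cell that begins with a formula-leading character (`=`, `+`, `-`, `@`, tab, CR) is prefixed with an apostrophe, since approver display names are user-controlled and an auditor will most likely open the file in a spreadsheet.

```python
import csv
import io
import json
import urllib.parse
import urllib.request

# Columns of the proposed export, in the order the proposal's table uses.
FIELDS = ["merge_request", "pipelines", "group", "project", "approvers"]

# Constructed sample data shaped like the GitLab REST API responses this
# script expects (an assumption: /merge_requests, /merge_requests/:iid/pipelines
# and /merge_requests/:iid/approvals). Not real project data.
SAMPLE_MERGE_REQUESTS = [
    {"iid": 2, "state": "merged", "merge_commit_sha": "a1b2c3d"},
    {"iid": 1, "state": "merged", "merge_commit_sha": "e4f5a6b"},
]
SAMPLE_PIPELINES = {
    2: [{"id": 2139, "status": "success"}, {"id": 2140, "status": "success"}],
    1: [{"id": 1301, "status": "success"}],
}
SAMPLE_APPROVALS = {
    2: {"approved_by": [{"user": {"name": "Bugs Bunny"}}]},
    1: {"approved_by": [{"user": {"name": "Daffy Duck"}},
                        {"user": {"name": "Bugs Bunny"}}]},
}


def neutralize(cell):
    """Prefix a cell that a spreadsheet would otherwise evaluate as a formula.

    Approver display names and similar user-controlled strings end up in the
    export; a leading '=', '+', '-', '@', tab or CR is the classic CSV formula
    injection trigger, so such cells get a leading apostrophe.
    """
    text = str(cell)
    if text and text[0] in "=+-@\t\r":
        return "'" + text
    return text


def build_rows(group, project, merge_requests, pipelines_by_mr, approvals_by_mr):
    """Join each MR with its pipelines and approvers into one export row.

    Multi-valued cells use '; ' as the separator so that names containing
    spaces stay unambiguous.
    """
    rows = []
    for mr in merge_requests:
        iid = mr["iid"]
        pipelines = pipelines_by_mr.get(iid, [])
        approvals = approvals_by_mr.get(iid, {}).get("approved_by", [])
        rows.append({
            "merge_request": iid,
            "pipelines": "; ".join(str(p["id"]) for p in pipelines),
            "group": group,
            "project": project,
            "approvers": "; ".join(a["user"]["name"] for a in approvals),
        })
    return rows


def to_csv(rows):
    """Render rows as CSV text with every cell passed through neutralize()."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({k: neutralize(v) for k, v in row.items()})
    return buf.getvalue()


def fetch_rows(base_url, project_path, token):
    """Pull the same data from a live GitLab instance (not exercised offline).

    base_url is e.g. "https://gitlab.example.com", project_path the
    "group/project" path, token a personal access token with read_api scope.
    Assumes the API v4 endpoints named above; only the first page of MRs
    (per_page=100) is fetched, so add pagination for larger projects.
    """
    encoded = urllib.parse.quote(project_path, safe="")
    api = f"{base_url}/api/v4/projects/{encoded}"

    def get(path):
        req = urllib.request.Request(api + path, headers={"PRIVATE-TOKEN": token})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)

    merge_requests = get("/merge_requests?state=merged&per_page=100")
    pipelines = {mr["iid"]: get(f"/merge_requests/{mr['iid']}/pipelines")
                 for mr in merge_requests}
    approvals = {mr["iid"]: get(f"/merge_requests/{mr['iid']}/approvals")
                 for mr in merge_requests}
    group, _, project = project_path.rpartition("/")
    return build_rows(group, project, merge_requests, pipelines, approvals)


if __name__ == "__main__":
    print(to_csv(build_rows("My-Group", "awesome-project", SAMPLE_MERGE_REQUESTS,
                            SAMPLE_PIPELINES, SAMPLE_APPROVALS)), end="")
```

Running the script as-is prints the CSV for the constructed sample; `fetch_rows` shows how the same `build_rows` would be fed from a real instance once a token and project path are supplied. Whatever the final feature does, the export should be generated server-side from the same authoritative records the Compliance Dashboard reads, so the artifact an auditor receives cannot differ from what the dashboard shows.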
Permissions and Security
This would be accessible only to Group Owners and Admins
Documentation
Availability & Testing
What does success look like, and how can we measure that?
- Number of times this report is exported