MVC: Chain of custody report, list of commits
Problem to solve
Compliance-minded organizations need a way to show their internal teams or external auditors a holistic view of the components involved with any particular commit. Within GitLab, this means connecting all of the dots: MRs, issues, pipelines, security scans, and other data about a commit. Currently, piecing this information together has a large time and cost requirement either in digging through the GitLab application and/or building custom tooling to aggregate the information. There's no existing feature to programmatically collect and export this data to enable users to satisfy their internal or external auditing requirements.
Intended users
- Sidney (Systems Administrator)
- The management stakeholders who adhere to any auditing process. To be defined in a new Compliance Persona
Further details
A common evidence artifact for many audits is a documented chain of custody for changes that made it into production. Some organizations will also need this artifact for all environments or some combination of staging, production, test, etc.
Solution
- In the Compliance Dashboard, add a new button for Merge Commits Export
- This action should communicate that it will only download the most recent merge commits from the parent group, capped at 15 MB
- This should be a streaming download
The export should provide a CSV of all merge commits, up to the 15 MB file size limit.
Merge Commit | Author | Merge Request | Merged By | Pipeline | Group | Project | Approver(s)
---|---|---|---|---|---|---|---
SHA | Jeremy | !439858 | Matt | pipeline_id | My-Group | awesome-project | Daffy Duck
SHA | Jeremy | None | Jeremy | pipeline_id | My-Group | awesome-project | None
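The following is an added example of the streaming, size-capped export sketched above; it is not GitLab's own code. It is written in Ruby because GitLab is a Rails application. The column order follows the table in this issue, the 15 MB cap is assumed to mean 15 × 1024 × 1024 bytes, the sample rows are constructed, approvers are joined with "; " (an assumption), and the formula-injection guard for cells that begin with =, +, - or @ is a hardening step the issue does not mention but that any CSV destined for auditors' spreadsheets should have, since author, group and project names are user-controlled.

```ruby
require 'csv'

# Column order of the proposed export, taken from the issue's table.
MERGE_COMMIT_COLUMNS = [
  'Merge Commit', 'Author', 'Merge Request', 'Merged By',
  'Pipeline', 'Group', 'Project', 'Approver(s)'
].freeze

# The issue says "capped at 15 MB"; treating that as 15 * 2^20 bytes is an assumption.
DEFAULT_MAX_BYTES = 15 * 1024 * 1024

# Constructed sample records shaped like the issue's example rows (hypothetical data).
# The caller is expected to pass commits newest first, matching "most recent merge commits".
SAMPLE_MERGE_COMMITS = [
  { sha: 'a1b2c3d4', author: 'Jeremy', merge_request: '!439858', merged_by: 'Matt',
    pipeline_id: 1001, group: 'My-Group', project: 'awesome-project', approvers: ['Daffy Duck'] },
  { sha: 'e5f6a7b8', author: 'Jeremy', merge_request: nil, merged_by: 'Jeremy',
    pipeline_id: 1002, group: 'My-Group', project: 'awesome-project', approvers: [] }
].freeze

# Guard against spreadsheet formula injection: a cell beginning with =, +, - or @
# is evaluated as a formula when the CSV is opened in Excel or LibreOffice.
# Prefixing a single quote is the usual mitigation. This guard is an addition, not in the issue.
def csv_safe(value)
  text = value.to_s
  text.start_with?('=', '+', '-', '@') ? "'#{text}" : text
end

# Turn one merge commit record into a CSV row. Missing values render as "None",
# as in the issue's example; approvers are joined with "; " (assumption).
def merge_commit_row(commit)
  approvers = commit[:approvers].empty? ? 'None' : commit[:approvers].join('; ')
  [
    commit[:sha], commit[:author], commit[:merge_request] || 'None', commit[:merged_by],
    commit[:pipeline_id], commit[:group], commit[:project], approvers
  ].map { |cell| csv_safe(cell) }
end

# Lazily stream CSV chunks: the header, then one line per commit, stopping before the
# running byte count would exceed max_bytes so that no partial row is ever emitted.
# Returns an Enumerator, which a Rails controller can hand to a streaming response body.
def stream_merge_commit_csv(commits, max_bytes: DEFAULT_MAX_BYTES)
  Enumerator.new do |yielder|
    header = CSV.generate_line(MERGE_COMMIT_COLUMNS)
    yielder << header
    bytes_sent = header.bytesize
    commits.each do |commit|
      line = CSV.generate_line(merge_commit_row(commit))
      break if bytes_sent + line.bytesize > max_bytes
      yielder << line
      bytes_sent += line.bytesize
    end
  end
end

# Collect the stream into one string (handy for tests and small exports).
def export_merge_commit_csv(commits, max_bytes: DEFAULT_MAX_BYTES)
  stream_merge_commit_csv(commits, max_bytes: max_bytes).to_a.join
end

if __FILE__ == $PROGRAM_NAME
  puts export_merge_commit_csv(SAMPLE_MERGE_COMMITS)
end
```

Because the enumerator checks the cap before yielding each row, a consumer always receives a complete, parseable CSV: the header plus whole rows, never a truncated line, which matters when the file is the evidence artifact handed to an auditor.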
Open Figma
Permissions and Security
This would be accessible only to Group Owners and Admins.
Documentation
Availability & Testing
What does success look like, and how can we measure that?
- Number of times this report is exported