Optionally generate a tamper-proof chain of custody CSV report

Problem to solve

Many organizations rely on a "data classification policy", or similar, as part of their Information Security program. An element of this policy defines the types of data that should be classified as public, internal use, confidential, etc. In situations where this policy extends to evidence artifacts pulled from GitLab, such as a chain of custody export, it may be necessary to provide capabilities to encrypt or otherwise safeguard these artifacts against tampering, misuse, or unauthorized access and dissemination.

Currently, there is no way to achieve this for GitLab exportable CSV documents.

Intended users

Further details

Proposal

Provide an optional mechanism to encrypt or otherwise protect and audit the CSV exports. This implementation likely has two components:

  • Encrypt or SHA-sign the CSV export (is one more feasible than the other?)
  • Create an entry in the Audit Events table: "User exported chain of custody report with SHA hash on date/time"
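As an added illustration (not GitLab code, and not part of this issue), one way the two components could fit together: a SHA-256 digest of the export is recorded in an audit event, and a keyed HMAC over the same bytes travels with the file, so a later check can tell a modified export from the original. The signing key, the sample row format and the audit-entry field names are assumptions.

```python
import csv
import hashlib
import hmac
import io
from datetime import datetime, timezone

# Assumed server-held secret; a real deployment would load it from the
# application's secret store rather than a literal in the code.
SIGNING_KEY = b"example-signing-key-do-not-use-in-production"

# Constructed sample rows standing in for a chain of custody export.
SAMPLE_ROWS = [
    {"merge_request": "!101", "approver": "alice", "status": "approved", "at": "2021-03-01T10:00:00Z"},
    {"merge_request": "!102", "approver": "bob", "status": "approved", "at": "2021-03-02T11:30:00Z"},
]

def render_csv(rows):
    """Serialise dict rows to CSV bytes; the bytes are what gets hashed and signed."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()), lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue().encode("utf-8")

def sign_export(csv_bytes, key=SIGNING_KEY):
    """Return (sha256 hex digest, HMAC-SHA256 hex tag) for the export bytes."""
    digest = hashlib.sha256(csv_bytes).hexdigest()
    tag = hmac.new(key, csv_bytes, hashlib.sha256).hexdigest()
    return digest, tag

def audit_event(user, digest, when=None):
    """Build the audit entry proposed above: who exported, which digest, when."""
    when = when or datetime.now(timezone.utc)
    return {"event": "chain_of_custody_exported", "user": user,
            "sha256": digest, "at": when.isoformat()}

def verify_export(csv_bytes, audit_entry, tag, key=SIGNING_KEY):
    """True only if the bytes match the audited digest and the HMAC still holds."""
    digest, expected_tag = sign_export(csv_bytes, key)
    return (hmac.compare_digest(digest, audit_entry["sha256"])
            and hmac.compare_digest(tag, expected_tag))
```

Because the digest lives in the audit log and the HMAC key stays on the server, an edited file fails verification even if the attacker also rewrites the digest stored alongside it.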

Permissions and Security

Only admins and group owners should be able to access this feature.

Documentation

Availability & Testing

What does success look like, and how can we measure that?

What is the type of buyer?

Is this a cross-stage feature?

Links / references

Edited by Matt Gonzales (ex-GitLab)