Allow group owners to define compliance pipeline templates at the group level

Problem to solve

Regulated customers create organizational policies that govern how they operate. These policies exist to manage risk for their organization and maintain compliance with a legal or regulatory framework. The policies they define must be able to translate into an application like GitLab to satisfy their internal security and compliance teams. Within GitLab, this manifests most within CI/CD pipelines.

Currently, regulated customers have no way to define the compliance requirements for their pipelines (scans, tests, or other jobs that must run) at the group level, so that every project consumes them but can still extend them to give developers the flexibility to work.

Intended users

Further details

From speaking with a wide variety of customers, there are a multitude of nuances to this specific pain point. These are the factors we should consider for iterations on this solution, however it manifests:

  • Information Security teams are driving the "hard-line" on requirements and there's no negotiation
  • Customers want Developers to have flexibility to extend a default compliance pipeline template
  • The templates should be easily consumable by Developers
  • Jobs identified as "required" should block a merge if they fail
  • Customers are supportive of an "override" mechanism, provided specific approvers greenlight it and it's documented for evidence

Proposal

This is a broad proposal intended to be broken up into multiple, smaller issues and stored in this to-be-promoted epic.

Provide a group-level pipeline template repository to store compliance pipeline templates that can be consumed by Developers when creating new projects.

The group-level template should be included in each project created, but should allow the developer to extend its functionality (potentially using a custom CI config path).

The MR should surface a specific signal about the compliance pipeline template to enable approvers at the MR to provide a final .

There should be an override mechanism built-in for scenarios where the change cannot afford to spend the time waiting on compliance checks that are baked into the compliance pipeline template.
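As an added illustration (not part of this issue or of any GitLab implementation), the following shows how the proposal above maps onto existing GitLab CI syntax: a template kept in a group-level repository, a consuming project that includes and extends it, required jobs that must pass, and a crude override switch. The repository path `my-group/compliance-templates`, the file path `templates/compliance.gitlab-ci.yml`, the job names and the variable `COMPLIANCE_OVERRIDE` are all hypothetical; the scanner commands are placeholders.

```yaml
# --- File in the group-level template repository (hypothetical):
#     my-group/compliance-templates : templates/compliance.gitlab-ci.yml
# Owned by the group's security/compliance maintainers.

stages:
  - compliance
  - build
  - test

# Jobs the issue calls "required": they must pass before a merge proceeds.
# allow_failure: false is the default; it is stated explicitly so nobody
# silently relaxes it in a consuming project.
compliance:dependency-scan:
  stage: compliance
  image: alpine:3.19
  script:
    - echo "running required dependency scan"   # placeholder for the real scanner
  allow_failure: false
  rules:
    # Hypothetical override: a protected CI/CD variable that only maintainers
    # can set on protected branches, so a feature branch cannot skip the job.
    - if: '$COMPLIANCE_OVERRIDE == "true"'
      when: never
    - when: on_success

compliance:license-check:
  stage: compliance
  image: alpine:3.19
  script:
    - echo "running required license check"     # placeholder for the real check
  allow_failure: false
  rules:
    - if: '$COMPLIANCE_OVERRIDE == "true"'
      when: never
    - when: on_success

# --- File in a consuming project: .gitlab-ci.yml
# Pulls in the group template, then extends it with project-specific jobs
# that run after the compliance stage.
include:
  - project: 'my-group/compliance-templates'
    ref: main
    file: '/templates/compliance.gitlab-ci.yml'

build:
  stage: build
  image: alpine:3.19
  script:
    - echo "project-specific build"

unit-tests:
  stage: test
  image: alpine:3.19
  script:
    - echo "project-specific tests"
  needs: ["build"]
```

Two caveats a reviewer would check: the required jobs only block a merge if the project's merge request setting "Pipelines must succeed" is enabled, and the variable-based override above records no approval or evidence, which is exactly the gap the override mechanism in this proposal is meant to close.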

Permissions and Security

  • Group Owners should be able to create this template repository.
  • Only members of the repository group should be able to modify the templates.

Documentation

Availability & Testing

What does success look like, and how can we measure that?

What is the type of buyer?

Is this a cross-stage feature?

Yes. This will require effort from ~"devops::manage" ~"devops::verify" ~"devops::release"

Links / references

Edited by Matt Gonzales (ex-GitLab)