Centralized Security Configuration Management and Auditability

Problem to solve

Currently the only way to know whether GitLab secure capabilities (SAST, DAST, Container Scanning, etc.) have been configured/enabled is via the configuration panel within the UI for each project/repo (-/security/configuration). This makes it extremely difficult to identify, manage and ensure that projects are meeting compliance standards across an organization with many (>=100) projects/repos, as one needs to open each project to identify what has been configured and hope that it wasn't accidentally or otherwise unconfigured. An additional challenge is that one cannot enforce compliant security scanning across all projects, as the functionality is opt-in and it is challenging to enforce opt-out behavior with the options currently available (Required Pipeline Configuration).

Intended users

User experience goal

Users have the ability to centrally manage and identify security configurations across all projects or a group of projects.

Proposal

Further details

The goal would be to enforce and ensure security scanning capabilities across all projects in a way that does not affect existing project configurations, and to provide a centralized way, via an API or the UI, to query and view which projects do or do not have security configuration enabled.

Links / references

cc: @mattgonzales @ggraves1 @jfullam

Edited by Jefferson Jones