Verify if lock file matches dependencies declared

Release notes

Problem to solve

Check whether the lock file differs from the declared dependencies, alert on that (where?), and in future allow merge request approval to be gated on it.

A lock file that does not match the declared dependencies is a potential abuse vector at worst, and could lead to inconsistent builds at the least.

User experience goal

If users have dependency scanning enabled, they are alerted to such mismatches and can act on them.

Proposal

MVC

https://gitlab.com/dappelt/untamper-my-lockfile/

Note: this only works for yarn.

How long does this check take? If it takes a long time, it should be possible to disable it.
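The kind of consistency check the proposal describes, as an added example (not the untamper-my-lockfile project's code and not part of this issue): it parses a yarn v1 lockfile and a package.json, and reports declared dependencies with no lockfile entry, locked versions outside the declared range, resolved URLs from hosts outside an assumed allow-list, and entries missing an integrity hash. The package.json, yarn.lock, and TRUSTED_REGISTRIES values are constructed for illustration; the semver matcher only covers exact, caret, tilde and `*` ranges.

```python
"""Lockfile consistency check (added example): compare a yarn v1 lockfile
against the dependencies declared in package.json and report mismatches
that a tampered or stale lockfile would produce."""
import json
from urllib.parse import urlparse

# Constructed sample inputs (not from any real project).
PACKAGE_JSON = json.dumps({
    "dependencies": {"lodash": "^4.17.21", "left-pad": "~1.3.0"},
    "devDependencies": {"jest": "29.7.0"},
})

YARN_LOCK = """\
# yarn lockfile v1

lodash@^4.17.21:
  version "4.17.21"
  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.21.tgz#679591c5"
  integrity sha512-constructedvalue1

left-pad@~1.3.0:
  version "1.3.0"
  resolved "https://unknown-mirror.example/left-pad/-/left-pad-1.3.0.tgz#abc"
  integrity sha512-constructedvalue2

jest@29.7.0:
  version "29.8.0"
  resolved "https://registry.yarnpkg.com/jest/-/jest-29.8.0.tgz#def"
"""

# Assumption: hosts a project is willing to fetch tarballs from.
TRUSTED_REGISTRIES = {"registry.yarnpkg.com", "registry.npmjs.org"}


def parse_yarn_lock(text):
    """Parse the yarn v1 format: a `name@range:` header (possibly several,
    comma-separated and optionally quoted) followed by indented `key "value"` lines."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if not line.startswith(" ") and line.rstrip().endswith(":"):
            keys = [k.strip().strip('"') for k in line.rstrip()[:-1].split(",")]
            current = {}
            for key in keys:
                entries[key] = current
        elif current is not None:
            key, _, value = line.strip().partition(" ")
            current[key] = value.strip('"')
    return entries


def _parse_version(version):
    # Drop any prerelease suffix so "1.0.0-beta" still compares numerically.
    return tuple(int(part) for part in version.split("-")[0].split("."))


def satisfies(version, range_spec):
    """Minimal semver: exact, ^ (same major; ^0.y pins minor too), ~ (same major.minor), or *."""
    if range_spec == "*":
        return True
    op = range_spec[0] if range_spec[0] in "^~" else ""
    base = _parse_version(range_spec.lstrip("^~"))
    actual = _parse_version(version)
    if actual < base:
        return False
    if op == "^":
        return actual[:2] == base[:2] if base[0] == 0 else actual[0] == base[0]
    if op == "~":
        return actual[:2] == base[:2]
    return actual == base


def check_lockfile(package_json_text, lock_text):
    """Return a list of human-readable findings; an empty list means consistent."""
    pkg = json.loads(package_json_text)
    declared = {}
    for section in ("dependencies", "devDependencies"):
        declared.update(pkg.get(section, {}))
    lock = parse_yarn_lock(lock_text)
    findings = []
    for name, rng in sorted(declared.items()):
        entry = lock.get(f"{name}@{rng}")
        if entry is None:
            findings.append(f"{name}: declared {rng} but no lockfile entry")
            continue
        version = entry.get("version", "")
        if not satisfies(version, rng):
            findings.append(f"{name}: locked {version} does not satisfy {rng}")
        host = urlparse(entry.get("resolved", "")).hostname
        if host not in TRUSTED_REGISTRIES:
            findings.append(f"{name}: resolved from untrusted host {host}")
        if "integrity" not in entry:
            findings.append(f"{name}: lockfile entry has no integrity hash")
    return findings


if __name__ == "__main__":
    for finding in check_lockfile(PACKAGE_JSON, YARN_LOCK):
        print("FINDING:", finding)
```

Run as a script it prints one line per finding for the constructed inputs (a version outside the declared range, a missing integrity hash, and a tarball resolved from a host outside the allow-list); in a pipeline the same function would run against the merge request's package.json and yarn.lock and fail the job, or feed the result to the approval rule the proposal mentions.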

Further details

Permissions and Security

Documentation

Availability & Testing

Available Tier

What does success look like, and how can we measure that?

What is the type of buyer?

Is this a cross-stage feature?

Links / references

https://gitlab.com/gitlab-com/gl-security/security-operations/sirt/operations/-/issues/1266#note_487629312

Edited by Nicole Schwartz