Dogfood Security Approvals at GitLab
Problem to solve
With the pending completion of https://gitlab.com/gitlab-org/gitlab-ee/issues/9928 we will have Security Approvals built into GitLab. This provides a simple mechanism for requiring approval from a predefined security team if an MR introduces a severe vulnerability.
As part of using our own product we should use this internally. This issue proposes that we enable security approvals within company projects and discuss a rollout plan.
Intended users
gitlab-ce~9335216
Further details
Proposal
A couple of options, in ascending order of process complexity:
- Enable for the security-products/(sast|dast|dependency_scanning|container_scanning) projects
- Enable for all security-products/** projects
- Enable for gitlab-ce/gitlab-ee
- Enable for all gitlab-org projects
Permissions and Security
We need to determine who will be members of the Vulnerability-Check approval group.
Documentation
Depends on https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/30959
Testing
We should open a retrospective issue to discuss the impact after the process has been implemented.
What does success look like, and how can we measure that?
Fewer high, medium, critical, or unknown severity vulnerabilities are introduced into GitLab products.