Feature proposal: Reject commits with specific content
Context
Because of the private nature of security vulnerabilities, security fixes need to be developed in a private repository with limited access. For GitLab, security fixes are prepared and merged in the GitLab Security repository; once the security release is ready to be published, the security fixes are pushed to the GitLab Canonical repository, which makes them visible to all users.
Problem to solve
Because the security release is performed during a monthly release, regular and security fixes are prepared at the same time. This has led to some security fixes accidentally being pushed to the Canonical repository, leaking the vulnerabilities to the public before the security release is out (see the most recent associated production incident).
As a consequence of the vulnerabilities being exposed, Release Managers and AppSec engineers have to expedite the security release. Rushing out a security release has undesirable side effects on release activities, ranging from security fixes missing the security release to the general release schedule being affected.
There are some checks in place that aim to prevent these situations:
- The GitLab canonical repository rejects branches prefixed with `security-*`.
- A Git `pre-push` hook prevents pushing to any remote besides the GitLab security repositories.
Although helpful, these checks are manual; for completeness, it would be better to have an automated, server-side check that rejects security commits until they are ready to be published.
Proposal
Gain control over the content pushed to a repository by extending the Push rules feature to allow rejecting commits based on their content.
Use case example: GitLab security releases
During the security release, a file-content push rule could be enabled on the GitLab canonical repository to reject commits that contain `changelog: security` in their changes.
For context, a Changelog entry is a requirement for security merge requests.
This push rule should stay enabled until the security release is ready to be published, and be disabled as one of the last steps of the release.
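One way to implement the proposed rule, as an added example for this proposal and not GitLab's own push-rule code: a server-side `pre-receive` hook in Python that scans every commit in a push for added lines matching a pattern (by default the `changelog: security` marker from the use case above) and rejects the push with a message the pusher can see. The hook's file name, the `REJECT_CONTENT_PATTERN` environment variable used to override the pattern, and the sample diff are assumptions; only the diff-parsing part runs without a Git repository.

```python
"""Prototype of the proposed content-based push rule as a pre-receive hook.

Added example for this proposal, not GitLab's push-rule implementation: it
rejects a push if any commit in it *adds* a line matching a pattern (default:
the ``changelog: security`` marker from the use case).  The hook name, the
REJECT_CONTENT_PATTERN variable and the sample diff are assumptions.
"""
import os
import re
import subprocess
import sys

# Pattern for the use case in the proposal; leading whitespace and case are
# ignored so a YAML entry such as "  Changelog: Security" is still caught.
DEFAULT_PATTERN = r"^\s*changelog:\s*security\b"
ZERO_SHA = "0" * 40  # git's placeholder for "no object" on branch create/delete


def added_lines(diff_text):
    """Yield (path, text) for each line a unified diff adds.

    Only '+' content lines count, so a commit that merely removes or rewrites
    a matching line is not flagged.  The '+++ b/path' header is recognised only
    right after a 'diff --git' line, so file content that happens to start
    with '+++' cannot be mistaken for a header.
    """
    path = None
    expect_header = False
    for line in diff_text.splitlines():
        if line.startswith("diff --git "):
            path, expect_header = None, True
        elif expect_header and line.startswith("+++ "):
            path = line[4:]
            path = path[2:] if path.startswith("b/") else path
            expect_header = False
        elif not expect_header and path is not None and line.startswith("+"):
            yield path, line[1:]


def find_violations(diff_text, pattern=DEFAULT_PATTERN):
    """Return [(path, line)] for every added line matching pattern."""
    regex = re.compile(pattern, re.IGNORECASE)
    return [(p, t) for p, t in added_lines(diff_text) if regex.search(t)]


def commits_in_push(old_sha, new_sha):
    """SHAs a ref update introduces, oldest first (runs git; not exercised offline).

    For a newly created branch every commit not already reachable from an
    existing ref is checked; a branch deletion introduces nothing.
    """
    if new_sha == ZERO_SHA:
        return []
    rev_args = [new_sha, "--not", "--all"] if old_sha == ZERO_SHA else [f"{old_sha}..{new_sha}"]
    out = subprocess.run(["git", "rev-list", "--reverse", *rev_args],
                         check=True, capture_output=True, text=True).stdout
    return out.split()


def commit_diff(sha):
    """Patch of a single commit with no context lines, as unified diff text."""
    return subprocess.run(["git", "show", "--format=", "--no-color", "--unified=0", sha],
                          check=True, capture_output=True, text=True).stdout


def main():
    """pre-receive entry point: reads 'old new ref' lines on stdin, exits 1 to reject."""
    pattern = os.environ.get("REJECT_CONTENT_PATTERN", DEFAULT_PATTERN)
    rejected = False
    for update in sys.stdin:
        old_sha, new_sha, ref = update.split()
        for sha in commits_in_push(old_sha, new_sha):
            for path, text in find_violations(commit_diff(sha), pattern):
                # The GL-HOOK-ERR: prefix makes GitLab show the line to the pushing user.
                print(f"GL-HOOK-ERR: {ref} commit {sha[:12]} adds '{text.strip()}' in {path}; "
                      "this content may not be pushed until the security release is published",
                      file=sys.stderr)
                rejected = True
    sys.exit(1 if rejected else 0)


# Constructed sample diff (not taken from the GitLab repository): one security
# changelog entry is added, and one pre-existing matching line is removed.
SAMPLE_DIFF = """\
diff --git a/lib/gitlab/auth.rb b/lib/gitlab/auth.rb
--- a/lib/gitlab/auth.rb
+++ b/lib/gitlab/auth.rb
@@ -20 +20 @@
-    token.eql?(expected)
+    ActiveSupport::SecurityUtils.secure_compare(token, expected)
diff --git a/changelogs/unreleased/fix-token-compare.yml b/changelogs/unreleased/fix-token-compare.yml
new file mode 100644
--- /dev/null
+++ b/changelogs/unreleased/fix-token-compare.yml
@@ -0,0 +1,2 @@
+title: Use constant-time token comparison
+changelog: security
diff --git a/doc/release.md b/doc/release.md
--- a/doc/release.md
+++ b/doc/release.md
@@ -5 +5 @@
-Changelog: security entries are merged last.
+Security changelog entries are merged last.
"""

if __name__ == "__main__":
    main()
```

Run against the constructed diff, `find_violations(SAMPLE_DIFF)` reports only the new changelog entry; the removed `Changelog: security` line in `doc/release.md` is not flagged, so the rule does not block the cleanup that happens when the release is published. Matching on added lines of every commit in the push (rather than only the tip) also catches a security commit buried under later commits on the same branch. The hook is meant to be switched on for the duration of the security release and off as its final step, matching the procedure described above.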