Discovery: Add webhooks for additional audit events
Current Status
This has moved to this new epic - &5925 (closed). Please check out the epic!
Problem to Solve
The audit events API was recently extended to .com to support Group-level reporting. This polling approach does not satisfy the event-based/webhook use cases employed by customers with services built outside of GitLab.
Older issue description
Target Audience
Internal Audit, Group Owner
Further Details
Audit Events is a focus for group::compliance. The feature should be both comprehensive and easy to use. Adding webhook support for additional audit events (based on customer feedback) maintains feature parity across the Audit Events API, UI, and webhook experiences.
Proposal
- Add a "control panel" in the Audit Events view
- Select the specific events you'd like to be notified about, e.g. project imports
- Provide an email address to receive the notifications (MVC)
- Provide a mechanism to accept an API endpoint (second iteration/evolution)
- Consider building in a Kafka-compatible way
Use Cases
Customers rely on audit events via webhooks for the following use cases:
From Customer (internal link):
When a new project is created or deleted so they can automate set up configuration and clean up tasks
Having a webhook to facilitate automated paving of project/sub-group settings to org defaults would really help them remove friction for onboarding teams.
As a SaaS tenant who does not want to use GitLab's shared runners for security reasons, one of the potential applications of this webhook was previously identified above, but there are many good use cases beyond that
Customer 2 (internal link):
Currently, we have a process that periodically checks if there was any tampering with the project level settings. We are doing this by calling all the APIs we are interested in.
... it would be amazing if we could be more proactive against changes that happen at the project level.
... it will be nice if project level settings could be integrated with the system hooks. For example, when any project setting has changed an event should be triggered to which we can react. This will allow us in real time to fix any issues we deem as a breach of our compliance rules.
We are interested in all the checks included in the following sections.
- Settings / General / Merge Requests / *
- Settings / General / Merge Requests Approvals / *
- Settings / Repository / Push Rules / *
- Settings / Repository / Protected Branches / *
- Settings / Repository / Protected Tags / *
Everything else will be nice to have. But all our compliance controls map to checks under the above sections
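The periodic tamper check Customer 2 describes could look like the following added example (not code from this issue or from GitLab): it compares a snapshot of one project's settings against a compliance baseline for the sections listed above and reports every deviation. The snapshot layout, the baseline values and the name `find_drift` are assumptions; the setting keys mirror fields returned by GitLab's REST API for projects, approvals, push rules and protected branches, and protected tags are left out to keep it short.

```python
# Added example, not GitLab code. The snapshot layout (one dict per settings
# section) and the BASELINE values are assumptions made for illustration.
BASELINE = {
    "merge_requests": {"only_allow_merge_if_pipeline_succeeds": True,
                       "only_allow_merge_if_all_discussions_are_resolved": True},
    "approvals": {"merge_requests_author_approval": False,
                  "reset_approvals_on_push": True},
    "push_rules": {"prevent_secrets": True, "reject_unsigned_commits": True},
}
REQUIRED_PROTECTED_BRANCHES = ("main",)
MAINTAINER = 40  # GitLab role access level; 0 means "no one"

def find_drift(snapshot):
    """Return (section, setting, expected, actual) for every baseline violation."""
    drift = []
    for section, expected in BASELINE.items():
        actual = snapshot.get(section) or {}
        for key, want in expected.items():
            got = actual.get(key)  # missing section or key fails closed
            if got != want:
                drift.append((section, key, want, got))
    protected = {b["name"]: b for b in snapshot.get("protected_branches", [])}
    for name in REQUIRED_PROTECTED_BRANCHES:
        branch = protected.get(name)
        if branch is None:  # protection removed entirely
            drift.append(("protected_branches", name, "protected", None))
            continue
        if branch.get("allow_force_push"):
            drift.append(("protected_branches", name + ".allow_force_push", False, True))
        # Role-based entries only; per-user and per-group grants are not evaluated here.
        levels = [l.get("access_level") or 0 for l in branch.get("push_access_levels", [])]
        too_open = sorted(v for v in levels if 0 < v < MAINTAINER)
        if too_open:
            drift.append(("protected_branches", name + ".push_access_levels",
                          MAINTAINER, too_open))
    return drift

# Constructed snapshot of one project after three settings were weakened.
SAMPLE_SNAPSHOT = {
    "merge_requests": {"only_allow_merge_if_pipeline_succeeds": True,
                       "only_allow_merge_if_all_discussions_are_resolved": True},
    "approvals": {"merge_requests_author_approval": True, "reset_approvals_on_push": True},
    "push_rules": {"reject_unsigned_commits": True},  # prevent_secrets dropped
    "protected_branches": [{"name": "main", "allow_force_push": True,
                            "push_access_levels": [{"access_level": 40}]}],
}

if __name__ == "__main__":
    print(*find_drift(SAMPLE_SNAPSHOT), sep="\n")
```

With polling, this runs over every project on a schedule; with an event-driven hook, the same comparison would only need to run for the project whose settings changed.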
Original proposal
Add webhook support for additional Audit Events:
- Project imports
userA creates ProjectA in groupA - groupA has a previously set up webhook to deliver audit events (project creation included) to a webhook endpoint (Kafka queue) - we have a Kafka queue consumer that picks up the event and sets default settings/permissions/etc.