Git Client Policy Based Configuration Via GitLab Policy Git Hook

Release notes

There are many pre-commit and/or pre-push challenges that crop up for Git repositories. One of the most challenging is secrets scanning, but there are others as well.

GitLab introduces Git Client Policy Based Management.

This one local git hook allows many different policies to be pushed to git clients by source repositories.

Configuring gitleaks is the first policy offered with this new agent, to handle pre-commit and pre-push secrets detection.

Problem to solve

Managed git client configuration for pre-commit and pre-push operations.

IMPORTANT: also to tap into distributed compute for intensive operations like scanning all source code or diffs. Imagine the amount of shared compute required just for secrets scanning, and yet that same compute is zero burden on a developer's workstation.

Proposal

MVC 1

  1. Define a single standard githook as the root for all GitLab policies.
    1. True MVC adherence: do NOT create new DSLs and a processing engine in golang or anything else, but reuse popular multi-platform options. For example, AWS's venerable CDK for multi-language IaC uses a bundled NodeJS runtime to translate the many supported languages into native AWS IaC. Maybe there is a generic TypeScript engine across platforms.
  2. Allow policy files to be stored in a repo's ".gitlab" directory.
  3. Maybe allow company-wide policies in gitaly.
  4. Enhance push rules to reject commits from clients that don't attest that they have the policy agent running and it is healthy (a header that attests this?).
  5. If the client needs an OS-agnostic scripting engine, ensure the isolated, secured installation of such runtimes happens along with the "GitLab Git Policy Configuration Engine" installer.
  6. Provide sensible and specific policy violation errors back to the git client.
  7. Day 1, provide a gitleaks configuration. Perhaps the installer target is a GitLab repository so that it can be version locked to a known good.
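As an added illustration, not code from this proposal, from GitLab or from gitleaks: a minimal pre-commit policy hook in Python that reads a policy file from the repo's ".gitlab" directory (the file name ".gitlab/secrets-policy.json" and its JSON layout are assumptions of this example), scans only the added lines of the staged diff, and reports specific, line-addressed violations back to the developer, as items 2 and 6 ask for. The regex rules and the sample diff are constructed stand-ins; a real deployment would delegate the scanning itself to gitleaks.

```python
"""Illustrative pre-commit policy hook (example code, not a GitLab component).

Assumptions: the policy lives at .gitlab/secrets-policy.json in the repo root and
has the shape {"rules": [{"id", "description", "regex"}, ...]}. Both the path and
the schema are invented for this example.
"""
import json
import re
import subprocess
import sys
from dataclasses import dataclass
from pathlib import Path

# Constructed fallback policy used when the repo ships no policy file.
DEFAULT_POLICY = {
    "rules": [
        {"id": "aws-access-key-id", "description": "AWS access key ID",
         "regex": r"\bAKIA[0-9A-Z]{16}\b"},
        {"id": "private-key-block", "description": "PEM private key header",
         "regex": r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"},
        {"id": "generic-api-key", "description": "api_key/secret assigned a long literal",
         "regex": r"(?i)\b(?:api[_-]?key|secret)\s*[:=]\s*[\'\"][A-Za-z0-9_\-]{16,}[\'\"]"},
    ]
}

# Constructed sample of `git diff --cached` output; the AKIA value is the
# documented AWS example key id, not a real credential.
SAMPLE_DIFF = """diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,2 +1,3 @@
 DEBUG = True
+API_KEY = "abcdefghijklmnopqrstuvwx"
 TIMEOUT = 30
diff --git a/deploy.sh b/deploy.sh
--- a/deploy.sh
+++ b/deploy.sh
@@ -3,0 +4,2 @@
+# constructed: AWS documentation example key id
+export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
"""


@dataclass(frozen=True)
class Violation:
    rule_id: str
    description: str
    path: str
    line: int  # line number in the new (post-commit) version of the file


def load_policy(repo_root: Path) -> dict:
    """Read the repo-local policy file (assumed path) or fall back to DEFAULT_POLICY."""
    policy_file = repo_root / ".gitlab" / "secrets-policy.json"
    if policy_file.exists():
        return json.loads(policy_file.read_text())
    return DEFAULT_POLICY


def scan_diff(diff_text: str, policy: dict) -> list:
    """Apply every policy rule to the added ('+') lines of a unified diff.

    Only added lines are checked, so pre-existing content never blocks a commit;
    the hunk header is used to recover the new-file line number for the report.
    """
    rules = [(r["id"], r["description"], re.compile(r["regex"])) for r in policy["rules"]]
    violations = []
    path = "?"
    new_line = 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):               # new-file header, e.g. "+++ b/config.py"
            path = raw[4:]
            path = path[2:] if path.startswith("b/") else path
        elif raw.startswith("@@"):               # hunk header "@@ -a,b +c,d @@"
            m = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", raw)
            new_line = int(m.group(1)) if m else 0
        elif raw.startswith("+"):                # added line: the only thing we scan
            content = raw[1:]
            for rule_id, desc, rx in rules:
                if rx.search(content):
                    violations.append(Violation(rule_id, desc, path, new_line))
            new_line += 1
        elif raw.startswith("-") or raw.startswith("\\"):
            continue                              # removed line or "\ No newline" marker
        else:
            new_line += 1                         # context line (or file-level metadata)
    return violations


def format_report(violations: list) -> str:
    """Build the specific, actionable message the hook prints on rejection."""
    lines = ["Policy violation: commit rejected by the secrets policy"]
    for v in violations:
        lines.append(f"  {v.path}:{v.line}: [{v.rule_id}] {v.description}")
    lines.append("Remove the value from the change and, if it was ever a live credential, rotate it.")
    return "\n".join(lines)


def main() -> int:
    """Entry point when installed as .git/hooks/pre-commit: non-zero exit blocks the commit."""
    diff = subprocess.run(
        ["git", "diff", "--cached", "--unified=0", "--no-color"],
        capture_output=True, text=True, check=True,
    ).stdout
    violations = scan_diff(diff, load_policy(Path.cwd()))
    if violations:
        print(format_report(violations), file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Running `scan_diff(SAMPLE_DIFF, DEFAULT_POLICY)` flags `config.py:2` under `generic-api-key` and `deploy.sh:5` under `aws-access-key-id`; installed as `.git/hooks/pre-commit`, the same logic runs against the real staged diff and a non-zero exit stops the commit. Scanning only the added lines of the staged diff keeps the per-commit cost small on the developer's workstation; the full-history scan the proposal mentions is the part that belongs on shared compute.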

MVC 2

  1. Search existing issues for other use cases that could be adequately handled this way.

MVC 3

  1. See if online editing environments can be accommodated with the same model. Perhaps choose a scripting runtime for policies that is compatible with gitpod, the Web IDE and other compute models so that policies can be universal.

Intended users

Feature Usage Metrics

Does this feature require an audit event?

This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.