Regular DevSecOps sanity check and reporting
Release notes
Problem to solve
As a CTO/CISO, I want to make sure that teams follow best-practice processes, deploy frequently, and test and scan their builds and containers regularly.
Meta’s Push4Push program enforces regular deployments through tickets. Service owners get a ticket if their services have not been updated within a certain number of days (42 days for low-traffic services and 30 days for high-traffic services), and it escalates to managers at 63 days. In practice, Push4Push results in 96% of services deploying weekly or more frequently. (source)
Proposal
Create organization/group/project-level settings that require all the lower levels to run specific actions with a predefined cadence (e.g. deploy to a `deployment_tier: production` environment). If a project fails to do so, open an issue and assign it to the project owners and maintainers (or defined people). If that issue is still open when the next reporting round would create a new one, assign the new issue to the group owners (or defined people).
Possible actions to watch for:
- deployment job modifying an environment with `deployment_tier: production`
- CI runs
- security scan report generated
At the organization/group levels it would likely be necessary to define exceptions to minimize noise.
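To make the reporting round concrete, here is an added illustration of the check-and-escalate logic the proposal describes; it is not GitLab code, and the `Project`/`Finding` records, the 30-day cadence and the sample project data are constructed assumptions:

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed record of what the rule would read from each project: the last
# deployment to an environment with deployment_tier: production, and whether
# the issue opened in the previous reporting round is still open.
@dataclass
class Project:
    path: str
    last_production_deploy: Optional[date]
    open_cadence_issue: bool = False

@dataclass
class Finding:
    project: str
    days_since_deploy: Optional[int]  # None: the project never deployed to production
    assignees: str                    # who the newly opened issue is assigned to

def reporting_round(projects, today, cadence_days, exceptions=frozenset()):
    """One reporting round: flag every project that has not run the watched
    action within cadence_days. A project whose issue from the previous round
    is still open escalates to the group owners instead of the project owners."""
    findings = []
    for p in projects:
        if p.path in exceptions:  # group/org-level exception to reduce noise
            continue
        if p.last_production_deploy is None:
            age, stale = None, True
        else:
            age = (today - p.last_production_deploy).days
            stale = age > cadence_days
        if not stale:
            continue
        assignees = "group owners" if p.open_cadence_issue else "project owners+maintainers"
        findings.append(Finding(p.path, age, assignees))
    return findings

# Constructed sample data: a 30-day cadence evaluated on a fixed date.
TODAY = date(2024, 6, 1)
SAMPLE_PROJECTS = [
    Project("platform/api", TODAY - timedelta(days=5)),                                # within cadence
    Project("platform/billing", TODAY - timedelta(days=40)),                           # stale, first notice
    Project("platform/legacy", TODAY - timedelta(days=70), open_cadence_issue=True),   # escalates
    Project("platform/never-shipped", None),                                           # never deployed
    Project("platform/docs", TODAY - timedelta(days=90)),                              # stale but excepted
]

if __name__ == "__main__":
    for f in reporting_round(SAMPLE_PROJECTS, TODAY, 30, exceptions={"platform/docs"}):
        print(f"{f.project}: {f.days_since_deploy} days since production deploy -> assign to {f.assignees}")
```

Watching a different action (CI runs, scan reports) only changes which timestamp is read into `last_production_deploy`; the cadence and escalation logic stay the same.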
Intended users
Feature Usage Metrics
- projects with a configured rule
- issues generated by the solution
Does this feature require an audit event?
- yes; creating an audit event first, instead of an issue, might shrink the scope of the first iteration
This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.