PCI adherence checks


Release notes

Problem to solve

For PCI DSS compliance, several requirements are relevant to compliance adherence checks in GitLab. Possible requirements/checks include:

  1. Ensure that users who are able to contribute code have completed secure development training certifications.
  2. Require multiple approvers on merge requests.
  3. Develop and maintain secure systems and applications -- this could pertain to the existing checks we are creating for ensuring security scans are enabled, or could also enforce vulnerability management workflows.
  4. Understand/control which users can access SSH and web logs for a project.

As another input, PCI DSS v3 is being retired soon. PCI DSS v4 brings source code management (SCM) into scope and will have a larger impact on GitLab users.

A few references:

Intended users

User experience goal

Proposal

Further details

Permissions and Security

Documentation

Availability & Testing

Available Tier

Feature Usage Metrics

What does success look like, and how can we measure that?

What is the type of buyer?

Is this a cross-stage feature?

What is the competitive advantage or differentiation for this feature?

Links / references

This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.
