Design: Dependency firewall


Release notes

Problem to solve

Rather than relying on a single, holistic security solution, users layer different solutions to improve their security posture and manage threats more effectively.

While Package Hunter helps users analyze and identify existing malicious packages in their repository, there is no workflow that lets users proactively set a rule to catch a new potential threat as it makes its way into their registry.

Intended users

User experience goal

Users should be able to proactively identify threats rather than reactively dealing with them.

Proposal

Allow users to set policies for their repositories that check each new incoming package against a set of conditions and, if the package is found malicious, quarantine it.

Based on a team's risk appetite, they should be able to configure the requirements to best suit their security posture.

Defining a policy

As outlined by @trizzi in &5133 👇

A policy can do two things: warn and fail. For the MVC, I propose focusing on the warning. A user can set up a dependency proxy policy that will warn them when certain conditions are met.

  • The warnings can be limited to the log files for the MVC.

For the MVC, the rule can be:

  1. When Security scan
  2. Select Scanners (dependency or container scanning)
  3. With No exceptions that finds Any vulnerabilities matching
  4. Critical severity

For the MVC, the action will be:

  1. Add a warning to the pipeline logs

Beyond the MVC we can add:

  1. Support for vulnerabilities of other severity levels.
  2. Add a warning to the package registry UI list view
  3. Rules to quarantine packages when rules are met.
  4. The ability to CRUD the quarantine.
  5. Consider adding a new type of warning to the security vulnerability report

Notifying users

  1. If a job is attempting to pull a quarantined package, present error in logs
  2. Notify maintainers if a package that is being published is quarantined

Managing quarantined policies

  1. Show quarantined dependencies at project level
  2. Present a report on why a dependency is quarantined
  3. Allow users to override the quarantine
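The policy flow described above (the MVC rule that matches scanner findings and writes a warning to the pipeline log, and the later quarantine with an error on pull, a project-level report and a maintainer override) as an added worked example in Python. This is illustration code written for this page, not GitLab's implementation: the `Policy`, `Finding` and `Registry` types, the function names and the package names and vulnerability ids are assumptions constructed here.

```python
"""Toy model of the dependency-firewall policy described in this issue.

Added example, not GitLab code. The data model and function names are
assumptions made for illustration; all package names, vulnerability ids
and severities below are constructed sample data.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Severity(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


@dataclass(frozen=True)
class Finding:
    package: str        # "name@version" as the scanner reported it
    scanner: str        # "dependency_scanning" or "container_scanning"
    vuln_id: str        # constructed placeholder id, not a real advisory
    severity: Severity


@dataclass
class Policy:
    scanners: frozenset            # which scanners the rule listens to
    min_severity: Severity         # MVC: Critical only
    action: str = "warn"           # MVC: "warn"; beyond the MVC: "quarantine"
    exceptions: frozenset = frozenset()  # vuln ids the team chose to tolerate


@dataclass
class Registry:
    quarantined: dict = field(default_factory=dict)  # package -> [Finding]
    pipeline_log: list = field(default_factory=list)


class QuarantinedPackageError(Exception):
    """Raised when a job tries to pull a quarantined package."""


def matching_findings(policy, findings):
    """Findings from a selected scanner, at or above the threshold, not excepted."""
    return [f for f in findings
            if f.scanner in policy.scanners
            and f.severity >= policy.min_severity
            and f.vuln_id not in policy.exceptions]


def on_publish(registry, policy, package, findings):
    """Evaluate an incoming package. Returns 'accepted', 'warned' or 'quarantined'."""
    hits = matching_findings(policy, [f for f in findings if f.package == package])
    if not hits:
        return "accepted"
    summary = ", ".join(f"{f.vuln_id} ({f.severity.name})" for f in hits)
    if policy.action == "quarantine":
        registry.quarantined[package] = hits
        registry.pipeline_log.append(f"WARNING: {package} quarantined: {summary}")
        return "quarantined"
    registry.pipeline_log.append(f"WARNING: {package} matched policy: {summary}")
    return "warned"


def on_pull(registry, package):
    """A job pulling a quarantined package gets an error in its logs instead."""
    if package in registry.quarantined:
        reasons = "; ".join(f.vuln_id for f in registry.quarantined[package])
        raise QuarantinedPackageError(f"{package} is quarantined: {reasons}")
    return package


def quarantine_report(registry):
    """Project-level view of what is quarantined and why."""
    return {pkg: [(f.vuln_id, f.severity.name) for f in hits]
            for pkg, hits in registry.quarantined.items()}


def override_quarantine(registry, package):
    """Maintainer override: release the package. Returns True if it was held."""
    return registry.quarantined.pop(package, None) is not None


# Constructed sample scanner output (not real advisories).
SAMPLE_FINDINGS = [
    Finding("libfoo@1.2.3", "dependency_scanning", "EXAMPLE-0001", Severity.CRITICAL),
    Finding("libfoo@1.2.3", "dependency_scanning", "EXAMPLE-0002", Severity.LOW),
    Finding("libbar@0.9.0", "container_scanning", "EXAMPLE-0003", Severity.HIGH),
]
BOTH_SCANNERS = frozenset({"dependency_scanning", "container_scanning"})
MVC_POLICY = Policy(BOTH_SCANNERS, Severity.CRITICAL)                 # warn only
STRICT_POLICY = Policy(BOTH_SCANNERS, Severity.CRITICAL, action="quarantine")

if __name__ == "__main__":
    reg = Registry()
    print(on_publish(reg, STRICT_POLICY, "libfoo@1.2.3", SAMPLE_FINDINGS))
    print(quarantine_report(reg))
    try:
        on_pull(reg, "libfoo@1.2.3")
    except QuarantinedPackageError as err:
        print("job log:", err)
    print("\n".join(reg.pipeline_log))
```

With `MVC_POLICY` the same publish only appends a warning to `pipeline_log` and the pull succeeds; the `exceptions` set models the "With No exceptions" clause of the rule, so a team that tolerates a specific id can list it and the package is accepted.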

Further details

&5133

ux-research#2968 (closed)

#456970 (closed)

Permissions and Security

Documentation

Availability & Testing

Available Tier

Premium/Ultimate

Feature Usage Metrics

What does success look like, and how can we measure that?

Users have to attend to fewer security incidents.

What is the type of buyer?

Is this a cross-stage feature?

What is the competitive advantage or differentiation for this feature?

Links / references

This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.
