GitLab Feature Proposal - Bidirectional IP-based Repository Access Control

Proposal

Currently, GitLab SaaS offers IP-based access restrictions that can limit access TO specific repositories FROM certain IP addresses. However, in enterprise and financial environments, there's a critical security need to prevent data exfiltration by controlling repository access in both directions.

Proposed Feature: Bidirectional IP-based Repository Access Control

This feature would extend the current IP-based access control to work bidirectionally:

  1. Current Functionality (Inbound Control)
  • Restrict access TO specific repositories FROM certain IPs
  • Configure allowed IP ranges for accessing enterprise repositories
  2. New Functionality (Outbound Control)
  • Restrict access FROM certain IPs TO only specific repositories/groups
  • Block all other repository access from those IPs
  • Prevent unauthorized repository cloning from corporate networks
  3. Implementation Details
  • Add new group-level setting: "Restrict outbound repository access"
  • Allow administrators to specify allowed repository patterns/groups
  • Block git operations to unauthorized repositories from restricted IPs
  • Provide audit logs for attempted unauthorized access
  4. Security Benefits
  • Prevents source code exfiltration
  • Enhances enterprise security controls
  • Supports compliance requirements
  • Reduces risk of intellectual property theft
  5. Configuration Example
group_settings:
  restricted_ips:
    - range: "10.0.0.0/8"
      allowed_repositories:
        - "company-group/*"
        - "approved-external-group/*"
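
A sketch of how the proposed setting could be evaluated per request, added here as an illustration and not GitLab code. The function names, the first-matching-range rule, the default allow for unrestricted IPs, and the glob semantics of the patterns are all assumptions; the proposal does not specify them.

```python
import ipaddress
from fnmatch import fnmatchcase

# Constructed policy mirroring the proposal's configuration example.
POLICY = [
    {"range": "10.0.0.0/8",
     "allowed_repositories": ["company-group/*", "approved-external-group/*"]},
]

def normalize_ip(raw):
    """Parse the client address and unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d),
    so a dual-stack listener cannot sidestep an IPv4 range."""
    ip = ipaddress.ip_address(raw)
    return getattr(ip, "ipv4_mapped", None) or ip

def normalize_repo(path):
    """Canonicalise a repository path; None means 'never matches a pattern'."""
    path = path.strip("/")
    if path.endswith(".git"):
        path = path[:-4]
    # Reject empty and dot segments: "group/../other/x" would otherwise
    # satisfy the glob "group/*".
    if any(seg in ("", ".", "..") for seg in path.split("/")):
        return None
    return path

def evaluate(source_ip, repo_path, policy=POLICY):
    """Return an audit record; the first range containing the IP decides."""
    ip = normalize_ip(source_ip)
    repo = normalize_repo(repo_path)
    record = {"source_ip": str(ip), "repository": repo_path,
              "rule": None, "decision": "allow"}  # assumption: unrestricted IPs pass
    for rule in policy:
        net = ipaddress.ip_network(rule["range"])
        if ip.version != net.version or ip not in net:
            continue
        record["rule"] = rule["range"]
        allowed = repo is not None and any(
            fnmatchcase(repo, pattern) for pattern in rule["allowed_repositories"])
        if not allowed:
            record["decision"] = "deny"  # this record is what the audit log would carry
        return record
    return record

if __name__ == "__main__":
    for ip, repo in [("10.1.2.3", "company-group/payments.git"),
                     ("10.1.2.3", "personal-user/scratch"),
                     ("::ffff:10.1.2.3", "personal-user/scratch")]:
        print(evaluate(ip, repo))
```

Under these glob semantics `company-group/*` also covers nested subgroups, which a real implementation would need to decide on explicitly.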