Compliance Framework - Allow Namespaces to set own standard
Proposal
As raised in a ticket, there is currently no way to set a standard in the Compliance Center that deviates from the GitLab standard, so customers who do not want to use that standard are forced to do so. In the specific example from the ticket:
- The project compliance center shows a violation for having fewer than two approvers.
- Their own policy only requires a single approver.
What success would look like:
Adding the ability to modify these at a Namespace level in the Compliance Dashboard:
- Prevent authors as approvers.
- Prevent committers as approvers.
- At least two approvals.
- Static Application Security Testing (SAST) scanner artifact.
- Dynamic Application Security Testing (DAST) scanner artifact.
These would remain the defaults, but a customer who wishes to override them (with prominent warning flags) should have the ability to do so.
Ultimately it comes down to this: a customer's standard might deviate from our own, and giving them the option to use their own standard should they wish to would be worth considering.
Related: Compliance Frameworks Improvements Epic.
Implementation plan
In 17.11 we released Custom Compliance Frameworks, which allows users to customise their frameworks with over 50 controls. Our next step is to alter the Violations table to also use compliance frameworks.
We currently do not have a control for a single approver, only for two approvers. We need to add a control for a single approver.