Global AllowList

Once AllowList is available in GitLab, we can imagine a global AllowList managed at the group level. This list could contain security issues that are always ignored and ones that must never be ignored. That way, security teams (@kathyw, @jritchey, ...) could define rules at a higher level.

This file could be mounted in the job (to avoid someone overriding it in the repo) and merged with the local one (based on the always/never rules).

Or we can let users host this file somewhere and specify its URL to the job. It's a good way to track changes to global settings, and we don't need to manage all the authorizations. A job can be scheduled in the repo hosting this file to ensure it is being used in every project to be monitored. I suggest this implementation, which is easier to implement and maintain.
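A sketch of the always/never merge described above, added here as an example and not GitLab's code: the JSON file format, the precedence (group rules win over project rules, and within one level "never" beats "always") and the finding ids are all assumptions.

```python
import json
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AllowList:
    # Finding identifiers (e.g. a scanner rule id) that are always ignored.
    always: frozenset = field(default_factory=frozenset)
    # Finding identifiers that must never be ignored, whatever a project says.
    never: frozenset = field(default_factory=frozenset)


def parse_allowlist(text: str) -> AllowList:
    """Parse the assumed file format: {"always": [...], "never": [...]}."""
    data = json.loads(text)
    return AllowList(frozenset(data.get("always", [])), frozenset(data.get("never", [])))


def merge_allowlists(global_list: AllowList, local_list: AllowList) -> AllowList:
    """Merge the group-level list (mounted or fetched by URL) with the project one.

    Assumed precedence: a global rule beats a conflicting local rule, and within
    one level 'never' beats 'always'. So a local 'always' cannot hide a finding
    the group marked 'never', and a local 'never' cannot undo a global 'always'.
    """
    never = global_list.never | (local_list.never - global_list.always)
    always = (global_list.always | local_list.always) - never
    return AllowList(always, never)


def apply_allowlist(merged: AllowList, finding_ids):
    """Split scanner findings into (reported, ignored) using the merged list."""
    reported = [f for f in finding_ids if f not in merged.always]
    ignored = [f for f in finding_ids if f in merged.always]
    return reported, ignored


# Constructed sample lists; the ids are placeholders, not real rule ids.
GLOBAL_JSON = '{"always": ["F-1"], "never": ["F-2"]}'
LOCAL_JSON = '{"always": ["F-2", "F-3"], "never": ["F-1", "F-4"]}'

if __name__ == "__main__":
    merged = merge_allowlists(parse_allowlist(GLOBAL_JSON), parse_allowlist(LOCAL_JSON))
    print(apply_allowlist(merged, ["F-1", "F-2", "F-3", "F-4", "F-5"]))
```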

This feature will be helpful for large companies.

/cc @bikebilly

Edited May 10, 2020 by Taylor McCaslin