Feature Request: Proactive Security Configuration Change Monitoring

Everyone can contribute. Help move this issue forward while earning points, leveling up and collecting rewards.

• Close this issue

Summary

Request for a proactive monitoring mechanism to detect when users disable or modify security configurations in GitLab, enabling real-time alerts and automated responses for security governance and compliance automation.

Problem Statement

Organizations implementing security automation and governance face a critical gap in monitoring capabilities:

• Current limitation: No proactive way to monitor when users disable security features (Secret Push Protection, SAST, etc.)
• Existing solutions are reactive: Audit events require manual querying and are limited in scope
• Governance challenges: Security teams cannot detect configuration drift or unauthorized security feature disabling in real-time
• Automation roadblocks: Prevents implementation of automated security governance and remediation workflows

Current State Analysis

Based on customer feedback and investigation:

1. Audit Events - Available but limited:
   • Events like group_secret_push_protection_updated and project_security_setting_updated exist
   • Require manual/scheduled querying via API
   • Reactive approach only
2. System Hooks - Not available for security configuration changes:
   • Would provide the proactive monitoring capability needed
   • Currently don't trigger for security setting modifications

Proposed Solution

Core Feature: Security Configuration Change Events

Implement proactive event generation for security configuration changes that can be consumed via:

1. System Hooks (Primary Request)
   • Real-time webhook notifications when security configurations are modified
   • Centralized monitoring across all groups/projects
   • Enable automated response workflows
2. Enhanced Push Events (Alternative/Additional)
   • Include security configuration change events in existing push event streams
   • Maintain consistency with current webhook architecture

Specific Events to Monitor

• Secret Push Protection enable/disable
• SAST configuration changes
• Dependency Scanning modifications
• Container Scanning settings
• License Compliance configuration
• Security policy changes
• Any security-related project/group setting modifications

Use Cases

Primary Use Case: Security Automation

• Stakeholder: DevSecOps teams, Security engineers
• Scenario: Automated security governance system that re-enables disabled security features
• Value: Maintain consistent security posture across all repositories without manual monitoring

Secondary Use Cases:

• Compliance Monitoring: Real-time compliance dashboard updates
• Audit Trail: Enhanced security audit capabilities
• Incident Response: Immediate notification of security configuration changes
• Reporting: Automated security posture reporting

Priority Justification

• High Impact: Enables automated security governance for enterprise customers
• Compliance Need: Required for organizations with strict security monitoring requirements
• Customer Request: Direct customer requirement blocking security automation initiatives
• Gap Closure: Addresses significant monitoring gap in current GitLab security features

Related Documentation

• Audit Events Documentation
• System Hooks Documentation
• Project Hooks API

Customer Context

This feature request originates from enterprise customer requirements for automated security governance and compliance monitoring, where proactive detection of security configuration changes is essential for maintaining organizational security standards.