Track compliance violations when merges occur with failed status checks
Release notes
Allow compliance violations to be recorded in the violations center when merge requests are merged with failed status checks or external controls that are required by a compliance framework.
Problem to solve
Currently, when merge requests are merged while status checks or external controls are in a "failed" status, these violations do not enter the violations center. This creates a gap in compliance tracking and audit visibility, as non-compliant merges are not recorded or surfaced for review.
When external controls or status checks are required as part of a compliance framework, merge requests that bypass these requirements (by merging despite failed checks) should be tracked as violations. Without this tracking, compliance teams cannot:
- Identify when merges occurred in violation of compliance policies
- Generate accurate compliance reports
- Audit which changes entered protected branches without proper approval
- Enforce accountability for policy violations
- Demonstrate compliance to auditors and regulatory bodies
Intended users
- Compliance managers and officers
- Security teams
- Audit teams
- Development team leads responsible for compliance enforcement
User experience goal
When a merge request is merged with failed status checks or external controls that are required by a compliance framework, the merge should be automatically recorded as a violation in the compliance violations report, allowing compliance teams to track and audit non-compliant merges.
Proposal
Extend the compliance violations tracking to record violations when:
- A merge request is merged while required status checks (specified in a compliance framework) have failed
- A merge request is merged while required external controls (specified in a compliance framework) have failed
- A merge request is merged despite failing checks that are mandatory for the compliance framework
These violations should appear in the compliance violations center with:
- Clear indication of which status check or external control failed
- The associated compliance framework
- The merge request details (author, approver, timestamp)
- The branch and project information
- The reason for the violation (failed check, missing approval, etc.)
Further details
The compliance violations report currently tracks separation of duties violations. This feature would extend that capability to include status check and external control violations when those checks/controls are required by a compliance framework, providing a more comprehensive view of compliance posture.
This would align with how other compliance tools (Vanta, Drata, Hyperproof) track and report on policy violations and failed controls.
Permissions and Security
- Violations should be visible to users with appropriate compliance or audit permissions
- Violations should be recorded at the group level for group-level compliance frameworks
- Violations should be recorded at the project level for project-level compliance frameworks
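As an added illustration (not GitLab's own code) of the proposal above and the scope rules in this section: a Ruby model that evaluates a merge event against the status checks and external controls each compliance framework requires, and emits one violation record per required check that failed or never reported, tagged with the framework's group or project scope. All struct fields, check names and the sample data are constructed assumptions.

```ruby
# Added illustration, not GitLab's implementation: derive compliance
# violation records from a merge event. All field names are assumptions.
Framework  = Struct.new(:name, :scope, :required_status_checks,
                        :required_external_controls, keyword_init: true)
MergeEvent = Struct.new(:project, :branch, :author, :merged_by, :merged_at,
                        :status_checks, :external_controls, keyword_init: true)
Violation  = Struct.new(:framework, :scope, :kind, :check, :reason, :project,
                        :branch, :author, :merged_by, :merged_at,
                        keyword_init: true)

# Final state of one required check: 'passed' is compliant; 'failed' or no
# result at all (the check never reported back) both count as a violation.
def reason_for(results, check)
  state = results[check]
  return nil if state == 'passed'
  state.nil? ? 'check never reported a result' : "check #{state}"
end

# One Violation per required check not passing at merge time, carrying the
# details the violations center should show; empty array means compliant.
# Scope (:group / :project) comes from the framework that required the check.
def violations_for(event, frameworks)
  frameworks.flat_map do |fw|
    pairs = [[:status_check, fw.required_status_checks, event.status_checks],
             [:external_control, fw.required_external_controls,
              event.external_controls]]
    pairs.flat_map do |kind, required, results|
      required.filter_map do |check|
        reason = reason_for(results, check)
        next unless reason
        Violation.new(framework: fw.name, scope: fw.scope, kind: kind,
                      check: check, reason: reason, project: event.project,
                      branch: event.branch, author: event.author,
                      merged_by: event.merged_by, merged_at: event.merged_at)
      end
    end
  end
end

# Constructed sample: a group-level framework requiring one status check and
# one external control; the MR was merged with the check failed and the
# control never reporting. Names and values are made up.
SOC2 = Framework.new(name: 'SOC 2', scope: :group,
                     required_status_checks: ['sast-gate'],
                     required_external_controls: ['change-ticket-approved'])
EVENT = MergeEvent.new(project: 'acme/payments', branch: 'main',
                       author: 'dev1', merged_by: 'lead1',
                       merged_at: Time.utc(2024, 1, 15, 10, 30),
                       status_checks: { 'sast-gate' => 'failed', 'lint' => 'passed' },
                       external_controls: {})
```

Calling `violations_for(EVENT, [SOC2])` yields two records, one per failed requirement; a check that is not named by any framework (like `lint` above) is never reported, matching the proposal's "required by a compliance framework" condition.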
Documentation
Documentation should be updated to explain:
- How violations are recorded when required status checks/external controls fail
- How to view and filter violations by type (separation of duties vs. status check violations)
- How to generate compliance reports that include status check violations
- How compliance frameworks define required checks and controls
Availability & Testing
- Should work with both project-level and group-level compliance frameworks
- Should work with external status checks and external controls
- Should be testable via the compliance violations report UI
Available Tier
GitLab Ultimate (where compliance center is available)
Feature Usage Metrics
- Number of status check violations recorded
- Frequency of violations by project/group
- Correlation between failed checks and merge activity
- Compliance violation trends over time
- Breakdown of violations by compliance framework
What does success look like, and how can we measure that?
Success would be measured by:
- Status check violations appearing in the compliance violations report
- Compliance teams able to identify and audit non-compliant merges
- Accurate compliance reporting that includes all types of violations
- Reduced gaps in compliance tracking and audit trails
- Clear visibility into which compliance frameworks have violations
What is the type of buyer?
Enterprise customers with compliance and regulatory requirements (SOC 2, ISO 27001, PCI DSS, etc.)
Is this a cross-stage feature?
No, this is specific to the Compliance stage.
What is the competitive advantage or differentiation for this feature?
This feature would provide GitLab with more comprehensive compliance violation tracking compared to competitors, enabling organizations to maintain complete audit trails of all policy violations, not just separation of duties issues.
Links / references
- Compliance violations report: https://docs.gitlab.com/user/compliance/compliance_center/compliance_violations_report/