Add SOC2 Compliance Controls

What does this MR do and why?

Adds compliance control checks for:

  • gitlab_license_level_ultimate
  • status_page_configured
  • has_valid_ci_config
  • error_tracking_enabled
  • default_branch_users_can_push
  • default_branch_protected_from_direct_push
  • terraform_enabled (already added)

References

How to set up and validate locally

(Example with one of the controls)

  • Run bundle exec rake compliance_management:control_schema:generate to run the new task
  • For the terraform_enabled control:
  1. Create a compliance framework for your project:
mutation createComplianceFramework {
  createComplianceFramework(
    input: {
      namespacePath: "flightjs/Flight",
      params: {
        name: "SSO Framework",
        description: "Framework for security compliance requirements",
        color: "#0000FF"
      }
    }
  ) {
    framework {
      id
      name
      description
      color
    }
    errors
  }
}
  2. Create a compliance requirement for the framework, using the framework ID from Step 1:
mutation createComplianceRequirement {
  createComplianceRequirement(
    input: {
      complianceFrameworkId: "gid://gitlab/ComplianceManagement::Framework/<FRAMEWORK_ID>",
      params: {
        name: "Custom req 1",
        description: "some description"
      },
      controls: []
    }) {
    errors
    requirement {
      id
      name
      description
    }
  }
}
  3. Create a control using the requirement ID from Step 2:
mutation createComplianceRequirementControl {
  createComplianceRequirementsControl(
    input: {
      complianceRequirementId: "gid://gitlab/ComplianceManagement::ComplianceFramework::ComplianceRequirement/<REQUIREMENT_ID>",
      params: {
        name: "terraform_enabled",
        expression: "{\"operator\":\"=\",\"field\":\"terraform_enabled\",\"value\":true}"
      }
    }) {
    errors
    requirementsControl {
      id
      name
      expression
    }
  }
}
  4. Open the gdk rails console and evaluate the control against the project:

project = Project.find(PROJECT_ID) # The project used in Step 1
control = ComplianceManagement::ComplianceFramework::ComplianceRequirementsControl.find(CONTROL_ID) # ID returned from Step 3

ComplianceManagement::ComplianceRequirements::ExpressionEvaluator.new(control, project).evaluate

Note: some projects from the initial reset-data on gdk, like Flight, have terraform states. This is the check I've added: project.terraform_states.exists?
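The steps above create a control whose expression is a small JSON document ({"operator":"=","field":"terraform_enabled","value":true}) and then evaluate it against a project. The following Ruby is an added example, not code from this MR or from GitLab's ExpressionEvaluator: it shows how such an expression is parsed and checked against project state for the seven controls listed above. FakeProject, FIELD_CHECKS and the predicate bodies are constructed stand-ins; the real checks run against ActiveRecord associations (for example project.terraform_states.exists?, as noted above). Only the "=" operator appears on this page, so any other operator is rejected rather than guessed at.

```ruby
require 'json'

# Constructed stand-in for a GitLab Project (assumption: the real checks
# call model associations such as project.terraform_states.exists?).
FakeProject = Struct.new(
  :terraform_state_count, :default_branch_protection, :error_tracking_enabled,
  :status_page_url, :ci_config_valid, :license_plan, keyword_init: true
)

# Control field name -> predicate on the project. The field names are the
# controls listed in this MR; the predicate bodies are this example's own
# assumptions about what each control means.
FIELD_CHECKS = {
  'terraform_enabled' => ->(p) { p.terraform_state_count.to_i > 0 },
  'error_tracking_enabled' => ->(p) { p.error_tracking_enabled == true },
  'status_page_configured' => ->(p) { !p.status_page_url.to_s.empty? },
  'has_valid_ci_config' => ->(p) { p.ci_config_valid == true },
  'gitlab_license_level_ultimate' => ->(p) { p.license_plan == 'ultimate' },
  'default_branch_users_can_push' => ->(p) { p.default_branch_protection == :none },
  'default_branch_protected_from_direct_push' => lambda do |p|
    p.default_branch_protection == :maintainers_merge_only
  end
}.freeze

class UnknownField < StandardError; end
class UnsupportedOperator < StandardError; end

# Evaluates one control expression (the JSON stored in the control created in
# Step 3) against a project. Unknown fields and operators raise instead of
# silently passing, so a misconfigured control cannot read as compliant.
def evaluate_control(expression_json, project)
  expr = JSON.parse(expression_json)
  check = FIELD_CHECKS.fetch(expr['field']) { |f| raise UnknownField, f.to_s }
  raise UnsupportedOperator, expr['operator'].to_s unless expr['operator'] == '='

  check.call(project) == expr['value']
end

# Evaluates every control of a requirement and returns the names of the ones
# the project fails; this is the list a compliance report would surface.
def failing_controls(controls, project)
  controls.reject { |c| evaluate_control(c[:expression], project) }
          .map { |c| c[:name] }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: terraform in use, branch protected, no status page.
  project = FakeProject.new(
    terraform_state_count: 2, default_branch_protection: :maintainers_merge_only,
    error_tracking_enabled: true, status_page_url: '', ci_config_valid: true,
    license_plan: 'ultimate'
  )
  controls = [
    { name: 'terraform_enabled',
      expression: '{"operator":"=","field":"terraform_enabled","value":true}' },
    { name: 'status_page_configured',
      expression: '{"operator":"=","field":"status_page_configured","value":true}' },
    { name: 'default_branch_users_can_push',
      expression: '{"operator":"=","field":"default_branch_users_can_push","value":false}' }
  ]
  puts "failing controls: #{failing_controls(controls, project).inspect}"
end
```

The evaluator fails closed: a control whose field is not registered, or whose operator is not "=", raises rather than returning true, which matters because a control that cannot be evaluated should never count as satisfied.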

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Andrew Jung
