Adding read events for Web UI and API access

What does this MR do and why?

Implements #597263

This MR adds a repository_file_accessed audit event for Web UI file views, enabling security teams to track when users access repository files through the GitLab interface.

Web UI File Access

  • repository_file_accessed (file views via blob controller's HTML show action)

Why: Tracking file access through the Web UI is critical for:

  • Monitoring unauthorized access to sensitive files
  • Detecting suspicious data access patterns
  • Providing audit trails for compliance requirements
  • Correlating file access with security incidents

Implementation Details

The audit event captures file access metadata including:

  • File path and ref (branch/tag)
  • Project information
  • Request metadata (IP address, user agent)
  • Follows the same pattern as project_ci_cd_settings_accessed
  • Configuration: saved_to_database: false, streamed: true to manage volume

References

GL_SIRT_7050 - Fireblocks Incident Analysis (internal only)

How to set up and validate locally

  1. Set up audit streaming to point to a webhook you control
  2. View a repository file through the Web UI in your local GDK instance
  3. Validate that the file access is recorded in the audit event

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Evan Baltman
