Document FIPS compliance at GitLab
What does this MR do?
Makes an initial pass at "FIPS compliance for GitLab developers", including a brief outline on what FIPS is, what it means for GitLab, current status, how to get a development environment together for it, what FIPS requires of us when designing features and writing code, and a few strategies for how to tackle FIPS-related issues.
The intention is to help bootstrap people working on FIPS-related issues, so they can investigate and solve those problems more easily.
My current level of knowledge about FIPS is very low, so I need to be cautious in what I add to this document. I'll seek review from security before getting it merged.
Screenshots (strongly suggested)
Does this MR meet the acceptance criteria?
Conformity
- Changelog entry
- Documentation (if required)
- Code review guidelines
- Merge request performance guidelines
- Style guides
- Database guides
- Separation of EE specific content
Availability and Testing
- Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.
- Tested in all supported browsers
- Informed Infrastructure department of a default or new setting change, if applicable per definition of done
Security
If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:
- Label as security and @ mention @gitlab-com/gl-security/appsec
- The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
- Security reports checked/validated by a reviewer from the AppSec team
Related to #295923 (closed)