MVC: Apply compliance framework labels to projects
Problem to solve
Compliance-minded organizations rely on services like GitLab to surface insights about their environment to achieve certain goals. A top-of-mind goal for many of our customers is managing the compliance of their GitLab projects. Currently, there's no easy way to determine the compliance status of projects, let alone a way to easily view this status in aggregate. There's no mechanism to identify a project as one that has certain compliance requirements or additional oversight, which is a fundamental need to tracking compliance status.
Intended users
- Delaney (Development Team Lead)
- Sam (Security Analyst)
- Dana (Data Analyst)
- Sidney (Systems Administrator)
- All management stakeholders who adhere to any auditing process. For example in a finance institution (Security, Quality, Development department heads)
Further details
The original discovery issue for this issue provided valuable insight into our direction and allowed us to determine the better MVC for this feature.
Given light of new learnings from our research with customers, we've pivoted this MVC to a more appropriate first iteration.
Proposal
Create a new Project Setting, which is a pre-defined list of compliance frameworks, to enable customers to identify projects as compliant with those specific frameworks.
The list should initially contain the following frameworks:
-
SOX(Sarbanes-Oxley) -
SOC 2(Service Organization Control 2) -
PCI-DSS(Payment Card Industry-Data Security Standard) -
HIPAA(Health Insurance Portability and Accountability Act) -
GDPR(General Data Protection Regulation) NIST(National Institute of Standards and Technology)ISO(International Organization for Standardization)
This selection should only permit one option to be chosen for now.
The proposed workflow is:
- An
adminorgroup ownerselectsSOXinProject Asettings - The specific compliance label is rendered on the
project listas a badge - GitLab stores this association to report on in the Compliance Dashboard
Screenshots
| Project Settings-BEFORE | Project Settings-AFTER |
|---|---|
 |
 |
| Project Details-BEFORE | Project Details-AFTER |
|---|---|
 |
 |
| Projects listing-BEFORE | Projects listing-AFTER |
|---|---|
 |
 |
Original proposal
Add a **Compliance Controls** selection capability to the `Group` settings. The MVC selection could be GCF Change Management 2.01 (CM.2.01) for Separation of Duties.Helper text should indicate that GCF CM.2.01 is "aligned with SOC 2 CC8.1 and PCI-DSS 6.4".
On the backend, GitLab should attribute specific settings to "compliance" with this control. For example, the following settings being enabled are considered "compliant":
-
Remove all approvals in a merge request when new commits are pushed to its source branch -
Prevent approval of merge requests by merge request author -
Prevent approval of merge requests by merge request committers
If these settings are enabled at the time of a MR approval, the MR widget should show a positive indicator (
If 1 or more of these settings is disabled, the MR widget should show a warning indicator (
| Group Settings | MR Widget |
|---|---|
 |
 |
A settings area to specify the desired Compliance Controls to implement for a Group. |