Discovery: Group-level compliance dashboard

Problem to solve

Customers who adhere to compliance frameworks (e.g. SOC 2, ISO 27001, GDPR, SOX, HIPAA, PCI-DSS) have specific company policies that govern how changes are made and approved. They currently lack the tools to manage their GitLab environment's compliance with these policies: activity is recorded per project, and there is no easy, aggregate view of it at the group level. This lack of control and insight creates risk for customers by reducing their ability to demonstrate and enforce compliance within GitLab.

Examples of governing policies:

  • All Merge Requests (MRs) have a related issue with detailed information about the change(s)
  • All MRs are reviewed and approved by someone who isn't the author
  • All MRs pass QA and security testing
  • Any exceptions to the requirements require separate approval

Intended users

Delaney (Development Team Lead)

Sasha (Software Developer)

Sam (Security Analyst)

Proposal

Provide a compliance overview ("dashboard") of the activity that occurs within each project inside the group. The dashboard would provide a quick summary of recent activity (MRs), a way to dig into that activity (linked issues), and the compliance status of each item (pass/fail).

The Minimum Viable Change (MVC) towards this goal is an activity view showing recent Merge Request (MR) activity within the Group's projects. This will show administrators and group owners a quick, high-level view of their group's activity, which we can use as a baseline to iterate upon later to add more, relevant detail.

Rough Wireframe Prototype
[Wireframe image: compliance_dash_wireframe (Desktop HD)]

The "Approved By" column refers to approvers of the Merge Request, which can be reconciled against a list of approvers in later iterations.
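To make the pass/fail column concrete, the following is an added example (not GitLab code and not part of this issue) that evaluates the governing policies listed above against merge-request records and produces the dashboard rows and a group-level roll-up. The record shape, the `compliance-exception` label, the `EXCEPTION_APPROVERS` set and the sample data are all assumptions constructed for the illustration; a real implementation would read these fields from GitLab's merge request, approvals and pipeline data.

```python
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field


@dataclass
class MergeRequest:
    """Subset of merge-request fields needed for the policy checks (assumed shape)."""
    project: str
    iid: int
    author: str
    approvers: list[str]
    related_issues: list[int]
    pipeline_status: str            # "success", "failed", "running", ...
    security_scan_passed: bool      # hypothetical roll-up of the security test stage
    labels: list[str] = field(default_factory=list)


# Hypothetical: the people allowed to sign off on a policy exception.
EXCEPTION_APPROVERS = {"sam"}
EXCEPTION_LABEL = "compliance-exception"


def check_policies(mr: MergeRequest) -> dict[str, bool]:
    """Evaluate the three governing policies for a single MR."""
    return {
        "has_related_issue": len(mr.related_issues) > 0,
        # Self-approval does not count: at least one approver must differ from the author.
        "approved_by_non_author": any(a != mr.author for a in mr.approvers),
        "qa_and_security_passed": mr.pipeline_status == "success" and mr.security_scan_passed,
    }


def exception_approved(mr: MergeRequest) -> bool:
    """An exception needs its own sign-off from an exception approver who is not the author."""
    return EXCEPTION_LABEL in mr.labels and any(
        a in EXCEPTION_APPROVERS and a != mr.author for a in mr.approvers
    )


def mr_status(mr: MergeRequest) -> str:
    """Overall compliance status shown in the dashboard's pass/fail column."""
    if all(check_policies(mr).values()):
        return "pass"
    if exception_approved(mr):
        return "pass (exception)"
    return "fail"


def dashboard_rows(mrs: list[MergeRequest]) -> list[dict[str, str]]:
    """One row per MR, mirroring the wireframe's columns."""
    return [
        {
            "project": mr.project,
            "mr": f"!{mr.iid}",
            "author": mr.author,
            "approved_by": ", ".join(mr.approvers) or "-",
            "issues": ", ".join(f"#{i}" for i in mr.related_issues) or "-",
            "status": mr_status(mr),
        }
        for mr in mrs
    ]


def summarize(mrs: list[MergeRequest]) -> dict[str, int]:
    """Counts per status, for the group-level roll-up."""
    return dict(Counter(mr_status(mr) for mr in mrs))


# Constructed sample data, not taken from any real GitLab instance.
SAMPLE_MRS = [
    MergeRequest("payments", 12, "sasha", ["delaney"], [101], "success", True),
    MergeRequest("payments", 13, "sasha", ["sasha"], [102], "success", True),   # self-approved
    MergeRequest("web", 7, "delaney", ["sasha", "sam"], [], "failed", False,
                 labels=[EXCEPTION_LABEL]),                                      # signed-off exception
    MergeRequest("web", 8, "delaney", [], [], "running", False),                # nothing in place
]

if __name__ == "__main__":
    for row in dashboard_rows(SAMPLE_MRS):
        print(row)
    print(summarize(SAMPLE_MRS))
```

The point of the `approved_by_non_author` check is that an approval count alone is not evidence of separation of duties; the author has to be excluded explicitly, and the same holds for whoever signs off an exception. The "Approved By" column in the wireframe is the raw approver list; reconciling it against an allowed approver set is what a later iteration would add.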

Implementation

An implementation issue is available here

Action Items

  • Determine level of frontend support required
    • Create separate FE issue

Potential Challenges

It is possible GitLab will need to record additional events in order to present this detail in the UI.

Edited by Daniel Mora