Chain of Custody report

Tier: Ultimate
Offering: GitLab.com, Self-managed, GitLab Dedicated
History
  • Introduced in GitLab 13.3.
  • Chain of Custody reports sent using email introduced in GitLab 15.3 with a flag named async_chain_of_custody_report. Disabled by default.
  • Generally available in GitLab 15.5. Feature flag async_chain_of_custody_report removed.
  • Chain of Custody report includes all commits (instead of just merge commits) introduced in GitLab 15.9 with a flag named all_commits_compliance_report. Disabled by default.
  • Generally available in GitLab 15.9. Feature flag all_commits_compliance_report removed.

The Chain of Custody report provides a 1-month trailing window of all commits to a project under the group.

To generate the report for all commits, GitLab:

  1. Fetches all projects under the group.
  2. For each project, fetches the last 1 month of commits. Each project is capped at 1024 commits. If there are more than 1024 commits in the 1-month window, they are truncated.
  3. Writes the commits to a CSV file. The file is truncated at 15 MB because the report is emailed as an attachment (GitLab 15.5 and later).

The report includes:

  • Commit SHA.
  • Commit author.
  • Committer.
  • Date committed.
  • Group.
  • Project.

If the commit has a related merge commit, then the following are also included:

  • Merge commit SHA.
  • Merge request ID.
  • User who merged the merge request.
  • Merge date.
  • Pipeline ID.
  • Merge request approvers.
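
Because the report is capped at 1024 commits per project and 15 MB per file, it is worth checking an export for signs of truncation before relying on it as evidence. The following is an added example, not GitLab's own code: it flags projects at the commit cap, files near the size limit, commits with no related merge commit, and merged commits with no approvers. The CSV header names, the 5% size margin, and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import Counter

COMMIT_CAP = 1024            # per-project commit cap stated on this page
SIZE_CAP = 15 * 1024 * 1024  # 15 MB attachment limit; byte-exact value assumed

# Assumed header names, modelled on the field lists above; adjust to your export.
PROJECT, SHA = "Project", "Commit SHA"
MERGE_SHA, APPROVERS = "Merge commit SHA", "Merge request approvers"

# Constructed sample report (not real GitLab output).
SAMPLE = """\
Commit SHA,Commit author,Committer,Date committed,Group,Project,Merge commit SHA,Merge request ID,User who merged the merge request,Merge date,Pipeline ID,Merge request approvers
aaa111,alice,alice,2024-05-01,demo,api,mmm111,11,bob,2024-05-02,501,bob
bbb222,carol,carol,2024-05-03,demo,api,,,,,,
ccc333,dave,dave,2024-05-04,demo,web,mmm222,12,erin,2024-05-05,502,
"""


def _empty(row, column):
    # DictReader yields None for columns missing from a short (cut-off) row.
    return not (row.get(column) or "").strip()


def audit_report(csv_text, commit_cap=COMMIT_CAP, size_cap=SIZE_CAP):
    """Return completeness and review-coverage findings for one report."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    per_project = Counter((r.get(PROJECT) or "") for r in rows)
    return {
        # A project at the cap may have had commits beyond the cap truncated.
        "projects_at_commit_cap": sorted(
            p for p, n in per_project.items() if n >= commit_cap),
        # Heuristic (assumed margin): within 5% of the size limit.
        "file_near_size_cap": len(csv_text.encode("utf-8")) >= 0.95 * size_cap,
        # No related merge commit, so the report holds no merge request trail.
        "commits_without_merge": [r[SHA] for r in rows if _empty(r, MERGE_SHA)],
        # Merge commit present but no approvers recorded.
        "merged_without_approvers": [
            r[SHA] for r in rows
            if not _empty(r, MERGE_SHA) and _empty(r, APPROVERS)],
    }


if __name__ == "__main__":
    # Small cap only to exercise the truncation check on the sample.
    print(audit_report(SAMPLE, commit_cap=2))
```

A project flagged at the commit cap means the report may not cover the full 1-month window for that project, so gaps there should not be read as absence of activity.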

Generate Chain of Custody report

To generate the Chain of Custody report:

  1. On the left sidebar, select Search or go to and find your group.
  2. Select Secure > Compliance center.
  3. In the top-right corner, select Export.
  4. Select Export chain of custody report.

Depending on your version of GitLab, the Chain of Custody report is either sent through email or available for download.

Generate commit-specific Chain of Custody report

History
  • Introduced in GitLab 13.6.
  • Support for including all commits instead of only merge commits added in GitLab 15.10.

You can generate a commit-specific Chain of Custody report for a given commit SHA. This report provides only the details for the provided commit SHA.

To generate a commit-specific Chain of Custody report:

  1. On the left sidebar, select Search or go to and find your group.
  2. Select Secure > Compliance center.
  3. In the top-right corner, select Export.
  4. Select Export custody report of a specific commit.
  5. Enter the commit SHA, and then select Export custody report.

Depending on your version of GitLab, the Chain of Custody report is either sent through email or available for download.

Alternatively, use a direct link: https://gitlab.com/groups/<group-name>/-/security/merge_commit_reports.csv?commit_sha={optional_commit_sha}, passing in an optional value to the commit_sha query parameter.