Compliance

  • Tier: Ultimate
  • Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated

GitLab compliance features ensure your GitLab group meets common compliance standards, and are available at various pricing tiers. For more information about compliance management, see the compliance management solutions page.

The security features in GitLab may also help you meet relevant compliance standards.

For more information on all GitLab compliance features to ensure your GitLab instance meets common compliance standards, see Compliance features.

Compliant workflow automation

It is important for compliance teams to be confident that their controls and requirements are set up correctly, but also that they stay set up correctly. One way of doing this is manually checking settings periodically, but this is error prone and time consuming. A better approach is to use single-source-of-truth settings and automation to ensure that whatever a compliance team has configured, stays configured and working correctly. These features can help you automate compliance:

FeatureInstancesGroupsProjectsDescription
Compliance frameworksdotted-circle Nocheck-circle Yesdotted-circle NoDescribe the type of compliance requirements projects must follow.
Compliance pipelinesdotted-circle Nocheck-circle Yesdotted-circle NoDefine a pipeline configuration to run for any projects with a given compliance framework.
Merge request approval policy approval settingscheck-circle Yescheck-circle Yescheck-circle YesEnforce a merge request approval policy enforcing multiple approvers and override various project settings in all enforced groups or projects across your GitLab instance or group.

Audit management

An important part of any compliance program is being able to go back and understand what happened, when it happened, and who was responsible. You can use this in audit situations as well as for understanding the root cause of issues when they occur.

It is helpful to have both low-level, raw lists of audit data as well as high-level, summary lists of audit data. Between these two, compliance teams can quickly identify if problems exist and then drill down into the specifics of those issues. These features can help provide visibility into GitLab and audit what is happening:

FeatureInstancesGroupsProjectsDescription
Audit eventscheck-circle Yescheck-circle Yescheck-circle YesTo maintain the integrity of your code, audit events give administrators the ability to view any modifications made in the GitLab server in an advanced audit events system, so you can control, analyze, and track every change.
Audit reportscheck-circle Yescheck-circle Yescheck-circle YesCreate and access reports based on the audit events that have occurred. Use pre-built GitLab reports or the API to build your own.
Audit event streamingcheck-circle Yescheck-circle Yescheck-circle YesStream GitLab audit events to a HTTP endpoint or third party service, such as AWS S3 or GCP Logging.
Compliance centerdotted-circle Nocheck-circle Yescheck-circle YesQuickly get visibility into the compliance posture of your organization through compliance standards adherence reporting and violations reports. Manage your groups compliance frameworks centrally.

Policy management

Organizations have unique policy requirements, either due to organizational standards or mandates from regulatory bodies. The following features help you define rules and policies to adhere to workflow requirements, separation of duties, and secure supply chain best practices:

FeatureInstancesGroupsProjectsDescription
Granular user roles
and flexible permissions
check-circle Yescheck-circle Yescheck-circle YesManage access and permissions with five different user roles and settings for external users. Set permissions according to people’s role, rather than either read or write access to a repository. Don’t share the source code with people that only need access to the issue tracker.
Merge request approvalscheck-circle Yescheck-circle Yescheck-circle YesConfigure approvals required for merge requests.
Push rulescheck-circle Yescheck-circle Yescheck-circle YesControl pushes to your repositories.
Separation of duties using
protected branches and
custom CI/CD configuration paths
dotted-circle Nodotted-circle Nocheck-circle YesLeverage the GitLab cross-project YAML configurations to define deployers of code and developers of code. See how to use this setup to define these roles in the Separation of Duties deploy project and the Separation of Duties project.
Security policiescheck-circle Yescheck-circle Yescheck-circle YesConfigure customizable policies that require merge request approval based on policy rules, or enforce security scanners to execute in project pipelines for compliance requirements. Policies can be enforced granularly against specific projects, or all projects in a group or subgroup.

Other compliance features

These features can also help with compliance requirements:

FeatureInstancesGroupsProjectsDescription
External Status Checksdotted-circle Nodotted-circle Nocheck-circle YesInterface with third-party systems you already use during development to ensure you remain compliant.
License approval policiesdotted-circle Nodotted-circle Nocheck-circle YesSearch dependencies for their licenses. This lets you determine if the licenses of your project’s dependencies are compatible with your project’s license.
Lock project membership to groupdotted-circle Nocheck-circle Yesdotted-circle NoGroup owners can prevent new members from being added to projects in a group.