Source: GitLab Blog | Author: Chris Ward
Many companies are required by government bodies, such as regulators, to meet compliance frameworks or standards, for example SOC2, HIPAA, Sarbanes-Oxley, and GDPR. It is not enough to merely say that you manage the requirements of those standards; you have to be able to prove it. GitLab's compliance features help self-hosted instance administrators enforce common compliance requirements and collect the reports and artifacts needed to certify that they are meeting these standards.
For this first iteration, the dashboard shows an aggregate view of approved merge requests in projects across your group, or across multiple groups. For each merge request, you can see the title, who approved it, when they approved it, and the project it’s part of. Clicking the merge request takes you to the full details in our standard merge request view. For other stakeholders involved in something like compliance audits, we have ways to visualize and export the data they need.
For example, you are an administrator responsible for compliance and you know that a project is not supposed to have any code deployments. On the dashboard you see a merge request that resulted in a code deployment, and you can look into the audit trail to see what happened.
Currently, the view looks similar to our existing project merge requests overview, but lifts it one or more levels up to the group level, which is especially useful for those managing a lot of projects.
Future iterations on the Compliance Dashboard
We’re planning on adding more features to the dashboard, including:
- Merge request approval settings
- Security scanning data with each deploy
- Specific test results with each deploy
- The results of pipelines
We will also add an overview of compliance policies, showing which ones your team is not currently meeting. For example, if your vulnerability management policy says that you scan every 90 days and it’s been 91 days since the last scan, but a merge request is still approved, we inform you of that policy violation. For more development-focused teams who are new to compliance, these notifications will help prompt them to items that need attention and action.
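The scan-interval rule above, as an added example that is not GitLab's own code: it checks each approved merge request against the age of its project's most recent scan at the time of approval and reports those that exceed the policy window (or were never scanned). The record shapes, field names and sample data are constructed for illustration and do not reflect the GitLab API.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Constructed sample records, not real GitLab data. Field names are assumptions
# modelled on what the dashboard shows (title, approver, approval date, project).
@dataclass(frozen=True)
class MergeRequest:
    project: str
    title: str
    approved_by: str
    approved_on: date

@dataclass(frozen=True)
class PolicyViolation:
    project: str
    title: str
    approved_by: str
    days_since_scan: Optional[int]  # None when the project was never scanned

# Hypothetical: date of the most recent completed security scan per project.
LAST_SCAN: Dict[str, date] = {
    "payments/api": date(2020, 1, 1),
    "web/frontend": date(2020, 3, 20),
}

APPROVED_MRS: List[MergeRequest] = [
    MergeRequest("payments/api", "Add refund endpoint", "alice", date(2020, 4, 1)),  # scan is 91 days old
    MergeRequest("web/frontend", "Fix header layout", "bob", date(2020, 4, 1)),     # scan is 12 days old
    MergeRequest("infra/terraform", "Bump provider", "carol", date(2020, 4, 2)),    # never scanned
]

def days_since_scan(project: str, on: date) -> Optional[int]:
    """Age of the project's last scan, measured at the given (approval) date."""
    last = LAST_SCAN.get(project)
    return (on - last).days if last is not None else None

def policy_violations(mrs: List[MergeRequest], max_scan_age_days: int = 90) -> List[PolicyViolation]:
    """Flag approved merge requests whose project's last scan was older than the
    policy allows at the moment of approval, or whose project was never scanned."""
    found: List[PolicyViolation] = []
    for mr in mrs:
        age = days_since_scan(mr.project, mr.approved_on)
        if age is None or age > max_scan_age_days:
            found.append(PolicyViolation(mr.project, mr.title, mr.approved_by, age))
    return found

if __name__ == "__main__":
    for v in policy_violations(APPROVED_MRS):
        print(f"{v.project}: '{v.title}' approved by {v.approved_by}, scan age: {v.days_since_scan} days")
```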
Projects hosted on GitLab are often an essential part of a business and their processes, and customers entrust us with their production environments and data. But Git repositories and code projects present a potentially easy way for internal and external parties to introduce intentional or unintentional vulnerabilities and security risks.
Another party could insert malicious code into your production environment that introduces further vulnerabilities for you and your customers. With the Compliance Dashboard’s current features, you can see from a merge request who added what, and when, and remove the responsible code quickly. Future iterations will detect potentially malicious code automatically and, depending on your policy, prevent it from being merged or alert you.
Another party could take secrets for your production environment and share them outside of the company. Or, more fundamentally, someone could invite them to a GitLab instance in the first place, leading to multiple other issues. Future iterations will show you who invited whom to your projects, and what level of access they have.
The product manager behind the feature, Matt Gonzales, worked at a handful of smaller startups before joining GitLab. In those roles, he juggled multiple responsibilities, including legal and regulatory issues. To begin with, Matt had to handle compliance with the U.S.-EU Safe Harbor Framework, which evolved into the EU-US Privacy Shield, which then became a supplement to the General Data Protection Regulation (GDPR). Add to that PCI-DSS if you handle payments, CASL (the Canadian Anti-Spam Legislation), CCPA for California, and myriad other regional and global policies, and a team can quickly become inundated with administrative tasks and requests for data. Matt knows how hard it is to manage these extra tasks on top of the main work, and hopes that the new features and dashboard will help lessen that burden.
About the guest author
Chris is a freelance technical communicator for numerous developer-focused companies. He enjoys creating text, videos, courses, and interactive learning experiences, and in his spare time he writes games and interactive fiction.