| Field | Value | Date |
|---|---|---|
| author | GitLab Bot <gitlab-bot@gitlab.com> | 2022-09-15 18:10:36 +0000 |
| committer | GitLab Bot <gitlab-bot@gitlab.com> | 2022-09-15 18:10:36 +0000 |
| commit | 99aa31992d4398d35c9df4854f5fb494984a9e0b | |
| tree | c2ca79f7ea8e5daaf8e62b5d523a986331d97647 /doc/development/gemfile.md | |
| parent | 229395d3af51cd46a9179f2eba142c027d08b208 | |
| download | gitlab-ce-99aa31992d4398d35c9df4854f5fb494984a9e0b.tar.gz | |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'doc/development/gemfile.md')

| Mode | File | Lines |
|---|---|---|
| -rw-r--r-- | doc/development/gemfile.md | 17 |

1 files changed, 17 insertions, 0 deletions
diff --git a/doc/development/gemfile.md b/doc/development/gemfile.md index d993604ab7d..7383616af7d 100644 --- a/doc/development/gemfile.md +++ b/doc/development/gemfile.md @@ -15,6 +15,23 @@ We do not allow gems that are fetched from Git repositories. All gems have to be available in the RubyGems index. We want to minimize external build dependencies and build times. +## Request an Appsec review + +When adding a new gem to our `Gemfile` or even changing versions in +`Gemfile.lock` it is strongly recommended that you +[request a Security review](https://about.gitlab.com/handbook/engineering/security/#how-to-request-a-security-review). +New gems add an extra security risk for GitLab, and it is important to +evaluate this risk before we ship this to production. Technically, just adding +a new gem and pushing to a branch in our main `gitlab` project is a security +risk as it will run in CI using your GitLab.com credentials. As such you should +evaluate early on if you think this gem seems legitimate before you even +install it. + +Reviewers should also be aware of our related +[recommendations for reviewing community contributions](code_review.md#community-contributions) +and take care before running a pipeline for community contributions that +contains changes to `Gemfile` or `Gemfile.lock`. + ## License compliance Refer to [licensing guidelines](licensing.md) for ensuring license compliance. |
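Review bot: the new section's heading "Request an Appsec review" and its link text "request a Security review" name the same process two different ways; pick one (the handbook spells it AppSec) so a reader searching the page finds it, and consider whether "strongly recommended" under a heading phrased as an instruction is the intended strength. The sentence "it will run in CI using your GitLab.com credentials" should say what runs: the branch pipeline installs the updated bundle, so any code a gem executes at install time (a native extension build, for instance) runs inside the job with its credentials, which is exactly why the following advice to evaluate the gem "before you even install it" matters. Grammar in the last paragraph: "community contributions that contains changes" should read "contributions that contain changes".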