summaryrefslogtreecommitdiff
path: root/doc/development/gemfile.md
diff options
context:
space:
mode:
Diffstat (limited to 'doc/development/gemfile.md')
-rw-r--r--doc/development/gemfile.md23
1 files changed, 20 insertions, 3 deletions
diff --git a/doc/development/gemfile.md b/doc/development/gemfile.md
index f9cf69020bb..87304a761ea 100644
--- a/doc/development/gemfile.md
+++ b/doc/development/gemfile.md
@@ -4,7 +4,7 @@ group: unassigned
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
---
-# `Gemfile` guidelines
+# Gemfile guidelines
When adding a new entry to `Gemfile` or upgrading an existing dependency pay
attention to the following rules.
@@ -15,6 +15,23 @@ We do not allow gems that are fetched from Git repositories. All gems have
to be available in the RubyGems index. We want to minimize external build
dependencies and build times.
+## Request an Appsec review
+
+When adding a new gem to our `Gemfile` or even changing versions in
+`Gemfile.lock` it is strongly recommended that you
+[request a Security review](https://about.gitlab.com/handbook/engineering/security/#how-to-request-a-security-review).
+New gems add an extra security risk for GitLab, and it is important to
+evaluate this risk before we ship this to production. Technically, just adding
+a new gem and pushing to a branch in our main `gitlab` project is a security
+risk as it will run in CI using your GitLab.com credentials. As such you should
+evaluate early on if you think this gem seems legitimate before you even
+install it.
+
+Reviewers should also be aware of our related
+[recommendations for reviewing community contributions](code_review.md#community-contributions)
+and take care before running a pipeline for community contributions that
+contains changes to `Gemfile` or `Gemfile.lock`.
+
## License compliance
Refer to [licensing guidelines](licensing.md) for ensuring license compliance.
@@ -73,7 +90,7 @@ to a gem, go through these steps:
apply if someone who currently works at GitLab wants to maintain
the gem beyond their time working at GitLab.
-When publishing a gem to RubyGems.org, also note the section on
+When publishing a gem to RubyGems.org, also note the section on
[gem owners](https://about.gitlab.com/handbook/developer-onboarding/#ruby-gems)
in the handbook.
@@ -132,7 +149,7 @@ that also relied on `thor` but had its version pinned to a vulnerable
one. These changes are easy to miss in the `Gemfile.lock`. Pinning the
version would result in a conflict that would need to be solved.
-To avoid upgrading indirect dependencies, we can use
+To avoid upgrading indirect dependencies, we can use
[`bundle update --conservative`](https://bundler.io/man/bundle-update.1.html#OPTIONS).
When submitting a merge request including a dependency update,
View Lorry Controller Status