summaryrefslogtreecommitdiff
path: root/doc/administration/compliance.md
blob: 573ffbf4686f8d3ee18f6dc516b7b31f8af4004d (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
---
stage: Govern
group: Compliance
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
---

# Compliance features **(FREE)**

GitLab compliance features ensure your GitLab instance meets common compliance standards, and are available at various pricing tiers. For more information about compliance management, see the compliance
management [solutions page](https://about.gitlab.com/solutions/compliance/).

The [security features](../security/index.md) in GitLab may also help you meet relevant compliance standards.

## Policy management

Organizations have unique policy requirements, either due to organizational
standards or mandates from regulatory bodies. The following features help you
define rules and policies to adhere to workflow requirements, separation of duties,
and secure supply chain best practices:

- [**Credentials inventory**](../user/admin_area/credentials_inventory.md) (for
  instances): With a credentials inventory, GitLab administrators can keep track
  of the credentials used by all of the users in their GitLab instance.
- [**Granular user roles and flexible permissions**](../user/permissions.md)
  (for instances, groups, and projects): Manage access and permissions with five
  different user roles and settings for external users. Set permissions according
  to people's role, rather than either read or write access to a repository. Don't
  share the source code with people that only need access to the issue tracker.
- [**Merge request approvals**](../user/project/merge_requests/approvals/index.md)
  (for instances, groups, and projects): Configure approvals required for
  merge requests.
- [**Push rules**](../user/project/repository/push_rules.md) (for instances, groups, and
  projects): Control pushes to your repositories.
- Separation of duties using [**protected branches**](../user/project/protected_branches.md#require-code-owner-approval-on-a-protected-branch)
  and [**custom CI/CD configuration paths**](../ci/pipelines/settings.md#specify-a-custom-cicd-configuration-file) (for projects): Users can leverage the GitLab cross-project YAML configurations
  to define deployers of code and developers of code. See how to use this setup
  to define these roles in:
  - The [Separation of Duties deploy project](https://gitlab.com/guided-explorations/separation-of-duties-deploy/blob/master/README.md).
  - The [Separation of Duties project](https://gitlab.com/guided-explorations/separation-of-duties/blob/master/README.md).

## Compliant workflow automation

It is important for compliance teams to be confident that their controls and
requirements are set up correctly, but also that they _stay_ set up correctly.
One way of doing this is manually checking settings periodically, but this is
error prone and time consuming. A better approach is to use single-source-of-truth
settings and automation to ensure that whatever a compliance team has configured,
stays configured and working correctly. These features can help you automate
compliance:

- [**Compliance frameworks**](../user/project/settings/index.md#compliance-frameworks) (for groups): Create a custom
  compliance framework at the group level to describe the type of compliance requirements any child project needs to follow.
- [**Compliance pipelines**](../user/project/settings/index.md#compliance-pipeline-configuration) (for groups): Define a
  pipeline configuration to run for any projects with a given compliance framework.

## Audit management

An important part of any compliance program is being able to go back and understand
what happened, when it happened, and who was responsible. This is useful in audit
situations as well as for understanding the root cause of issues when they occur.
It is useful to have both low-level, raw lists of audit data as well as high-level,
summary lists of audit data. Between these two, compliance teams can quickly
identify if problems exist and then drill down into the specifics of those issues.
These features can help provide visibility into GitLab and audit what is happening:

- [**Audit events**](audit_events.md) (for instances, groups, and projects): To
  maintain the integrity of your code, audit events give administrators the
  ability to view any modifications made within the GitLab server in an advanced
  audit events system, so you can control, analyze, and track every change.
- [**Audit reports**](audit_reports.md) (for instances, groups, and projects):
  Create and access reports based on the audit events that have occurred. Use
  pre-built GitLab reports or the API to build your own.
- [**Auditor users**](auditor_users.md) (for instances): Auditor users are users
  who are given read-only access to all projects, groups, and other resources on
  the GitLab instance.
- [**Compliance report**](../user/compliance/compliance_report/index.md) (for
  groups): Quickly get visibility into the compliance posture of your organization.

## Other compliance features

These features can also help with compliance requirements:

- [**Email all users of a project, group, or entire server**](../user/admin_area/email_from_gitlab.md)
  (for instances): An administrator can email groups of users based on project
  or group membership, or email everyone using the GitLab instance. These emails
  are great for scheduled maintenance or upgrades.
- [**Enforce ToS acceptance**](../user/admin_area/settings/terms.md) (for
  instances): Enforce your users accepting new terms of service by blocking GitLab
  traffic.
- [**External Status Checks**](../user/project/merge_requests/status_checks.md)
  (for projects): Interface with third-party systems you already use during
  development to ensure you remain compliant.
- [**Generate reports on permission levels of users**](../user/admin_area/index.md#user-permission-export)
  (for instances): Administrators can generate a report listing all users' access
  permissions for groups and projects in the instance.
- [**License compliance**](../user/compliance/license_compliance/index.md) (for
  projects): Search dependencies for their licenses. This lets you determine if
  the licenses of your project's dependencies are compatible with your project's
  license.
- [**Lock project membership to group**](../user/group/access_and_permissions.md#prevent-members-from-being-added-to-projects-in-a-group)
  (for groups): Group owners can prevent new members from being added to projects
  within a group.
- [**LDAP group sync**](auth/ldap/ldap_synchronization.md#group-sync) (for
  instances): Gives administrators the ability to automatically sync groups and
  manage SSH keys, permissions, and authentication, so you can focus on building
  your product, not configuring your tools.
- [**LDAP group sync filters**](auth/ldap/ldap_synchronization.md#group-sync)
  (for instances): Gives more flexibility to synchronize with LDAP based on
  filters, meaning you can leverage LDAP attributes to map GitLab permissions.
- [**Omnibus GitLab package supports log forwarding**](https://docs.gitlab.com/omnibus/settings/logs.html#udp-log-forwarding)
  (for instances): Forward your logs to a central system.
- [**Restrict SSH Keys**](../security/ssh_keys_restrictions.md) (for instances):
  Control the technology and key length of SSH keys used to access GitLab.