Built-in automation and policy enforcement

Identity and access management (IAM) is one of the biggest attack vectors in the software supply chain. Secure access with GitLab by authenticating, authorizing, and continuously validating all human and machine identities operating in your environment.

• Implement granular access control including 2 factor authentication
• Establish token expiration policies
• Set up policies as per organizational or regulatory rules
• Generate comprehensive audit and governance reports for compliance adherence
• Enforce two-person approvals for additional guardrails

Ensure the security and integrity of your source code by managing who has access to the code and how changes to the code are reviewed and merged.

• Establish version control, code history, and access control to your source code
• Use automated code quality tests to analyze the performance impact of changes
• Enforce review and approval rules to control what goes into production
• Run automated security scans to capture vulnerabilities before your code is merged
• Ensure passwords and sensitive information are not in your source code through automated secrets detection
• Implement signed commits to prevent developer impersonation

Verify that all open source dependencies used in your projects contain no disclosed vulnerabilities, come from a trusted source, and have not been tampered with.

• Generate a software bill of materials in an automated manner to identify your projects’ dependencies
• Automatically identify vulnerabilities in any dependent software used through automated software composition analysis
• Run license compliance scans to ensure your project is using software with licenses within your organization’s policies

Prevent bad actors from injecting malicious code into the build process and gaining control over the software built by the pipeline or access to secrets used in the pipeline.

• Isolate your build environment to prevent unauthorized access or malicious code execution
• Maintain release evidence for everything that is included in the release
• Ensure your build artifacts are not compromised with build artifact attestation

Stop attackers from exploiting weaknesses in an application’s design or configurations to steal private data, gain unauthorized access to accounts, or impersonate legitimate users.

• Establish a secure connection with your cluster to deliver your release artifacts
• Identify security vulnerabilities in running applications before deploying
• Ensure your API interfaces do not expose your running application