Dogfood Security Approvals at GitLab
Problem to solve
With pending completion of https://gitlab.com/gitlab-org/gitlab-ee/issues/9928 we will now have Security Approvals built into GitLab. This provides a simple mechanism for requiring approval from a predefined security team if an MR contains a severe vulnerability.
As part of using our own product we should use this internally. This issue proposes we enable security approvals within company projects and discuss a rollout plan.
Intended users
gitlab-ce~9335216
Further details
Proposal
A couple options in ascending order of process complexity:
- Enable for security-products/(sast|dast|dependency_scanning|container_scanning) projects
- Enable for all security-products/** projects
- Enable for gitlab-ce/gitlab-ee
- Enable for all gitlab-org projects
Permissions and Security
We need to determine who will be members of the Vulnerability-Check approval group
Documentation
Depends on https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/30959
Testing
We should open a retrospective issue to discuss the impact after the process has been implemented
What does success look like, and how can we measure that?
Fewer vulnerabilities of high, medium, critical, or unknown severity are introduced into GitLab products