Compliance Adherence Reporting

This page contains information related to upcoming products, features, and functionality. It is important to note that the information presented is for informational purposes only. Please do not rely on this information for purchasing or planning purposes. The development, release, and timing of any products, features, or functionality may be subject to change or delay and remain at the sole discretion of GitLab Inc.
Status Authors Coach DRIs Owning Stage Created
ongoing nrosandich huzaifaiftikhar1 theoretick govern compliance 2024-07-08

Summary

This blueprint serves as living documentation of the technical considerations in the implementation of Compliance Adherence Reporting. This includes functionality in Compliance Frameworks, the Compliance Center and the relationship with Security Policies.

Proposal

Outline how compliance enforcement and visibility will be handled through Compliance Frameworks as an evolution from Compliance Standards Adherence.

Motivation

There are three main parts to compliance posture of a customer Enforcement, Visibility, and Audit History.

Enforcement

Enforcement within GitLab is currently done through Security Policies and Compliance Pipelines. This gives users two very different ways of implementing the same functionality, which has been described as confusing for users. Compliance pipelines also have some inherent technical limitation, see epic.

Visibility

Currently the Standards are hard coded in the Adherence report (renamed to Status report) and separate from Compliance Frameworks. This makes the system inflexible as we look to:

  1. Use Compliance Frameworks to include certain projects in the Adherence Report and distinguish which requirements those projects are complaint with.
  2. Add a Requirements level to the Adherence report
  3. Add more Standards and Checks
  4. Allow users to customise Standards
  5. Allow users to create their own Standards
  6. Allow users to create customisable Checks

Audit History

This is currently achieved through compliance events (Audit events and Violations within MRs).

Background

Deprecate compliance pipelines

We deprecated compliance pipelines in favour of pipeline execution policy in GitLab 17.3. This decision was taken to align with the future state of enforcing compliance through security policies.

Scope policies through compliance frameworks

We introduced the capability of scoping security policies allowing us to enforce policies against a specific set of projects or against projects applied a given set of compliance frameworks. This helped us move towards the goal of enforcing compliance through frameworks.

Multiple compliance frameworks

Before GitLab 17.3 it was not possible to apply more than one compliance framework to a project. To work towards the future state of allowing users to customise the adherence dashboard, we created the ability to apply multiple compliance frameworks in GitLab 17.3.

Goals

  1. Provide support need for multiple frameworks
  2. Incongruence with compliance pipelines and security policies
  3. Use Compliance Frameworks to include certain projects in the Adherence Report and distinguish which requirements those projects are complaint with.
  4. Add a Requirements level to the Adherence report
  5. Add more Standards and Controls
  6. Allow users to customise Standards
  7. Allow users to create their own Standards

Non-Goals

  1. Allow users to create customisable Controls
  2. Compliance events
    1. Violations within MRs
    2. Audit events

Terminology/Glossary

  1. Framework
    1. A Compliance Framework is a user-modifiable capability within GitLab to identify projects that have certain compliance requirements or need additional oversight. Compliance Frameworks generally align with established industry compliance frameworks such as SOC2 or ISO 27001.
  2. Standard - deprecated in favor of framework
    1. A standard groups together compliance checks in the Adherence report. Compliance standards align with established compliance frameworks/standards such as SOC2 or ISO 27001
  3. Adherence
    1. Reports the percentage of a projects compliance posture against a compliance framework. For example if Project A is 50% complaint towards Framework A.
  4. Policy
  5. Requirement
    1. A particular requirement from an industry standard compliance frameworks/standards such as SOC2 or ISO 27001. Usually a statement of intent for a particular part of the compliance framework. These are broken down into specific Controls.
  6. Check
    1. A Check is a review of a project’s settings, to confirm that it is in a particular position. Checks compose a percentage of a project’s compliance posture against a Control.
  7. Control
    1. A control is a specific compliance rule that needs to be met to meet a compliance requirement. Enforcement of this is achieved in GitLab through settings, Security Policies or Compliance Pipelines.

Decisions

Design Details

See Scalability review document for further details.

We decided to use Sidekiq workers for creating checks and storing the adherence configuration in database as relational data. It was decided to combine compliance_checks and compliance_requirements tables to reduce redundancy.

The compliance requirements would be stored in a separate table with the following schema:

    classDiagram
    class namespaces {
        id: bigint
        name: text
        path: text
        ...(more columns)
    }
    class projects {
        id: bigint,
        name: text
        path: text
        description: text
        ...(more columns)
    }
    class compliance_management_frameworks {
        id: bigint,
        name: text,
        description: text,
        ...(more columns)
    }

    class compliance_requirements {
        id: bigint
        created_at: timestamp
        updated_at: timestamp
        namespace_id: bigint
        framework_id: bigint
        name: text
        description: text
        requirement_type: smallint
        external_url: text
        expression: text
    }

    class project_compliance_status {
        id: bigint
        created_at: timestamp
        updated_at: timestamp
        project_id: bigint
        namespace_id: bigint
        compliance_requirement_id: bigint
        status: smallint
    }

    class compliance_framework_security_policies {
        id: bigint
        created_at: timestamp
        updated_at: timestamp
        framework_id: bigint
        policy_configuration_id: bigint
        policy_index: smallint
        project_id: bigint
        namespace_id: bigint
    }

    compliance_management_frameworks --> compliance_requirements : has_many
    compliance_management_frameworks <-- compliance_requirements : belongs_to
    compliance_management_frameworks <--> projects : many_to_many
    compliance_requirements <--> compliance_framework_security_policies : has_and_belongs_to_many
    projects <-- namespaces : has_many
    projects --> namespaces : belongs_to
    namespaces --> compliance_management_frameworks : has_many
    namespaces <-- compliance_management_frameworks : belongs_to
    projects --> project_compliance_status : has_many
    projects <-- project_compliance_status : belongs_to
    compliance_requirements --> project_compliance_status : has_one
    compliance_requirements <-- project_compliance_status : belongs_to

We created a new table project_compliance_configuration_status for storing the results of compliance requirements and plan on dropping the existing project_compliance_standards_adherence table. We no longer have a standard column as we don’t want to associate requirements directly with a standard, allowing the users to customise and group requirements as per their need.

Unlike the current implementation we would only store results for the projects that have compliance requirements configured. Instead of an enum we would store the compliance_requirement_id in the project_compliance_configuration_status table and would display these results at the compliance dashboard.

In the next iteration we would also allow importing and exporting the compliance requirement configurations.

Implementation Details

Issue Milestone MR Status

FAQ

Compliance Frameworks ADR 001: Triggering Checks

Context

We need to offer compliance tools to enable our customers to know if they adhere to certain rules, standards, regulations, and guidelines. For this we need to create checks within GitLab that can be related to the software development standards, frameworks, regulations or laws in the industry.

Approach

We thought of the following approaches for creating the concept of checks within GitLab:

  1. Use Audit Events as Checks
  2. Use Audit Events as trigger points for creating Checks
  3. Use Sidekiq workers for creating and updating Checks (selected approach)

Example

Let us assume that we have a compliance check called “Prevent approval by merge request authors”. To comply with this check, we must prevent users from approving their own merge requests.

Compliance Frameworks ADR 002: Custom Adherence Report

Context

We delivered compliance standards adherence report MVC. This was well received by our customers, however, we received feedbacks around the possibility of customising the compliance adherence dashboard. The existing compliance standards adherence report displays all the checks that are currently supported and displays the compliance status of all the projects within that group. Currently, users cannot configure this behaviour.

Approach

To allow customising the compliance standards adherence report we plan to introduce the concept of compliance requirements and compliance checks.

Compliance Frameworks ADR 003: Custom Controls

Context

We want the ability to create custom requirements so that users don’t need to rely only on the exhaustive list of controls that GitLab supports or would support in the future. Users could also have external services that might impact whether their projects are compliant to a standard or not.

Approach

To allow users to create controls on their own as per their requirements we need to have the following types of requirements:

Compliance Frameworks ADR 004: Time Based Triggers

Context

As outlined previously, we decided to enqueue Sidekiq workers for processing compliance with framework requirements and their checks. In the previous ADR it was decided to trigger a compliance evaluation when toggling relevant project or group settings, however there are several disadvantages to using such an approach.

Challenge 1: Requirements that do not map directly to settings

Certain requirements do not map 1-1 with project or group settings, for example ensuring all vulnerabilities have been triaged within a 30-day SLO. To perform such a check we need to evaluate a time-based sliding window, which requires enqueuing the compliance evaluation on recurring basis.

Compliance Standards Adherence Dashboard MVC

Context

We recently released compliance standards adherence dashboard MVC. In this iteration we introduced the concept of standard and checks. In the initial iteration we started with GitLab and SOC 2 standards.

GitLab Standard

The GitLab standard consists of three checks:

SOC 2 Standard

The SOC 2 standard consists of one check:

Approach

  1. We would create a service class for each of these checks and this class would be invoked by a Sidekiq worker in the background.

Compliance Standards Adherence Scalability Review

Context

In https://gitlab.com/groups/gitlab-org/-/epics/13295+ we are delivering a new experience where customer can configure their own compliance requirements through compliance frameworks and then report and enforce those requirements through the adherence report and security policies.

To accommodate large-scale implementation of compliance frameworks (1000+ projects), we must prioritize scalability and ensure the feature remains performant even under heavy workloads.

Due to the configurability and importance of these features it is critical to ensure a smooth experience and adaptability of the features.

Last modified October 23, 2024: doc: Add Compliance Adherence ADR 004 - time based triggers (ac8fc288)
View page source - Edit this page - please contribute. Creative Commons License