GitLab Security Resource Center

Commonly requested resources

Contacting GitLab for reporting security issues

• Reporting Abuse
• Coordinated Disclosure Process
• HackerOne Reporting Process

GitLab’s Customer Assurance Package (CAP)

Our Customer Assurance Package contains documents such as our SOC2 report, ISO 27001 certificate, penetration test executive summary, and pre-filled CAIQ and SIG questionnaires, among many other documents. Please see our CAP page to request the package.

GitLab’s Trust Center

Our Trust Center outlines the various compliance and assurance credentials that GitLab maintains. This page also contains links to important security, legal & privacy, and availability resources, such as an overview of our security practices, our Environmental, Social, and Governance strategy, and our production architecture.

Frequently asked questions

The following links contain frequently asked security, legal & privacy, and availability questions.

• Security FAQs
• Legal & Privacy FAQs
• Availability FAQs

Control topics

Table of contents

| Acceptable use | Access management | Business continuity | Cryptography | Data classification | Disaster recovery | Endpoint management | Hardening | Incident response and communication | Independent assurance | Logging and monitoring | Network security | Privacy | Security awareness | Third party risk management | Threat modeling | Vulnerability management |

Acceptable use

• Internal acceptable use policy
• GitLab’s terms of use

Access management

• Access Management Policy
• Access Review Procedure
• Access Request process

Business continuity

• Business Continuity Plan
• Business Impact Analysis
• Information System Contingency Plan

Cryptography

• GitLab cryptography standard
• Encryption policy

Data classification

• Data classification standard
• Record retention policy
• Records retention and disposal standard

Disaster recovery

• Disaster recovery plan
• Database disaster recovery
• Database overview

Endpoint management

• Endpoint management at GitLab
  • Jamf
  • EDR
• Use Gitleaks as a pre-commit git hook on laptops

GitLab.com hardening techniques

• GitLab projects baseline requirements
• GitLab security requirements for deployment and development
• How to harden your self-managed GitLab instance
• The ultimate guide to securing your code on GitLab.com

Incident response and communication

• Security incident communications plan procedure
• Security incident response guide

Independent assurance

• Independent Security Assurance

Logging and monitoring

• Monitoring of gitlab.com
• Log management for gitlab.com
• Logging and monitoring architecture
• GitLab audit logging policy
• Log and audit requests process
• Infrastructure department KPIs
• Infrastructure production runbooks

Network security

• Network security management procedure
• GitLab security requirements for deployment and development

Privacy

• GitLab Privacy Statement
• Team Member Privacy Notice
• U.S. State Privacy Rights and Disclosures
• Account deletion and data access requests workflow

Security awareness

• Security training
• Security awareness training program
• Security awareness training procedure
• Phishing program

Third party risk management

• Security third party risk management

Threat modeling

• Threat modeling at GitLab
• Threat modeling How To Guide
• Application security threat modeling process

Vulnerability management

• Vulnerability management standard
• Application vulnerability management procedure
• Infrastructure vulnerability management procedure

View page source - Edit this page - please contribute.