Application Security - Automation and Monitoring
Monitoring
The Application Security team uses a number of automation initiatives to help secure GitLab. These are not all authored by the AppSec team but they’re all useful to us. The points are listed in no specific order.
- Gem Checker monitors suspicious activity on RubyGems.org for gems that we use at GitLab
- sec-appsec-mr-alerts identifies MRs that modify dependencies used in our projects
- Public MR Confidential Issue Detector monitors for public merge requests that should have been opened in our security mirror
- Custom SAST rules detecting known-vulnerable code patterns that alert the AppSec team in the MR (related MR)
- untamper-my-lockfile included in CI to prevent lockfile tampering
- Package Hunter detects suspicious activity in dependencies at runtime (related runbook)
- GitLab Inventory monitors our projects and violations of security best practices and standards
- GitLab’s own application security features are running in CI
- Tokinator monitors for leaked credentials
- AppSec Escalator which is a tool that…
- monitors that security issues are labeled properly
- sets appropriate due dates on security issues
- escalates overdue issues
- detects potentially sensitive files posted in public issues
- depSASTer runs SAST on the dependencies used by GitLab
- Maintainer Watcher monitors potentially compromisable dependency maintainer accounts
- depscore runs dependency review checks on new/updated depndencies in
gitlab-org/gitlab
project.
Last modified April 17, 2024: Migrate AppSec under the Product Security namespace (
7009463b
)