Application Security Runbooks

Note for New team members

Whenever you are on a rotation (HackerOne or Triage Rotation or doing your onboarding process and need help or advice, reach out in the #security_help Slack channel or ask during an AppSec Sync meeting. Here are some examples on scenarios where you may need ask or need help:

  • You’re doing your onboarding tasks, threat modeling, or appsec reviews, and you’re stuck on it; or don’t know how to tackle something in particular
  • You’re on ping rotation and you don’t know how to deal with a particular situation or what to do with a specific question
  • You’re on HackerOne rotation and have to deal with a hard report
AppSec Engineer's Local Setup
When evaluating security issues or MRs, it can be useful to have a way to reproduce issues, dig in …
AppSec Frequently Asked Questions
A curated list of the most frequently asked AppSec related questions
AppSec Holiday and Friends and Family Day Coverage
This runbook describes the process for times when the Application Security team has team members …
AppSec Review Template Process
This review template is tailored to application security reviews of GitLab features. Parts of it might be applicable to other software, other parts might not.
AppSec Threat Modeling Process
This threat modeling process is tailored to GitLab features.
AppSec's Engagement Plan and Ways to Measure Usage of Secure Code Warrior
How can AppSec Engineers Contribute to the Secure Code Warrior Training Program? If anyone from the …
Bug Hunting Day Process
Bug Hunting Day Process The Application Security Team has a bug hunting day on the last Friday of …
Dependency review guidelines for AppSec engineers
This content has been moved to Supply Chain Security for Open Source Dependencies and Libraries.
Federal AppSec Container Scan Result Review Process
Certain customers scan containers that GitLab provides for known vulnerabilities and other security …
Investigating Package Hunter Findings
List of Package Hunter Findings Any Package Hunter related finding can be found on this dashboard …
JiHu Contribution Merge Monitor Reports
The Merge Monitor tool looks in public GitLab repositories that JiHu contributes to for merge …
Security Dashboard Review
Frequency: Daily AppSec engineers are responsible for triaging the findings of the GitLab security …
Triage Rotation
Application Security team members are alphabetically assigned as the responsible individual (DRI) …
Last modified December 11, 2025: Fix all references to (soon to be archived) #sec-appsec channel (d7426bba)
View page source - Edit this page - please contribute. Creative Commons License