Description
We talk about GitLab's internal Security Compliance team's pain points in using GitLab for our own audits and compliance management. Steve highlights some of the challenges he has that provide great insight for the Manage:Compliance group.
A
Yeah, of course. I'd say, just from my perspective, one of the limitations I see is Markdown tables; they're just not super friendly, just from a tracking perspective. I have historically documented a lot of the compliance work that I do either via spreadsheets, so Excel or even Google Sheets, but I feel like I'm missing out on just some of the analytics I can get, like being able to filter and easily have a repository of all of it right here: here are the controls, here's our own remediation, or, like, here are controls that have failed in our past audit and we need to track the remediation. So I feel like, from an efficiency perspective, I lose time having to dig through separate control issues all the time, or it's like creating another issue as a master issue to track, you know, a bunch of child issues. So I was wondering what you are working on, like what are the big features that you're working on from a compliance perspective and trying to build into GitLab.

B
The idea there is that the long-term vision is, if you can create this project, or it's populated with these issues in some way, and you can use labels or some of the features in GitLab to track that, then we could eventually report in the compliance dashboard to say: hey, of your hundred and eighty you're 80% complete, because, you know, 120, 130, whatever issues are marked with the complete label. So there's some simple tracking stuff we can do there.

B
That's kind of the extent right now of what's planned for that type of context. There's a lot of other things that are happening in the compliance space, but it's primarily around more or better auditability and traceability with audit events, general reporting with the dashboard, exporting data from the audit events tables, from lists of users and memberships, that kind of thing. What I would really like to understand, though, is if you could talk to me about why linking to a spreadsheet is not ideal and what you envision as well.

A
So, if I have, if I have like a workbook or a spreadsheet that I can open up and I can see every single control that is in scope for our audit requirements, and then being able to get metrics from that spreadsheet, looking at the various risks that we've mapped to controls or various compliance requirements, that would be great. It sounds like some of that would already be accomplished with this dashboard that you're talking about, that would be able to see, so I'd be interested.

B
Yeah, absolutely. So what I can do real quick is I'll walk you through the interactive prototype that we've built and collect, kind of, get you to give me some feedback on that, and then I think, as far as MVCs, yeah, absolutely, well, I'll be sure, if you want, I can ping you or I can ping a list of folks, you just let me know, on the issues as we start working on them, so that you can chime in async and then hop on sync meetings as necessary.

B
So the dashboard right now, the MVC that is already in production, is basically this, right, and all it shows is the most recent merged merge requests for all the projects in a group. So the reason we're doing that, even though it's somewhat similar to an existing view that we have: the idea is that all of the compliance information that our customers need is already in GitLab, right, as you all know; it's a matter of aggregating all of that into one place so that you don't have the administrative overhead of going into...

B
You know, multiple hundreds, dozens of projects, multiple groups with hundreds of projects, to then find that data from, so trying to surface all of that very easily. So this is the current MVC, and what we're thinking in terms of longer term, well, I'd just say shorter or longer term, medium term, you know, six months out, is achieving something like this, where this merge request view has evolved to show some more key details. We'll probably add things like the pipeline results.

B
Excuse me, things like maybe allowing customers to specify external systems they can call as part of the pipeline or as part of a merge request that we can surface here, and the intent with these filters is to be able to give them the ability to sort those views, because oftentimes, as you all know, the auditor will say, show me this specific subset of data. Show it for the last week. Show it for the last six months.

B
Show me random sampling over the last six months. And so being able to add that filtering in here and then even, ideally, a really great quality of life improvement I think is, based on the filtering that you do, being able to kind of favorite or bookmark that criteria and, like, save it, so you can just one-click pull that up for the next audit, or adding widgets like the license compliance so that you can see, for your projects, which ones have, you know, exemptions, pass/fail or approvals on certain licenses.

B
We're also wanting to incorporate project tagging so that you can tag projects as SOX, PCI, HIPAA, like whatever the framework is. A simple visual indicator for now, as an MVC, I think is valuable because it communicates to everyone, like: oh, this project is gonna have kind of a heightened sense of regulation behind it, and so it's not gonna operate as other normal projects. But then we'll be able to filter by those, and same thing, if an auditor asks, okay, well, show me your projects that are PCI compliant.

B
It's like, okay, here's these four, and then you can kind of delve into those as granularly as necessary. But then, the most important for last, in your context, is this Issues tab. And so the intent here is to make this much more verbose, right. So, like, this bar graph is really just symbolic in nature; we want to show visuals of some sort.

B
This would be assuming that we use that process I talked about earlier, where, if you're labeling with our label system, we can then scrape that data to understand how we can filter based on that criteria. But then this could evolve further to say: well, if you have, let's say that all were completed, for example, and so you had 180 completed issues, well, because those hundred and eighty are completed, we could add a widget that says here are the four other compliance frameworks or regulations that you are 10, 13, forty-seven percent compliant with because of these requirements.

A
This is awesome, this is super cool, yeah. This is the type of information that I, like I know, like I was saying earlier, it's part of my workflow. One thing right now that I'm finding is toughest: if I want, like, an up-to-date status of where any control is that we're currently working on, I have to navigate specifically to that issue.

A
We do use labels, but I guess one of the issues that we face is that, you're talking about being verbose here and the information presented in this dashboard, our labels are very high-level. So I can pull a consolidated list of, hey, these are the controls that are either still open or controls that we're blocked on, but if I want specific information, I still have to drill down a little bit more. But this is, this is super cool. Wow.

B
Yeah, there's a couple other dynamics that I think have the potential to solve that latter problem, right, of needing granularity. So we met with MEC to talk about this yesterday and he shared that they have a GitLab bot that helps with test cases. Excuse me, and what happens is, like, I think an issue is created for each test case and then I think the bot automatically appends data to those issues about that test case. So, where that's relevant is we could leverage that precedent to say:

B
Okay, for these hundred eighty audit issues, whenever certain actions are taken, let's say there's a merge request, that bot should automatically document parts of that merge request activity into various different issues. So, let's say 20 different issues require some evidence artifact. Maybe it's the whole merge request package, which includes, like, pipelines, the linked issues, the results of the tests and scans, etc. Maybe that goes into five of those issues, and only subsets of that are required for the other ten or 15. You can then programmatically add that, but...

A
Sorry, so I'm just making sure that I'm understanding correctly. So, like, a merge request that would be used to support, like, a change management process, and let's say, you know, like at GitLab we have like four or five different change management controls that require that, before a merge request is merged, there's testing, there's an approval. So there's, like, a bot that could grab that information from the MRs that happen and then populate those control issues accordingly, to make sure that that information is consolidated at the control level. That's...

B
Because even, right, because, like, some requirements might say, I just want to see that you have at least one more set of eyes on approvals. Okay, well, I don't need the whole evidence artifact; I just need you to show me that for this merge request ID, here's the approvers that are listed as required, and here's the one or two people who approved it before it was pushed into production. And you don't necessarily need the pipeline's test results, etc., for that specific requirement, but those artifacts are relevant for other issues or requirements.

B
So in theory, what we could then do for the granularity piece is, as that's being documented in the issue, we could figure out a way to tag that or programmatically add some static content that we could then scrape and use as an indicator to say: yes, this is, you know, 10, 20, 30, 40% complete. So if we need, for one requirement, show me a sample of six of these, well, if there's only five, we can infer that, like, oh, there's only five comments on this thread.

A
Awesome. I'm curious, as part of this, building out these different compliance feature sets, have you thought anything about how GitLab is configured? I know, for me, one of the things that I would love to see is being able to either scan what we would consider, like, in-scope repositories or projects and being able to quickly see if, like, the infrastructure team has configured their project to have, like, a protected branch, or they configured the merge request "author cannot be approver" setting, and I...

B
There are some limitations there, and so we pivoted to a much simpler MVC, which is, well, it's just label projects. Let's let our customers identify these projects as a particular framework. And so one of the motivations there was that we have a setting, among many, right, to enforce certain things. One of the settings we released recently was disabling self-approval.

B
But to your point, we could then also say: okay, scan only projects that are in scope, which are gonna be labeled with a compliance framework, and give me some output to show what's set. We could do it one of two ways, right, like: here's a baseline to check against, give me a report against that; or we can say, just show me, give me an export that says what settings are enabled for this project, kind of like an entire data dump, so that customers are empowered to do what they want with that.

A
No, this is, this is super cool. This is exciting stuff. I'm new, obviously, to the side of building compliance feature sets into product, like I've never worked in a product management type capacity. So this is awesome stuff, at least for me. I'd love to participate more as we continue to iterate and talk through the types of compliance features that we can build into the product, and yeah.

A
But let me know if there's anything I can do in terms of, like, testing or getting into a test environment and adding some controls that I'm working on and trying to work them out of the features that we have, and I can provide feedback based on what I'm seeing and the experience that I'm having working with these features. I'm happy to do that. It'd be awesome.

B
More than happy to have you participate. There's a couple of opportunities. So there's the planning issue that I create every month, and then I have one that kind of looks forward a few milestones; you're always welcome to contribute to those and comment on those with whatever you want, whether it's, hey, this is really cool, or, what about this other thing? You know, just a totally open forum. There's the compliance SIG, the special interest group, which has some customers who have opted into it. Jeff Burroughs is part of it.

B
That's another avenue where I post a monthly discussion. I'm just, there's not a whole lot of participation; I'm hoping to change that, but that's another forum to just comment, because I'll just kind of very succinctly summarize, like: here's what we did last release, here's what the plans are for the next one, here's what I'm asking of you as the participants. Some other opportunities are: we have a weekly compliance sync meeting every Monday, somewhere between 8 and 9 a.m., it varies a bit; you're welcome to join that. Those are also recorded.

B
There's a product designer meeting, which is usually also on Mondays, where I talk with my product designer, Daniel Mora, about what we're working on, and we kind of iterate and brainstorm and go through that design process. And then there's also the G manage compliance Slack channel, which you're welcome to hop into, where you'll see the occasional TAM or so ask questions of us, some conversations that I'll post up about recordings or things that we're working on. And then I'm also open to any other suggestions.

A
Feel free to shoot me a link and then I can also solicit that to my team, just to see if anybody else is interested in participating. But I mean, I figure at some point, ultimately, you know, our group is going to be a heavy user of these features, so it'd just be really cool to kind of jump in and do a little bit of testing and see what we have and be able to provide feedback.

B
Yeah, you know, I'd be happy to invite you to it, and, you know, it might even help spur up some discussion. I think kind of the next attempt to get more participation would be to set up maybe a monthly call. What I might do is I'll probably share a recording I did with one of my front end engineers, Rob, and then maybe post, like, put this on GitLab Unfiltered and share that link as well onto that SIG, just so they can see.

B
So we have some good discussions, trying to collaborate on a few different things. So there's actually a really positive, encouraging, collaborative environment around this particular thing, whereas, I think I know where you're coming from, how, like, compliance is usually this, like, big headache; nobody wants to deal with it, it's an expense, it's not a value-add. And so there doesn't seem to be that paradigm here, from my perspective. That's...

A
Awesome, that's super, super good to hear. I know we're brushing up on time here. What I'll do is, once this recording is finished, like, finalizing on my computer, I will get it up there and I'll shoot a link over to you, so you can have it. And then, in the meantime, yeah, I would love an invite to the special interest group for compliance. I'd love to participate more. Cool.