From YouTube: Rob & Matt: Learning About Manage:Compliance
Description
Rob Hunt (Frontend Engineer) & Matt Gonzales (Product Manager) talk about the Manage:Compliance group to provide more context about the current state of the group, future plans, and what Compliance is and means for GitLab customers.
A: So it's a bit of a loaded question, because there's a few facets: we have internal compliance and we have external compliance, and external means, like, our customers and users using our platform in a compliant or regulated environment. So I'll focus on the latter. So compliance for our customers generally is they're trying to solve that challenge of: we as an organization, so I'm a customer, my organization, cusp or a, has a set of policies. Those policies dictate everything from how strong your password has to be to how they handle your HR data. Deploy, I have to actually do those things, so that I can then, number three, prove that I did them. So the auditor will ask for that evidence: show me, if you say you scan every code deploy, show me a code deploy from today, from a week ago, from a month ago, from 43 days ago, from six minutes and 23 seconds ago. Like, they're gonna pick samples, because in theory, if you have met that criteria, you do that for every step, then yes, you are doing what you say.
B: That makes sense. So, specifically about auditing, this is very dependent on which compliance, I guess it's called a framework, isn't it, a compliance framework, that they're using. In terms of the frameworks, they sign up to them, or they require... I assume they're required to do them for, you know, business reasons, like financial institutions or government-related contracts, whatever; they have to comply with certain regulations to be able to work in their fields of interest.
A: Yes, so for clarity, there are a series, a multitude of different frameworks. They generally spawn out of legal or regulatory requirements at kind of the government level. So, for example, Sarbanes-Oxley in the US was, I believe the origin is Enron, but largely to help regulate financial institutions to prevent that kind of thing and instill best accounting practices and principles. Things like the GDPR, of course, spun out of data regulation that was routed back and I...
A: So if I'm a financial institution, it's gonna be Sarbanes-Oxley, most likely gonna be PCI, there's probably even some elements of HIPAA depending on the type of financial institution you are, and so my policies are gonna do the best to find that middle ground. So I don't have the same policy but a slightly different flavor for each framework; it'll be, they'll find, generally they'll find, like, the common denominator, like what's the most strict thing we can do, or maybe the least strict thing, depending on the culture.
B: And does that mean that GitLab has, I guess, built these frameworks into the product, or a subset of frameworks, or is it more about picking out the requirements of individual frameworks and integrating those in? So, like, security auditing, or checking that you've got the right kind of license on our projects, or whatever it may be. So, rather than saying "we support HIPAA, blah", we say "we support these features", which then allow you to meet your requirements with your framework, right?
A: There is some truth in the "yes" answer to the first part as well, right. So, like, the second part, you nailed it perfectly; well articulated, I think you've got that perfect. The first part is we're working on some ideas around, like in the kickoff call, building the project templates that have pre-populated audit issues. What we've teased out from customers is that they have an internal auditor or compliance team who's asking for data or evidence or something to help supplement the compliance program.
B: Okay, that makes sense. So I guess that kind of... so we've already discussed compliance for users, and so I guess we could... it leads on quite well to what GitLab is offering at the minute for compliance, and then further on to that, what are we aiming to do long term, Q1, Q2, whatever, for the remainder of this fiscal year? Yeah.
A: So, if we can, I'll walk you through one example that kind of answers the second part, of like the Q1, Q2 kind of thing. So one thing that we're trying to implement is the project topics MVC, where customers can label. What that allows us to do is several-fold. One, we can associate certain projects with those frameworks, and we can report on them in the dashboard for general visibility. Two, we can say, as we implement more features at the admin or group level that restrict certain project behaviors or activity,
A: you can apply it selectively to projects instead of a heavy-handed broad stroke. So you can say, apply this setting to the SOX and PCI project topics, for example. So it gives an element of control there, and we can also report on those relationships. But then the third, and I think one of the most valuable takeaways, is we can then go back to those customers and do very targeted research and say: of the ten projects you have labeled as SOX, what are the...
A: What are the settings that are enabled for that? And then we can derive that common ground to say, okay, these ten projects share all of these same settings and values. So we can create project templates that are geared towards SOX, so now, when they create a new project, it's: create a project, use the Sarbanes-Oxley template, and that imports the settings.
A: Maybe it also imports the audit issues that we're tackling in a separate MVC, and I have this holistic kind of out-of-the-box project template that just sets you up for success, rather than the current workflow, which is: you create a new project, you have to maybe build a custom script or manually go in, and the overhead of making sure everything's there, maybe creating the issues.
A: But even still, we have a lot of work to do to add more settings that give admins and group owners the control they need to lock things down, specify certain activities, like that. So that's a core focus, because right now the common theme is just: we don't have enough control of our environment. Yeah.
B: That makes sense, and I guess specifically for the project topics we're going to have to differentiate compliance topics from more generic ones. Yeah, so does that mean that we're gonna run for the budget topic, so we're gonna... is the aim to eventually allow them to define any topic under compliance that they would like, or are we going to be very specific and say these are the frameworks that we support, so then we can do the automated work that we want to do? Yeah.
B: Does that mean we're gonna provide a way for users to, say, ping us a message and say: can you support this framework, X framework? So we can start getting stats to say, you know, I don't know, you know, 200 of our users want this specific ISO thing, only one of them wants this other framework, so we can start to see where the priorities are.
A: Yeah, absolutely. So I think that that's absolutely a path we should be on, to collect that data and help prioritize the frameworks we support. And "support" is kind of general, right? I think, in my mind, that means that we have this project template, we have the sensible defaults that are ready to go as our settings, it comes pre-loaded, maybe optionally, with the issues that map to the actual framework, and maybe there are other workflows or experiences we create that complement or support that specific framework, versus just: oh, now you can just create the topic.
A: It'll be interesting, because what I imagine we'll hear will be kind of like this: that there will be maybe 10 that are kind of commonly applied, and then everything else after that would be, you know, smaller, much smaller volume. That's my assumption, but I would hope that we're also at a point, when we're ready to start taking that input, that it's also a pretty streamlined process from our perspective.
B: So this sort of... my next couple of questions are very compliance dashboard, which is the target, I guess, for Q1 and beyond: to try and get an MVC out whereby our users can see, either, I guess, on an admin, group, project, I don't know which, all three maybe, level, where they are at in terms of meeting their requirements for their compliance framework, plus seeing any issues or problems that may arise as a result.
A: That's a great question. So, yes, you did more or less answer, which is great, and I'll supplement it with: the biggest problem we've encountered from talking to customers is that GitLab already has a lot of this data that they need to prove or monitor compliance. The problem is that it's not aggregated anywhere in a view that's very relevant or specific to their context. So we have, you know, a security dashboard you can go to to view very security-specific things; we have an analytics dashboard.
A: I want to go to this dashboard and then answer all the questions I have, like: hey, do I have any merge requests and you detention, do I have any projects that are in violation of policy? Are there memberships that are being granted that shouldn't be? Is there something configured or unconfigured that should or shouldn't be? And the moment that this person has to go outside of the dashboard to answer a question, we should be able to capture that in some way, right.
A: Customer interviews, walkthroughs, that sort of thing, to say: okay, why did you go over there? Why'd you go to this other view to get that thing? And if that's something we can apply broadly to the compliance person or use case, then we should do that. So, yes, like, that's the core problem: that this compliance-specific data is not currently consolidated into one view, and people are having to work too hard, to write custom tooling, to manually click through groups and projects to find that information.
B: I was sort of targeting, or thinking about: so we've got the concept of a compliance dashboard, and we've got the overarching aim of providing absolutely everything you need to get to meet your... what you need to do to make sure you are meeting your compliance needs. But as a subset of that, obviously, that's a very broad topic with quite a lot of complicated aspects to it, and I was just trying to dig to see: were there any specific ones that came to mind in terms of trying to solve or figure out?
A: It's another great question. I don't think... I can't think of anything off the top of my head that's a very specific challenge, in terms of something very concrete. I can speak broadly to two challenges in particular. One is that we have this challenge, kind of what I alluded to earlier: organisations might be in the same industry with similar operations, but they're gonna have different policies.
A: A very oversimplified example is: were the same or different organisations, same profile, but you might require three approvers for a merge request, I might only require two, and so even nuances like that are just difficult to surface in a way that's universally alertable. So, trying to navigate that challenge. The second challenge, on our end, the technical side, is that, because GitLab is such a broad, large, massive application, figuring out how do we bring in all of this data that already exists in a way...
B: So my final question is very specific, I guess, to my situation, but I'd be happy, if you wish, to coordinate to others or other disciplines: what could front-end engineers be doing to help compliance further reach these goals? Well, not necessarily... I'm not targeting the... per se, saying we're not doing these; more generally.
A: And I appreciate that question. I think, from my perspective, the engineers, both front-end and back-end, have just been absolutely phenomenal, right? Asking the right questions at the right times, pushing back, challenging, seeking clarification; I think that's all very healthy and productive. I think one thing I would add on to it, as kind of a nice-to-have, would be trying to give thought to,
A: you know, as this vision forms and we start putting out more design prototypes and validating things, feeling that autonomy and that freedom to suggest: hey, I see where you're going with this, but what this other thing, and, like, I have this other idea, and wouldn't it be cool if we did this instead? Because I'm very close to the subject matter, so is Daniel, you know, as a product designer, and I think
A: what's really valuable is having you, as the technical experts, provide that insight and that feedback, because even an idea that you might feel might be silly or insignificant could manifest as something really important and valuable for our customers. It could trigger a different idea that we all come to some same conclusion on. So I would just encourage even more involvement, wherever you feel comfortable doing so, for the entire engineering team, and I think that'd be really great.
B: Secondly, I guess I should just say that I should get back to doing some coding and making this happen, unless... I mean, I can't think of any other questions off the top of my head. It was really fara, unless there's anything you wanted to raise or say, especially since we're recording this and other people might have, you know... if there's any questions that you think could be better raised here, so it's recorded for all time.
A: You did a very thorough job putting together some questions ahead of this call. I really dug the format, I loved that we were able to share the thoughts and ideas here. I think it was really productive. I'd like to maybe make it a regular thing, either one-on-one with some of the other engineers that might feel that they don't have the right context, or just looking for the clarifications, and yeah.
B: Yeah, yeah, I think getting other engineers involved, getting them to ask questions, or even getting engineers to talk to Alfred engineers, or UX to the engineers, mixing up, not just product, would be a really good idea to try and, you know, spread knowledge around compliance, make it less of a complicated, scary thing, and, you know, something that we can have real impact on for our customers and users. Yeah.