►
From YouTube: How to setup Compliance Frameworks & Pipelines in GitLab
Description
Organizations spend a ton of time ensuring compliance with regulatory and self-imposed requirements. Enforcement of these requirements can, however, be a challenging exercise. GitLab provides a Compliance Framework feature, allowing organizations to label projects meeting specific compliance regulations. Security teams can enforce the requirements of the regulations by creating Compliance pipelines, which ensures specified security scans are executed in all projects with a compliance attached.
In this video, Abubakar will walk through how to setup a Compliance framework and pipeline.
Documentation: https://docs.gitlab.com/ee/user/group/compliance_frameworks.html
#devsecops #dast #gitlab #compliance #compliancemanagement #devops #appsec
A
Developer
evangelism
program
manager
at
gitlab
in
this
video
I'll
be
showing
you
how
to
set
up
compliance.
Frameworks
and
compliance
pipelines
in
gitlab
compliance
is
a
huge
deal.
There
are
lots
of
regulatory
requirements
that
organizations
need
to
meet
in
order
to
ensure
in
order
to
avoid
risks.
Now
that
can
be
especially
when
operationid
regulated
Industries,
like
Health
Care,
like
Financial,
Services,
critical
infrastructure
as
well
and
more
government
are
introducing
more
policies
and
more
regulatory
requirements,
regulations
to
meet,
and
that
can
be
for
privacy
reasons
like
gdpr
or
localized
regulatory
requirements.
A
At
any
point
in
time
now-
and
this
is
aside
from
just
label-
you
can
take
it
further
by
implementing
compliance
pipelines
so
that
every
project
that
has
been
labeled
by
a
certain
compliance
framework
most
be
tested
or
scanned
with
certain
jobs
that
has
been
specified
for
that
compliance
framework.
Even
if
a
project
has
its
own
local
CI,
it
is
ignored
and
only
the
jobs
are
specified
by
the
compliance
worker
executed,
except
if
it
is
specified
that
the
local
CI
of
the
project
should
also
be
executed.
A
A
No,
if
we
go
to
secure,
I
will
go
to
compliance
Center
we
can
have,
we
can
see
Frameworks
projects
and
what
Frameworks
are
attached
to
them,
and
we
can
also
see
violations
within
the
entire
group
and
which,
for
which
projects
those
violations
are
happening.
For
example,
if
we
click
here,
you
can
see
who
changed,
who
made
the
change,
who
reviewed
it,
who
matched
it
where
what
match
requests?
A
What
security
violation
do
they
miss
and
so
on,
and
what
projects
did
they
work
on
so
that
you
can
have
an
audit
of
what
is
going
on
within
your
organization?
Then
we
have
a
section
for
Frameworks.
This
is
where
you
can
attach
a
framework
to
a
particular
project.
Now,
where
do
you
create
Frameworks?
You
can
create
a
framework
by
going
to
settings
and
for
the
top
level
group
and
general
under
the
general
settings,
you
see
compliance
Frameworks
now
here
you
see,
we
already
have
four
compliance
Frameworks
that
have
been
created.
A
If
you
want
to
add
a
new
one,
you
can
specify
the
name
description
and
also
the
complex
pipeline
configuration
where
it's
located
within
your
group
that
you
can
set
the
color
now
I'll
be
using
an
existing
one
here,
PCI
DSS,
it's
a
major
regulatory
requirements
for
organizations
within
the
financial
sector.
Now
using
this,
you
see
already
specified
in
PCI
DSS
description,
definitely
red
so
that
organizations.
We
know
that
it's
serious
and
we
can.
A
A
Let's
say
this
specifies
to
it
and
so
on
now,
but
let's
review
this
project
critical,
which
already
has
the
PCI
DSS
attached
to
it.
Now
this
project
normally
has
its
own
gitlab
CI
file,
but
we
want
the
CI
jobs
of
the
compliance
framework
to
be
executed
instead
of
two
specified
between
the
CI
file.
So
if
we
go
back
to
our
top
level
group-
and
we
go
to
the
settings
General
and
we
come
to
compliance
Frameworks
here,
then
we
have
PCI
DSS,
let's
change
here.
A
We
can
then
specify
our
where
our
CI
compliance
compliance
pipeline
is
now
I've
already
created
a
compliance
pipeline
for
PCI
DSS.
Now
gitlab
has
a
page
where
we
already
documented
how
you
can
use
gitlab
to
be
PCI.
Compliance
now
I
will
add
a
link
to
this
in
the
description
of
this
video,
but
this
a
disclaimer.
This
is
not
professional
advice.
This
is
just
for
information
quality.
A
You
can
read
and
go
ahead
and
decide
on
how
you
want
to
implement
CI
within
git
love
for
PC
ideas,
but
these
are
just
information
recommendations
for
information
purposes
only
now
to
meet
PCI
to
be
pcid,
DSS
compliance.
Some
of
the
features
you
can
use
in
gitlab
to
ensure
that
you
meet
the
requirements
are
static:
application
security,
testing,
Dynamic
application,
security,
testing,
container
scanning
and
dependency
scanning,
and
you
can
already
do
all
that.
A
Ci
CI
templates
that
have
already
been
added,
we
mentioned
earlier
static
application
security,
testing,
Dynamic
application,
security,
testing,
container
scanning
and
dependency
scanning.
If
we
check
here,
we
have
dependency
scanning
security
detection,
secret
detection,
you
need
to
know
if
you're,
exposing
any
secret,
static
application
security
testing,
you
need
to
make
sure
the
application
is
fully
tested
license
scanning.
You
need
to
know
the
kind
of
licenses
dependencies
are
bringing
in
then
also
container
scanning
after
application
as
a
package.
A
What
if
you
are
using
a
base
container
or
you
build
on
top
of
a
container
that
is
not
secure,
then
Dust
Dynamic
application
security
testing.
You
need
to
test
how
your
application
responds
to
different
activity
with
different
data,
be
able
to
check
if
things
like
credit
card
information
have
been
exposed
or
are
handled
properly
within
the
application.
You
can
use
that
to
do
that
now
that
I'll
be
talking
about
Dynamic
application
security
test
in
a
different
video
which
will
be
linked
in
the
description
so
that
you
can
follow.
A
A
Can
test
your
website
at
what
URL
can
you
test
it
and
scan
apps
profile?
What
we
just
kind
of
how,
with
this
through
the
scanner,
scan
your
website?
Should
it
be
passive
or
should
it
be
active,
should
it
is
your
website
containing
JavaScript
and
so
on?
So
you
need
to
specify
all
of
that
now
so
for
us
to
specify
it
first
to
add
this
to
our
compliance
framework.
This
pipeline
the
conference
framework.
We
are
going
to
copy
the
path
and
okay.
This
is
where
it
is.
The
file
name
is
DOT
compliance.
A
A
A
A
All
of
them
are
from
the
compliance
framework
here
now,
but
what
if
the
test
in
the
project
itself,
are
important
and
needs
to
be
executed,
also,
that
is
where
you
can
change
the
compliance
pipeline
to
also
allow
the
local
CI
job
to
be
executed.
Now,
let's
change
our
compliance
pipeline
here
in
this
project.
A
What
this
is
basically
saying
is
look
at
the
project,
the
part
of
the
projects
that
this
pipeline
is
currently
executing
on,
and
the
file
this
file,
the
CI
file
and
also
this
particular
ref,
then
execute
the
jobs,
the
job
specifications
that
are
online.
So,
let's
save
this,
allow
local
CI
to
execute
the
less
commits
to
mean
that's
why
the
purpose
of
our
demo,
then,
if
we
go
back
here,
this
is
still
running.
A
A
A
A
Whoop
it's
working
now
now
you
can
see
that
it
now
has
build
job,
lint,
test
unit
tests
and
deploy
job.
So
it's
now,
including
the
local
CI
job,
along
with
the
compliance
pipeline
job.
So
this
is
how
you
can
set
up
compliance,
Frameworks
and
compliance
pipeline
in
your
project
to
ensure
that
you
always
meet
regulatory
requirements.