Compliance frameworks

Version history

You can create a compliance framework that is a label to identify that your project has certain compliance requirements or needs additional oversight. The label can optionally enforce compliance pipeline configuration to the projects on which it is applied.

Group owners can create, edit, and delete compliance frameworks:

  1. On the top bar, select Main menu > Groups > View all groups and find your group.
  2. On the left sidebar, select Settings > General.
  3. Expand the Compliance frameworks section.
  4. Create, edit, or delete compliance frameworks.

Default compliance frameworks

Introduced in GitLab 15.6.

Group owners can set a default compliance framework. The default framework is applied to all the new and imported projects that are created within that group. It does not affect the framework applied to the existing projects. The default framework cannot be deleted.

A compliance framework that is set to default has a default label.

Set and remove as default

Introduced in GitLab 15.7.

Group owners can set a compliance framework as default (or remove the setting):

  1. On the top bar, select Main menu > Groups > View all groups and find your group.
  2. On the left sidebar, select Settings > General.
  3. Expand the Compliance frameworks section and locate the compliance framework to set (or remove) as default.
  4. Select the vertical ellipsis () for the compliance frame and then select Set default (or Remove default).

Example GraphQL mutations for setting a default compliance framework

Creating a new compliance framework and setting it as the default framework for the group. 

mutation {
    createComplianceFramework(
        input: {params: {name: "SOX", description: "Sarbanes-Oxley Act", color: "#87CEEB", default: true}, namespacePath: "gitlab-org"}
    ) {
        framework {
            id
            name
            default
            description
            color
            pipelineConfigurationFullPath
        }
        errors
    }
}

Setting an existing compliance framework as the default framework the group. 

mutation {
    updateComplianceFramework(
        input: {id: "gid://gitlab/ComplianceManagement::Framework/<id>", params: {default: true}}
    ) {
        complianceFramework {
            id
            name
            default
            description
            color
            pipelineConfigurationFullPath
        }
    }
}

Configure a compliance pipeline

Version history

Group owners can configure a compliance pipeline in a project separate to other projects. By default, the compliance pipeline configuration (.gitlab-ci.yml file) is run instead of the pipeline configuration of labeled projects.

However, the compliance pipeline configuration can reference the .gitlab-ci.yml file of the labeled projects so that:

  • The compliance pipeline can also run jobs of labeled project pipelines. This allows for centralized control of pipeline configuration.
  • Jobs and variables defined in the compliance pipeline can’t be changed by variables in the labeled project’s .gitlab-ci.yml file.

See example configuration for help configuring a compliance pipeline that runs jobs from labeled project pipeline configuration.

To configure a compliance pipeline:

  1. On the top bar, select Main menu > Groups > View all groups and find your group.
  2. On the left sidebar, select Settings > General.
  3. Expand the Compliance frameworks section.

  4. In Compliance pipeline configuration (optional), add the path to the compliance framework configuration. Use the path/file.y[a]ml@group-name/project-name format. For example:

    • .compliance-ci.yml@gitlab-org/gitlab.
    • .compliance-ci.yaml@gitlab-org/gitlab.

This configuration is inherited by projects where the compliance framework label is applied. In projects with the applied compliance framework label, the compliance pipeline configuration is run instead of the labeled project’s own pipeline configuration.

The user running the pipeline in the labeled project must at least have the Reporter role on the compliance project.

When used to enforce scan execution, this feature has some overlap with scan execution policies. We have not unified the user experience for these two features. For details on the similarities and differences between these features, see Enforce scan execution.

Example configuration

The following example .compliance-gitlab-ci.yml includes the include keyword to ensure labeled project pipeline configuration is also executed. 

# Allows compliance team to control the ordering and interweaving of stages/jobs.
# Stages without jobs defined will remain hidden.
stages:
  - pre-compliance
  - build
  - test
  - pre-deploy-compliance
  - deploy
  - post-compliance

variables:  # Can be overridden by setting a job-specific variable in project's local .gitlab-ci.yml
  FOO: sast

sast:  # None of these attributes can be overridden by a project's local .gitlab-ci.yml
  variables:
    FOO: sast
  image: ruby:2.6
  stage: pre-compliance
  rules:
    - if: $CI_COMMIT_BRANCH && $CI_OPEN_MERGE_REQUESTS && $CI_PIPELINE_SOURCE == "push"
      when: never
    - when: always  # or when: on_success
  allow_failure: false
  before_script:
    - "# No before scripts."
  script:
    - echo "running $FOO"
  after_script:
    - "# No after scripts."

sanity check:
  image: ruby:2.6
  stage: pre-deploy-compliance
  rules:
    - if: $CI_COMMIT_BRANCH && $CI_OPEN_MERGE_REQUESTS && $CI_PIPELINE_SOURCE == "push"
      when: never
    - when: always  # or when: on_success
  allow_failure: false
  before_script:
    - "# No before scripts."
  script:
    - echo "running $FOO"
  after_script:
    - "# No after scripts."

audit trail:
  image: ruby:2.7
  stage: post-compliance
  rules:
    - if: $CI_COMMIT_BRANCH && $CI_OPEN_MERGE_REQUESTS && $CI_PIPELINE_SOURCE == "push"
      when: never
    - when: always  # or when: on_success
  allow_failure: false
  before_script:
    - "# No before scripts."
  script:
    - echo "running $FOO"
  after_script:
    - "# No after scripts."

include:  # Execute individual project's configuration (if project contains .gitlab-ci.yml)
  project: '$CI_PROJECT_PATH'
  file: '$CI_CONFIG_PATH'
  ref: '$CI_COMMIT_REF_NAME' # Must be defined or MR pipelines always use the use default branch

CF pipelines in Merge Requests originating in project forks

When an MR originates in a fork, the branch to be merged usually only exists in the fork. When creating such an MR against a project with CF pipelines, the above snippet will fail with a Project <project-name> reference <branch-name> does not exist! error message. This is because in the context of the target project, $CI_COMMIT_REF_NAME evaluates to a non-existing branch name.

To get the correct context, use $CI_MERGE_REQUEST_SOURCE_PROJECT_PATH instead of $CI_PROJECT_PATH. This variable is only available in merge request pipelines.

For example, for a configuration that supports both merge request pipelines originating in project forks and branch pipelines, you need to combine both include directives with rules:if: 

include:  # Execute individual project's configuration (if project contains .gitlab-ci.yml)
  - project: '$CI_MERGE_REQUEST_SOURCE_PROJECT_PATH'
    file: '$CI_CONFIG_PATH'
    ref: '$CI_COMMIT_REF_NAME'
    rules:
      - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
  - project: '$CI_PROJECT_PATH'
    file: '$CI_CONFIG_PATH'
    ref: '$CI_COMMIT_REF_NAME'
    rules:
      - if: $CI_PIPELINE_SOURCE != 'merge_request_event'

Ensure compliance jobs are always run

Compliance pipelines use GitLab CI/CD to give you an incredible amount of flexibility for defining any sort of compliance jobs you like. Depending on your goals, these jobs can be configured to be:

  • Modified by users.
  • Non-modifiable.

Generally, if a value in a compliance job:

  • Is set, it cannot be changed or overridden by project-level configurations.
  • Is not set, a project-level configuration may be set.

Either might be wanted or not depending on your use case.

There are a few best practices for ensuring that these jobs are always run exactly as you define them and that downstream, project-level pipeline configurations cannot change them:

  • Add a rules:when:always block to each of your compliance jobs. This ensures they are non-modifiable and are always run.
  • Explicitly set any variables the job references. This:
    • Ensures that project-level pipeline configurations do not set them and alter their behavior.
    • Includes any jobs that drive the logic of your job.
  • Explicitly set the container image to run the job in. This ensures that your script steps execute in the correct environment.
  • Explicitly set any relevant GitLab pre-defined job keywords. This ensures that your job uses the settings you intend and that they are not overridden by project-level pipelines.

Avoid parent and child pipelines in GitLab 14.7 and earlier

note
This advice does not apply to GitLab 14.8 and later because a fix added compatibility for combining compliance pipelines, and parent and child pipelines.

Compliance pipelines start on the run of every pipeline in a labeled project. This means that if a pipeline in the labeled project triggers a child pipeline, the compliance pipeline runs first. This can trigger the parent pipeline, instead of the child pipeline.

Therefore, in projects with compliance frameworks, we recommend replacing parent-child pipelines with the following:

  • Direct include statements that provide the parent pipeline with child pipeline configuration.
  • Child pipelines placed in another project that are run using the trigger API rather than the parent-child pipeline feature.

This alternative ensures the compliance pipeline does not re-start the parent pipeline.