Review Group Controls
Description
This issue is to start detailing what controls exist for group input types. Start to scope out the work required in order to support groups.
This may include, making pull requests to python-gitlab, making feature requests to gitlab, or just adjusting our control conditions to meet existing functionality.
| Control ID | Control Name | Notes |
|---|---|---|
| 1.1.1 | version_control | Enabled |
| 1.1.2 | code_tracing | Enabled |
| 1.1.3 | code_approvals | Enabled in: v.1.14.0 (!172 (merged)) python-gitlab==5.6.0 (ref)) |
| 1.1.4 | code_approval_dismissals | PR Required for python-gitlab to add existing functionality (rest API) created MR approval settings Group Level #3165. |
| 1.1.5 | code_dismissal_restrictions | Pending !270 (merged) python-gitlab to add existing functionality (rest API) created Protected Branches Group Level #3164. |
| 1.1.6 | code_owners | Not applicable |
| 1.1.7 | code_changes_require_code_owners | Pending !270 (merged) python-gitlab to add existing functionality (rest API) created Protected Branches Group Level #3164 |
| 1.1.8 | stale_branch_reviews | Not applicable |
| 1.1.9 | checks_pass_before_merging | Not applicable |
| 1.1.10 | branches_updated_before_merging | Not applicable |
| 1.1.11 | comments_resolved_before_merging | Requires feature request on gitlab for only_allow_merge_if_all_discussions_are_resolved at rest API level. Pending: gitlab-org/gitlab#534608 (closed)
|
| 1.1.12 | commits_must_be_signed_before_merging | Enabled in: v.1.14.0 (!172 (merged)) |
| 1.1.13 | linear_history_required | Not applicable |
| 1.1.14 | branch_protections_for_admins | Enabled |
| 1.1.15 | merging_restrictions | Pending !270 (merged) python-gitlab to add existing functionality (rest API) created Protected Branches Group Level #3164 |
| 1.1.16 | ensure_force_push_is_denied | Pending !270 (merged) python-gitlab to add existing functionality (rest API) created Protected Branches Group Level #3164 |
| 1.1.17 | deny_branch_deletions | Pending !270 (merged) python-gitlab to add existing functionality (rest API) created Protected Branches Group Level #3164 |
| 1.1.18 | auto_risk_scan_merges | Enabled in: v.1.14.0 (!172 (merged)) |
| 1.1.19 | audit_branch_protections | Enabled |
| 1.1.20 | default_branch_protected | Not applicable |
| 2.1.1 | single_responsibility_pipeline | Not applicable |
| 2.1.2 | immutable_pipeline_infrastructure | Not applicable |
| 2.1.3 | build_logging | Not applicable |
| 2.1.4 | build_automation | Not applicable |
| 2.1.5 | limit_build_access | Enabled in: v.1.15.0 (!184 (merged)) |
| 2.1.6 | authenticate_build_access | Enabled in: v.1.15.0 (!184 (merged)) |
| 2.1.7 | limit_build_secrets_scope | Not applicable |
| 2.1.8 | vuln_scanning | Not applicable |
| 2.1.9 | disable_build_tools_default_passwords | Not applicable |
| 2.1.10 | secure_build_env_webhooks | Enabled in: v.1.15.0 (!184 (merged)) |
| 2.1.11 | build_env_admins | Enabled in: v.1.15.0 (!184 (merged)) |
| 2.2.1 | single_use_workers | Not applicable |
| 2.2.2 | pass_worker_envs_and_commands | Not applicable |
| 2.2.3 | segregate_worker_duties | Enabled in: v.1.15.0 (!184 (merged)) |
| 2.2.4 | restrict_worker_connectivity | Not applicable |
| 2.2.5 | worker_runtime_security | Not applicable |
| 2.2.6 | build_worker_vuln_scanning | Not applicable |
| 2.2.7 | store_worker_config | Not applicable |
| 2.2.8 | monitor_worker_resource_consumption | Not applicable |
| 2.3.1 | build_steps_as_code | Not applicable |
| 2.3.2 | build_stage_io | Not applicable |
| 2.3.3 | secure_pipeline_output | Not applicable |
| 2.3.4 | track_pipeline_files | Not applicable |
| 2.3.5 | limit_pipeline_triggers | PR Required for python-gitlab to add existing functionality (rest API) Protected Environments Group Level #3168
|
| 2.3.6 | pipeline_misconfiguration_scanning | Enabled in: v.1.15.0 (!184 (merged)) |
| 2.3.7 | pipeline_vuln_scanning | Enabled in: v.1.15.0 (!184 (merged)) |
| 2.3.8 | pipeline_secret_scanning | Not applicable |
| 2.4.1 | sign_artifacts | Not applicable |
| 2.4.2 | lock_dependencies | Not applicable |
| 2.4.3 | validate_dependencies | Not applicable |
| 2.4.4 | create_reproducible_artifacts | Not applicable |
| 2.4.5 | pipeline_produces_sbom | Not applicable |
| 2.4.6 | pipeline_sign_sbom | Not applicable |
| 3.1.1 | verify_artifacts | Not applicable |
| 3.1.2 | third_party_sbom_required | Not applicable |
| 3.1.3 | verify_signed_metadata | Not applicable |
| 3.1.4 | monitor_dependencies | Enabled in v.1.18.0 |
| 3.1.5 | define_package_managers | Not applicable |
| 3.1.6 | dependency_sbom | Not applicable |
| 3.1.7 | pin_dependency_version | Not applicable |
| 3.1.8 | packages_over_60_days_old | Not applicable |
| 3.2.1 | org_wide_dependency_policy | Enabled in v.1.18.0 |
| 3.2.2 | package_vuln_scanning | Enabled in v.1.18.0 |
| 3.2.3 | package_license_scanning | Enabled in v.1.18.0 |
| 3.2.4 | package_ownership_change | Not applicable |
| 4.1.1 | sign_artifacts_in_build_pipeline | Not applicable |
| 4.1.2 | encrypt_artifacts_before_distribution | Not applicable |
| 4.1.3 | only_authorized_platforms_can_decrypt_artifacts | Not applicable |
| 4.2.1 | limit_certifying_artifacts | Not applicable |
| 4.2.2 | limit_artifact_uploaders | Enabled in v1.17.0 |
| 4.2.3 | require_mfa_to_package_registry | Enabled in v1.1.0
|
| 4.2.4 | external_auth_server | Not applicable |
| 4.2.5 | restrict_anonymous_access | Enabled in v.1.1.0
|
| 4.2.6 | minimum_package_registry_admins | Enabled in v1.17.0 |
| 4.3.1 | validate_signed_artifacts_on_upload | Not applicable |
| 4.3.2 | all_artifact_versions_signed | Not applicable |
| 4.3.3 | audit_package_registry_config | Not applicable |
| 4.3.4 | secure_repo_webhooks | Enabled in v1.17.0 |
| 4.4.1 | artifact_origin_info | Not applicable |
| 5.1.1 | separate_deployment_config | Not applicable |
| 5.1.2 | audit_deployment_config | Not applicable |
| 5.1.3 | secret_scan_deployment_config | Not applicable |
| 5.1.4 | limit_deployment_config_access | Not applicable |
| 5.1.5 | scan_iac | Not applicable |
| 5.1.6 | verify_deployment_config | Not applicable |
| 5.1.7 | pin_deployment_config_manifests | Not applicable |
| 5.2.1 | automate_deployment | Not applicable |
| 5.2.2 | reproducible_deployment | Not applicable |
| 5.2.3 | limit_prod_access | Not applicable |
| 5.2.4 | disable_default_passwords | Not applicable |
Edited by Neil McDonald