gitlabcis 1.3.2__py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (218) hide show
  1. gitlabcis/__init__.py +12 -0
  2. gitlabcis/__main__.py +7 -0
  3. gitlabcis/benchmarks/__init__.py +8 -0
  4. gitlabcis/benchmarks/artifacts_4/__init__.py +4 -0
  5. gitlabcis/benchmarks/artifacts_4/access_to_artifacts_4_2.py +139 -0
  6. gitlabcis/benchmarks/artifacts_4/origin_traceability_4_4.py +11 -0
  7. gitlabcis/benchmarks/artifacts_4/package_registries_4_3.py +105 -0
  8. gitlabcis/benchmarks/artifacts_4/verification_4_1.py +83 -0
  9. gitlabcis/benchmarks/build_pipelines_2/__init__.py +4 -0
  10. gitlabcis/benchmarks/build_pipelines_2/build_environment_2_1.py +268 -0
  11. gitlabcis/benchmarks/build_pipelines_2/build_worker_2_2.py +129 -0
  12. gitlabcis/benchmarks/build_pipelines_2/pipeline_instructions_2_3.py +444 -0
  13. gitlabcis/benchmarks/build_pipelines_2/pipeline_integrity_2_4.py +146 -0
  14. gitlabcis/benchmarks/dependencies_3/__init__.py +2 -0
  15. gitlabcis/benchmarks/dependencies_3/third_party_packages_3_1.py +171 -0
  16. gitlabcis/benchmarks/dependencies_3/validate_packages_3_2.py +182 -0
  17. gitlabcis/benchmarks/deployment_5/__init__.py +2 -0
  18. gitlabcis/benchmarks/deployment_5/deployment_configuration_5_1.py +165 -0
  19. gitlabcis/benchmarks/deployment_5/deployment_environment_5_2.py +66 -0
  20. gitlabcis/benchmarks/source_code_1/__init__.py +6 -0
  21. gitlabcis/benchmarks/source_code_1/code_changes_1_1.py +665 -0
  22. gitlabcis/benchmarks/source_code_1/code_risks_1_5.py +506 -0
  23. gitlabcis/benchmarks/source_code_1/contribution_access_1_3.py +334 -0
  24. gitlabcis/benchmarks/source_code_1/repository_management_1_2.py +168 -0
  25. gitlabcis/benchmarks/source_code_1/third_party_1_4.py +139 -0
  26. gitlabcis/cli/__init__.py +0 -0
  27. gitlabcis/cli/log.py +30 -0
  28. gitlabcis/cli/main.py +541 -0
  29. gitlabcis/cli/output.py +151 -0
  30. gitlabcis/recommendations/artifacts_4/access_to_artifacts_4_2/external_auth_server.yml +51 -0
  31. gitlabcis/recommendations/artifacts_4/access_to_artifacts_4_2/limit_artifact_uploaders.yml +57 -0
  32. gitlabcis/recommendations/artifacts_4/access_to_artifacts_4_2/limit_certifying_artifacts.yml +53 -0
  33. gitlabcis/recommendations/artifacts_4/access_to_artifacts_4_2/minimum_package_registry_admins.yml +54 -0
  34. gitlabcis/recommendations/artifacts_4/access_to_artifacts_4_2/readme.md +14 -0
  35. gitlabcis/recommendations/artifacts_4/access_to_artifacts_4_2/require_mfa_to_package_registry.yml +52 -0
  36. gitlabcis/recommendations/artifacts_4/access_to_artifacts_4_2/restrict_anonymous_access.yml +67 -0
  37. gitlabcis/recommendations/artifacts_4/origin_traceability_4_4/artifact_origin_info.yml +56 -0
  38. gitlabcis/recommendations/artifacts_4/origin_traceability_4_4/readme.md +7 -0
  39. gitlabcis/recommendations/artifacts_4/package_registries_4_3/all_artifact_versions_signed.yml +70 -0
  40. gitlabcis/recommendations/artifacts_4/package_registries_4_3/audit_package_registry_config.yml +46 -0
  41. gitlabcis/recommendations/artifacts_4/package_registries_4_3/readme.md +12 -0
  42. gitlabcis/recommendations/artifacts_4/package_registries_4_3/secure_repo_webhooks.yml +50 -0
  43. gitlabcis/recommendations/artifacts_4/package_registries_4_3/validate_signed_artifacts_on_upload.yml +72 -0
  44. gitlabcis/recommendations/artifacts_4/readme.md +12 -0
  45. gitlabcis/recommendations/artifacts_4/verification_4_1/encrypt_artifacts_before_distribution.yml +47 -0
  46. gitlabcis/recommendations/artifacts_4/verification_4_1/only_authorized_platforms_can_decrypt_artifacts.yml +59 -0
  47. gitlabcis/recommendations/artifacts_4/verification_4_1/readme.md +11 -0
  48. gitlabcis/recommendations/artifacts_4/verification_4_1/sign_artifacts_in_build_pipeline.yml +40 -0
  49. gitlabcis/recommendations/build_pipelines_2/build_environment_2_1/authenticate_build_access.yml +55 -0
  50. gitlabcis/recommendations/build_pipelines_2/build_environment_2_1/build_automation.yml +54 -0
  51. gitlabcis/recommendations/build_pipelines_2/build_environment_2_1/build_env_admins.yml +55 -0
  52. gitlabcis/recommendations/build_pipelines_2/build_environment_2_1/build_logging.yml +49 -0
  53. gitlabcis/recommendations/build_pipelines_2/build_environment_2_1/disable_build_tools_default_passwords.yml +54 -0
  54. gitlabcis/recommendations/build_pipelines_2/build_environment_2_1/immutable_pipeline_infrastructure.yml +60 -0
  55. gitlabcis/recommendations/build_pipelines_2/build_environment_2_1/limit_build_access.yml +64 -0
  56. gitlabcis/recommendations/build_pipelines_2/build_environment_2_1/limit_build_secrets_scope.yml +56 -0
  57. gitlabcis/recommendations/build_pipelines_2/build_environment_2_1/readme.md +19 -0
  58. gitlabcis/recommendations/build_pipelines_2/build_environment_2_1/secure_build_env_webhooks.yml +43 -0
  59. gitlabcis/recommendations/build_pipelines_2/build_environment_2_1/single_responsibility_pipeline.yml +58 -0
  60. gitlabcis/recommendations/build_pipelines_2/build_environment_2_1/vuln_scanning.yml +64 -0
  61. gitlabcis/recommendations/build_pipelines_2/build_worker_2_2/build_worker_vuln_scanning.yml +58 -0
  62. gitlabcis/recommendations/build_pipelines_2/build_worker_2_2/monitor_worker_resource_consumption.yml +59 -0
  63. gitlabcis/recommendations/build_pipelines_2/build_worker_2_2/pass_worker_envs_and_commands.yml +48 -0
  64. gitlabcis/recommendations/build_pipelines_2/build_worker_2_2/readme.md +16 -0
  65. gitlabcis/recommendations/build_pipelines_2/build_worker_2_2/restrict_worker_connectivity.yml +61 -0
  66. gitlabcis/recommendations/build_pipelines_2/build_worker_2_2/segregate_worker_duties.yml +78 -0
  67. gitlabcis/recommendations/build_pipelines_2/build_worker_2_2/single_use_workers.yml +47 -0
  68. gitlabcis/recommendations/build_pipelines_2/build_worker_2_2/store_worker_config.yml +62 -0
  69. gitlabcis/recommendations/build_pipelines_2/build_worker_2_2/worker_runtime_security.yml +37 -0
  70. gitlabcis/recommendations/build_pipelines_2/pipeline_instructions_2_3/build_stage_io.yml +49 -0
  71. gitlabcis/recommendations/build_pipelines_2/pipeline_instructions_2_3/build_steps_as_code.yml +42 -0
  72. gitlabcis/recommendations/build_pipelines_2/pipeline_instructions_2_3/limit_pipeline_triggers.yml +76 -0
  73. gitlabcis/recommendations/build_pipelines_2/pipeline_instructions_2_3/pipeline_misconfiguration_scanning.yml +48 -0
  74. gitlabcis/recommendations/build_pipelines_2/pipeline_instructions_2_3/pipeline_secret_scanning.yml +56 -0
  75. gitlabcis/recommendations/build_pipelines_2/pipeline_instructions_2_3/pipeline_vuln_scanning.yml +44 -0
  76. gitlabcis/recommendations/build_pipelines_2/pipeline_instructions_2_3/readme.md +16 -0
  77. gitlabcis/recommendations/build_pipelines_2/pipeline_instructions_2_3/secure_pipeline_output.yml +52 -0
  78. gitlabcis/recommendations/build_pipelines_2/pipeline_instructions_2_3/track_pipeline_files.yml +48 -0
  79. gitlabcis/recommendations/build_pipelines_2/pipeline_integrity_2_4/create_reproducible_artifacts.yml +52 -0
  80. gitlabcis/recommendations/build_pipelines_2/pipeline_integrity_2_4/lock_dependencies.yml +59 -0
  81. gitlabcis/recommendations/build_pipelines_2/pipeline_integrity_2_4/pipeline_produces_sbom.yml +81 -0
  82. gitlabcis/recommendations/build_pipelines_2/pipeline_integrity_2_4/pipeline_signs_sbom.yml +38 -0
  83. gitlabcis/recommendations/build_pipelines_2/pipeline_integrity_2_4/readme.md +14 -0
  84. gitlabcis/recommendations/build_pipelines_2/pipeline_integrity_2_4/sign_artifacts.yml +35 -0
  85. gitlabcis/recommendations/build_pipelines_2/pipeline_integrity_2_4/validate_dependencies.yml +63 -0
  86. gitlabcis/recommendations/build_pipelines_2/readme.md +12 -0
  87. gitlabcis/recommendations/dependencies_3/readme.md +10 -0
  88. gitlabcis/recommendations/dependencies_3/third_party_packages_3_1/define_package_managers.yml +84 -0
  89. gitlabcis/recommendations/dependencies_3/third_party_packages_3_1/dependency_sbom.yml +84 -0
  90. gitlabcis/recommendations/dependencies_3/third_party_packages_3_1/monitor_dependencies.yml +61 -0
  91. gitlabcis/recommendations/dependencies_3/third_party_packages_3_1/packages_over_60_days_old.yml +95 -0
  92. gitlabcis/recommendations/dependencies_3/third_party_packages_3_1/pin_dependency_version.yml +48 -0
  93. gitlabcis/recommendations/dependencies_3/third_party_packages_3_1/readme.md +14 -0
  94. gitlabcis/recommendations/dependencies_3/third_party_packages_3_1/third_party_sbom_required.yml +70 -0
  95. gitlabcis/recommendations/dependencies_3/third_party_packages_3_1/verify_artifacts.yml +45 -0
  96. gitlabcis/recommendations/dependencies_3/third_party_packages_3_1/verify_signed_metadata.yml +41 -0
  97. gitlabcis/recommendations/dependencies_3/validate_packages_3_2/org_wide_dependency_policy.yml +47 -0
  98. gitlabcis/recommendations/dependencies_3/validate_packages_3_2/package_license_scanning.yml +47 -0
  99. gitlabcis/recommendations/dependencies_3/validate_packages_3_2/package_ownership_change.yml +42 -0
  100. gitlabcis/recommendations/dependencies_3/validate_packages_3_2/package_vuln_scanning.yml +62 -0
  101. gitlabcis/recommendations/dependencies_3/validate_packages_3_2/readme.md +10 -0
  102. gitlabcis/recommendations/deployment_5/deployment_configuration_5_1/audit_deployment_config.yml +46 -0
  103. gitlabcis/recommendations/deployment_5/deployment_configuration_5_1/limit_deployment_config_access.yml +51 -0
  104. gitlabcis/recommendations/deployment_5/deployment_configuration_5_1/pin_deployment_config_manifests.yml +59 -0
  105. gitlabcis/recommendations/deployment_5/deployment_configuration_5_1/readme.md +13 -0
  106. gitlabcis/recommendations/deployment_5/deployment_configuration_5_1/scan_iac.yml +72 -0
  107. gitlabcis/recommendations/deployment_5/deployment_configuration_5_1/secret_scan_deployment_config.yml +45 -0
  108. gitlabcis/recommendations/deployment_5/deployment_configuration_5_1/separate_deployment_config.yml +50 -0
  109. gitlabcis/recommendations/deployment_5/deployment_configuration_5_1/verify_deployment_config.yml +49 -0
  110. gitlabcis/recommendations/deployment_5/deployment_environment_5_2/automate_deployment.yml +47 -0
  111. gitlabcis/recommendations/deployment_5/deployment_environment_5_2/disable_default_passwords.yml +63 -0
  112. gitlabcis/recommendations/deployment_5/deployment_environment_5_2/limit_prod_access.yml +45 -0
  113. gitlabcis/recommendations/deployment_5/deployment_environment_5_2/readme.md +12 -0
  114. gitlabcis/recommendations/deployment_5/deployment_environment_5_2/reproducible_deployment.yml +50 -0
  115. gitlabcis/recommendations/deployment_5/readme.md +10 -0
  116. gitlabcis/recommendations/readme.md +24 -0
  117. gitlabcis/recommendations/source_code_1/code_changes_1_1/audit_branch_protections.yml +56 -0
  118. gitlabcis/recommendations/source_code_1/code_changes_1_1/auto_risk_scan_merges.yml +62 -0
  119. gitlabcis/recommendations/source_code_1/code_changes_1_1/branch_protections_for_admins.yml +60 -0
  120. gitlabcis/recommendations/source_code_1/code_changes_1_1/branches_updated_before_merging.yml +56 -0
  121. gitlabcis/recommendations/source_code_1/code_changes_1_1/checks_pass_before_merging.yml +57 -0
  122. gitlabcis/recommendations/source_code_1/code_changes_1_1/code_approval_dismissals.yml +62 -0
  123. gitlabcis/recommendations/source_code_1/code_changes_1_1/code_approvals.yml +65 -0
  124. gitlabcis/recommendations/source_code_1/code_changes_1_1/code_changes_require_code_owners.yml +68 -0
  125. gitlabcis/recommendations/source_code_1/code_changes_1_1/code_dismissal_restrictions.yml +69 -0
  126. gitlabcis/recommendations/source_code_1/code_changes_1_1/code_owners.yml +61 -0
  127. gitlabcis/recommendations/source_code_1/code_changes_1_1/code_tracing.yml +52 -0
  128. gitlabcis/recommendations/source_code_1/code_changes_1_1/comments_resolved_before_merging.yml +59 -0
  129. gitlabcis/recommendations/source_code_1/code_changes_1_1/commits_must_be_signed_before_merging.yml +63 -0
  130. gitlabcis/recommendations/source_code_1/code_changes_1_1/default_branch_protected.yml +85 -0
  131. gitlabcis/recommendations/source_code_1/code_changes_1_1/deny_branch_deletions.yml +76 -0
  132. gitlabcis/recommendations/source_code_1/code_changes_1_1/ensure_force_push_is_denied.yml +59 -0
  133. gitlabcis/recommendations/source_code_1/code_changes_1_1/linear_history_required.yml +56 -0
  134. gitlabcis/recommendations/source_code_1/code_changes_1_1/merging_restrictions.yml +65 -0
  135. gitlabcis/recommendations/source_code_1/code_changes_1_1/readme.md +26 -0
  136. gitlabcis/recommendations/source_code_1/code_changes_1_1/stale_branch_reviews.yml +72 -0
  137. gitlabcis/recommendations/source_code_1/code_changes_1_1/version_control.yml +45 -0
  138. gitlabcis/recommendations/source_code_1/code_risks_1_5/dast_api_scanning.yml +50 -0
  139. gitlabcis/recommendations/source_code_1/code_risks_1_5/dast_web_scanning.yml +51 -0
  140. gitlabcis/recommendations/source_code_1/code_risks_1_5/dependency_scanning.yml +84 -0
  141. gitlabcis/recommendations/source_code_1/code_risks_1_5/enable_secret_detection.yml +45 -0
  142. gitlabcis/recommendations/source_code_1/code_risks_1_5/license_scanning.yml +47 -0
  143. gitlabcis/recommendations/source_code_1/code_risks_1_5/readme.md +14 -0
  144. gitlabcis/recommendations/source_code_1/code_risks_1_5/secure_iac_instructions.yml +81 -0
  145. gitlabcis/recommendations/source_code_1/code_risks_1_5/secure_pipeline_instructions.yml +62 -0
  146. gitlabcis/recommendations/source_code_1/code_risks_1_5/vulnerability_scanning.yml +48 -0
  147. gitlabcis/recommendations/source_code_1/contribution_access_1_3/domain_verification.yml +65 -0
  148. gitlabcis/recommendations/source_code_1/contribution_access_1_3/ensure_2_admins_per_repo.yml +56 -0
  149. gitlabcis/recommendations/source_code_1/contribution_access_1_3/limit_top_level_group_creation.yml +61 -0
  150. gitlabcis/recommendations/source_code_1/contribution_access_1_3/limit_user_registration_domain.yml +58 -0
  151. gitlabcis/recommendations/source_code_1/contribution_access_1_3/minimum_number_of_admins.yml +56 -0
  152. gitlabcis/recommendations/source_code_1/contribution_access_1_3/org_provided_ssh_certs.yml +70 -0
  153. gitlabcis/recommendations/source_code_1/contribution_access_1_3/readme.md +21 -0
  154. gitlabcis/recommendations/source_code_1/contribution_access_1_3/require_mfa_at_org_level.yml +89 -0
  155. gitlabcis/recommendations/source_code_1/contribution_access_1_3/require_mfa_for_contributors.yml +76 -0
  156. gitlabcis/recommendations/source_code_1/contribution_access_1_3/restrict_ip_addresses.yml +84 -0
  157. gitlabcis/recommendations/source_code_1/contribution_access_1_3/review_and_remove_inactive_users.yml +62 -0
  158. gitlabcis/recommendations/source_code_1/contribution_access_1_3/scm_notification_restriction.yml +46 -0
  159. gitlabcis/recommendations/source_code_1/contribution_access_1_3/strict_permissions_for_repo.yml +62 -0
  160. gitlabcis/recommendations/source_code_1/contribution_access_1_3/track_code_anomalies.yml +43 -0
  161. gitlabcis/recommendations/source_code_1/readme.md +13 -0
  162. gitlabcis/recommendations/source_code_1/repository_management_1_2/limit_issue_deletions.yml +57 -0
  163. gitlabcis/recommendations/source_code_1/repository_management_1_2/limit_repo_creations.yml +64 -0
  164. gitlabcis/recommendations/source_code_1/repository_management_1_2/limit_repo_deletions.yml +57 -0
  165. gitlabcis/recommendations/source_code_1/repository_management_1_2/public_repos_have_security_file.yml +59 -0
  166. gitlabcis/recommendations/source_code_1/repository_management_1_2/readme.md +15 -0
  167. gitlabcis/recommendations/source_code_1/repository_management_1_2/review_and_archive_stale_repos.yml +65 -0
  168. gitlabcis/recommendations/source_code_1/repository_management_1_2/track_forks.yml +74 -0
  169. gitlabcis/recommendations/source_code_1/repository_management_1_2/track_project_visibility_status.yml +74 -0
  170. gitlabcis/recommendations/source_code_1/third_party_1_4/README.md +12 -0
  171. gitlabcis/recommendations/source_code_1/third_party_1_4/admin_approval_for_app_installs.yml +83 -0
  172. gitlabcis/recommendations/source_code_1/third_party_1_4/least_privilge_app_permissions.yml +103 -0
  173. gitlabcis/recommendations/source_code_1/third_party_1_4/secure_webhooks.yml +73 -0
  174. gitlabcis/recommendations/source_code_1/third_party_1_4/stale_app_reviews.yml +66 -0
  175. gitlabcis/recommendations/template.yml +30 -0
  176. gitlabcis/tests/__init__.py +0 -0
  177. gitlabcis/tests/input/__init__.py +0 -0
  178. gitlabcis/tests/input/conftest.py +29 -0
  179. gitlabcis/tests/input/no_input_test.py +82 -0
  180. gitlabcis/tests/input/switch_test.py +19 -0
  181. gitlabcis/tests/input/version_test.py +7 -0
  182. gitlabcis/tests/unit/__init__.py +0 -0
  183. gitlabcis/tests/unit/benchmarks/artifacts_4/access_to_artifacts_4_2_test.py +131 -0
  184. gitlabcis/tests/unit/benchmarks/artifacts_4/origin_traceability_4_4_test.py +15 -0
  185. gitlabcis/tests/unit/benchmarks/artifacts_4/package_registries_4_3_test.py +102 -0
  186. gitlabcis/tests/unit/benchmarks/artifacts_4/verification_4_1_test.py +78 -0
  187. gitlabcis/tests/unit/benchmarks/build_pipelines_2/build_environment_2_1_test.py +239 -0
  188. gitlabcis/tests/unit/benchmarks/build_pipelines_2/build_worker_2_2_test.py +105 -0
  189. gitlabcis/tests/unit/benchmarks/build_pipelines_2/pipeline_instructions_2_3_test.py +340 -0
  190. gitlabcis/tests/unit/benchmarks/build_pipelines_2/pipeline_integrity_2_4_test.py +115 -0
  191. gitlabcis/tests/unit/benchmarks/conftest.py +47 -0
  192. gitlabcis/tests/unit/benchmarks/dependencies_3/third_party_packages_3_1_test.py +135 -0
  193. gitlabcis/tests/unit/benchmarks/dependencies_3/validate_packages_3_2_test.py +171 -0
  194. gitlabcis/tests/unit/benchmarks/deployment_5/deployment_configuration_5_1_test.py +140 -0
  195. gitlabcis/tests/unit/benchmarks/deployment_5/deployment_environment_5_2_test.py +60 -0
  196. gitlabcis/tests/unit/benchmarks/function_test.py +24 -0
  197. gitlabcis/tests/unit/benchmarks/source_code_1/code_changes_1_1_test.py +565 -0
  198. gitlabcis/tests/unit/benchmarks/source_code_1/code_risks_1_5_test.py +419 -0
  199. gitlabcis/tests/unit/benchmarks/source_code_1/contribution_access_1_3_test.py +265 -0
  200. gitlabcis/tests/unit/benchmarks/source_code_1/repository_management_1_2_test.py +142 -0
  201. gitlabcis/tests/unit/benchmarks/source_code_1/third_party_1_4_test.py +119 -0
  202. gitlabcis/tests/unit/conftest.py +94 -0
  203. gitlabcis/tests/unit/log/log_test.py +23 -0
  204. gitlabcis/tests/unit/utils/argfilters_test.py +9 -0
  205. gitlabcis/tests/unit/utils/ci_test.py +156 -0
  206. gitlabcis/tests/unit/utils/output_test.py +95 -0
  207. gitlabcis/tests/unit/utils/utils_general_test.py +149 -0
  208. gitlabcis/tests/unit/utils/version_test.py +11 -0
  209. gitlabcis/tests/unit/yaml/bad_file_test.py +15 -0
  210. gitlabcis/tests/unit/yaml/recommendation_test.py +123 -0
  211. gitlabcis/utils/__init__.py +146 -0
  212. gitlabcis/utils/ci.py +132 -0
  213. gitlabcis-1.3.2.dist-info/LICENSE +21 -0
  214. gitlabcis-1.3.2.dist-info/METADATA +241 -0
  215. gitlabcis-1.3.2.dist-info/RECORD +218 -0
  216. gitlabcis-1.3.2.dist-info/WHEEL +5 -0
  217. gitlabcis-1.3.2.dist-info/entry_points.txt +2 -0
  218. gitlabcis-1.3.2.dist-info/top_level.txt +1 -0
@@ -0,0 +1,47 @@
1
+ ---
2
+ id: 5.2.1
3
+ name: automate_deployment
4
+ title: Ensure deployments are automated
5
+ profile: 1
6
+ category: deployment
7
+ sub_category: deployment_environment
8
+ description: >-
9
+ Automate deployments of production environment and application.
10
+ rationale: >-
11
+ Automating the deployments of both production environment and applications reduces
12
+ the risk for human mistakes — such as a wrong configuration or exposure of sensitive
13
+ data — because it requires less human interaction or intervention. It also eases
14
+ redeployment of the environment. It is best to automate with Infrastructure as Code
15
+ (IaC) because it offers more control over changes made to the environment creation
16
+ configuration and stores to a version control platform.
17
+ impact: >-
18
+ audit: >-
19
+ For each deployment process, ensure it is automated.
20
+ remediation: >-
21
+ Automate each deployment process of the production environment and application.
22
+ default_value:
23
+ references:
24
+ cis_controls:
25
+ - id: 16.1
26
+ version: 8
27
+ name: Establish and Maintain a Secure Application Development Process
28
+ description: >-
29
+ Establish and maintain a secure application development process. In the
30
+ process, address such items as: secure application design standards, secure coding
31
+ practices, developer training, vulnerability management, security of third-party code,
32
+ and application security testing procedures. Review and update documentation
33
+ annually, or when significant enterprise changes occur that could impact this
34
+ Safeguard.
35
+ implementation_groups:
36
+ - IG2
37
+ - IG3
38
+ - id: 18.1
39
+ version: 7
40
+ name: Establish and Maintain a Secure Application Development Process
41
+ description: >-
42
+ Establish secure coding practices appropriate to the programming language and
43
+ development environment being used.
44
+ implementation_groups:
45
+ - IG2
46
+ - IG3
47
+ additional_info: >-
@@ -0,0 +1,63 @@
1
+ ---
2
+ id: 5.2.4
3
+ name: disable_default_passwords
4
+ title: Ensure default passwords are not used
5
+ profile: 1
6
+ category: deployment
7
+ sub_category: deployment_environment
8
+ description: >-
9
+ Do not use default passwords of deployment tools and components.
10
+ rationale: >-
11
+ Many deployment tools and components are provided with default passwords for the
12
+ first login. This password is intended to be used only on the first login and should be
13
+ changed immediately after. Using the default password substantially increases the
14
+ attack risk. It is very important to ensure that default passwords are not used in
15
+ deployment tools and components.
16
+ impact: >-
17
+ audit: |
18
+ GitLab's default root password depends on the installation method, and when the installation occurred:
19
+ 1. When deploying a GitLab instance using the official AWS AMI, the root password to the instance is the EC2 Instance ID
20
+ 2. Most installation methods allow a non-default password to be provided as configuration
21
+ 3. Prior to 14.0 the default password was 5iveL!fe
22
+ 4. Otherwise the default password is unique and randomly generated.
23
+
24
+ Attempt to log in as root using a suspected default password to audit whether it has changed.
25
+ For any other external build tools, ensure the password used is not the default one.
26
+ remediation: >-
27
+ GitLab's root password can be changed by an administrator using the UI, the
28
+ “gitlab:password:reset” rake task, or by using the Rails console.
29
+ For each build tool with a default password, change to a unique cryptographically
30
+ secure pseudorandom password.
31
+ default_value:
32
+ references:
33
+ cis_controls:
34
+ - id: 5.2
35
+ version: 8
36
+ name: Use Unique Passwords
37
+ description: >-
38
+ Use unique passwords for all enterprise assets. Best practice implementation
39
+ includes, at a minimum, an 8-character password for accounts using MFA and a
40
+ 14-character password for accounts not using MFA.
41
+ implementation_groups:
42
+ - IG1
43
+ - IG2
44
+ - IG3
45
+ - id: 4.2
46
+ version: 7
47
+ name: Change Default Passwords
48
+ description: >-
49
+ Before deploying any new asset, change all default passwords to have values
50
+ consistent with administrative level accounts.
51
+ implementation_groups:
52
+ - IG1
53
+ - IG2
54
+ - IG3
55
+ - id: 4.4
56
+ version: 7
57
+ name: example
58
+ description: >-
59
+ Use Unique Passwords
60
+ implementation_groups:
61
+ - IG2
62
+ - IG3
63
+ additional_info: >-
@@ -0,0 +1,45 @@
1
+ ---
2
+ id: 5.2.3
3
+ name: limit_prod_access
4
+ title: Ensure access to production environment is limited
5
+ profile: 1
6
+ category: deployment
7
+ sub_category: deployment_environment
8
+ description: >-
9
+ Restrict access to the production environment to a few trusted and qualified users only.
10
+ rationale: >-
11
+ The production environment is an extremely sensitive one. It directly affects the
12
+ customer experience and trust in a product, which has serious effects on the
13
+ organization itself. Because of this sensitive nature, it is important to restrict access to
14
+ the production environment to only a few trusted and qualified users. This will reduce
15
+ the risk of mistakes such as exposure of secrets or misconfiguration. This restriction
16
+ also reduces the number of accounts that are vulnerable to hijacking in order to
17
+ potentially harm the production environment.
18
+ impact: >-
19
+ Reducing the number of users who have access to the production environment means
20
+ those users would lose their ability to make direct changes to that environment.
21
+ audit: >-
22
+ Verify that the production environment is accessible only to trusted and qualified users.
23
+ remediation: >-
24
+ Restrict access to the production environment to trusted and qualified users.
25
+ default_value:
26
+ references:
27
+ cis_controls:
28
+ - id: 16.8
29
+ version: 8
30
+ name: Separate Production and Non-Production Systems
31
+ description: >-
32
+ Maintain separate environments for production and non-production systems.
33
+ implementation_groups:
34
+ - IG2
35
+ - IG3
36
+ - id: 18.9
37
+ version: 7
38
+ name: Separate Production and Non-Production Systems
39
+ description: >-
40
+ Maintain separate environments for production and nonproduction systems.
41
+ Developers should not have unmonitored access to production environments.
42
+ implementation_groups:
43
+ - IG2
44
+ - IG3
45
+ additional_info: >-
@@ -0,0 +1,12 @@
1
+ # 5.2 Deployment Environment
2
+
3
+ This section consists of security recommendations for the management of the deployment environment.
4
+
5
+ The deployment environment is the orchestrator and the production environment where the application is deployed. It directly affects the customer experience and trust in a product, which has serious effects on the organization itself. Securing it varies from access management to automation.
6
+
7
+ ## Recommendations
8
+
9
+ * [5.2.1 - automate_deployment.yml](./automate_deployment.yml)
10
+ * [5.2.2 - reproducible_deployment.yml](./reproducible_deployment.yml)
11
+ * [5.2.3 - limit_prod_access.yml](./limit_prod_access.yml)
12
+ * [5.2.4 - disable_default_passwords.yml](./disable_default_passwords.yml)
@@ -0,0 +1,50 @@
1
+ ---
2
+ id: 5.2.2
3
+ name: reproducible_deployment
4
+ title: Ensure the deployment environment is reproducible
5
+ profile: 1
6
+ category: deployment
7
+ sub_category: deployment_environment
8
+ description: >-
9
+ Verify that the deployment environment - the orchestrator and the production
10
+ environment where the application is deployed - is reproducible. This means that the
11
+ environment stays the same in each deployment if the configuration has not changed.
12
+ rationale: >-
13
+ A reproducible build is a build that produces the same artifact when given the same
14
+ input data, and in this case the same environment. Ensuring that the same environment
15
+ is produced when given the same input helps verify that no change has been made to it.
16
+ This action allows an organization to trust that its deployment environment is built only
17
+ from safe code and configuration that has been reviewed and tested and has not been
18
+ tainted or changed abruptly.
19
+ impact: >-
20
+ audit: >-
21
+ Verify that the deployment/production environment is reproducible.
22
+ remediation: >-
23
+ Adjust the process that deploys the deployment/production environment to build the
24
+ same environment each time when the configuration has not changed.
25
+ default_value:
26
+ references:
27
+ cis_controls:
28
+ - id: 16.1
29
+ version: 8
30
+ name: Establish and Maintain a Secure Application Development Process
31
+ description: >-
32
+ Establish and maintain a secure application development process. In the
33
+ process, address such items as: secure application design standards, secure coding
34
+ practices, developer training, vulnerability management, security of third-party code,
35
+ and application security testing procedures. Review and update documentation
36
+ annually, or when significant enterprise changes occur that could impact this
37
+ Safeguard.
38
+ implementation_groups:
39
+ - IG2
40
+ - IG3
41
+ - id: 18.1
42
+ version: 7
43
+ name: Establish and Maintain a Secure Application Development Process
44
+ description: >-
45
+ Establish secure coding practices appropriate to the programming language and
46
+ development environment being used.
47
+ implementation_groups:
48
+ - IG2
49
+ - IG3
50
+ additional_info: >-
@@ -0,0 +1,10 @@
1
+ # 5 Deployment
2
+
3
+ This section consists of security recommendations for management of the release process, the application deployment, and the configuration files that comes with it.
4
+
5
+ This is the final phase of the software supply chain. After that, the client already uses the application, and it is running in production. This phase contains the deployment orchestrator, the deployment configuration, the manifest files, and the deployment environment. It is important to secure all of these to deliver the software to the client safely.
6
+
7
+ ## Sections
8
+
9
+ - [5.1 - Deployment Configuration](./deployment_configuration_5_1)
10
+ - [5.2 - Deployment Environment](./deployment_environment_5_2)
@@ -0,0 +1,24 @@
1
+ # Controls
2
+
3
+ * [1 - Source Code](./source_code_1)
4
+ * [1.1 - Code Changes](./source_code_1/code_changes_1_1)
5
+ * [1.2 - Repository Management](./source_code_1/repository_management_1_2)
6
+ * [1.3 - Contribution Access](./source_code_1/contribution_access_1_3)
7
+ * [1.4 - Third-Party](./source_code_1/third_party_1_4)
8
+ * [1.5 - Code Risks](./source_code_1/code_risks_1_5)
9
+ * [2 - Build Pipelines](./build_pipelines_2)
10
+ * [2.1 - Build Environment](./build_pipelines_2/build_environment_2_1)
11
+ * [2.2 - Build Worker](./build_pipelines_2/build_worker_2_2)
12
+ * [2.3 - Pipeline Instructions](./build_pipelines_2/pipeline_instructions_2_3)
13
+ * [2.4 - Pipeline Integrity](./build_pipelines_2/pipeline_integrity_2_4)
14
+ * [3 - Dependencies](./dependencies_3)
15
+ * [3.1 - Third-Party Packages](./dependencies_3/third_party_packages_3_1)
16
+ * [3.2 - Validate Packages](./dependencies_3/validate_packages_3_2)
17
+ * [4 - Artifacts](./artifacts_4)
18
+ * [4.1 - Verification](./artifacts_4/verification_4_1)
19
+ * [4.2 - Access to Artifacts](./artifacts_4/access_to_artifacts_4_2)
20
+ * [4.3 - Package Registries](./artifacts_4/package_registries_4_3)
21
+ * [4.4 - Origin Traceability](./artifacts_4/origin_traceability_4_4)
22
+ * [5 - Deployment](./deployment_5)
23
+ * [5.1 - Deployment Configuration](./deployment_5/deployment_configuration_5_1)
24
+ * [5.2 - Deployment Environment](./deployment_5/deployment_environment_5_2)
@@ -0,0 +1,56 @@
1
+ ---
2
+ id: 1.1.19
3
+ name: audit_branch_protections
4
+ title: Ensure any changes to branch protection rules are audited
5
+ profile: 1
6
+ category: source_code
7
+ sub_category: code_changes
8
+ description: >-
9
+ Ensure that changes in the branch protection rules are audited.
10
+ rationale: >-
11
+ Branch protection rules should be configured on every repository. The only users who
12
+ may change such rules are administrators. In a case of an attack on an administrator
13
+ account or of human error on the part of an administrator, protection rules could be
14
+ disabled, and thus decrease source code confidentiality as a result. It is important to
15
+ track and audit such changes to prevent potential incidents as soon as possible.
16
+ impact: >-
17
+ audit: |
18
+ Ensure that changes in the branch protection rules are audited regularly. You can view audit events from user actions across an entire GitLab instance.
19
+
20
+ To view instance audit events:
21
+ 1. On the left sidebar, select Search or go to.
22
+ 2. Select Admin Area.
23
+ 3. On the left sidebar, select Monitoring > Audit Events.
24
+ 4. Filter by the following:Event Type protected_branch_updated. This event type is triggered when the setting for protected branches is updated.
25
+ 5. Ensure every action is reasonable and secure and is investigated if not.
26
+ remediation: |
27
+ Use the audit log to audit changes in branch protection rules by performing the following:
28
+ 1. On the left sidebar, select Search or go to.
29
+ 2. Select Admin Area.
30
+ 3. On the left sidebar, select Monitoring > Audit Events.
31
+ 4. Filter by the following:Event Type protected_branch_updated
32
+ 5. Ensure every action is reasonable and secure and is investigated if not.
33
+ default_value:
34
+ references:
35
+ - https://docs.gitlab.com/ee/administration/audit_event_streaming/audit_event_types.html
36
+ cis_controls:
37
+ - id: 8.5
38
+ version: 8
39
+ name: Collect Detailed Audit Logs
40
+ description: >-
41
+ Configure detailed audit logging for enterprise assets containing sensitive data.
42
+ Include event source, date, username, timestamp, source addresses, destination
43
+ addresses, and other useful elements that could assist in a forensic investigation.
44
+ implementation_groups:
45
+ - IG2
46
+ - IG3
47
+ - id: 6.2
48
+ version: 8
49
+ name: Activate audit logging
50
+ description: >-
51
+ Ensure that local logging has been enabled on all systems and networking devices.
52
+ implementation_groups:
53
+ - IG1
54
+ - IG2
55
+ - IG3
56
+ additional_info: >-
@@ -0,0 +1,62 @@
1
+ ---
2
+ id: 1.1.18
3
+ name: auto_risk_scan_merges
4
+ title: Ensure any merging of code is automatically scanned for risks
5
+ profile: 1
6
+ category: source_code
7
+ sub_category: code_changes
8
+ description: >-
9
+ Ensure that every merge request is required to be scanned for risks.
10
+ rationale: >-
11
+ Scanning merge requests to detect risks allows for early detection of vulnerable code
12
+ and/or dependencies and helps mitigate potentially malicious code.
13
+ impact: >-
14
+ audit: |
15
+ For each project in use, ensure that every merge request must be scanned for risks by performing the following:
16
+ On the left sidebar, select Search or go to and search for the go-example-a project.
17
+ 1. Go to Secure > Policies.
18
+ 2. Review your list of existing policies. The Policy Type column will indicate whether you have enabled a Scan Execution Policy for the specified project.
19
+ 3. Click on the Name in order to view the policy details which specifies which scanners run when code is merged.
20
+ remediation: |
21
+ For each project in use, ensure that every merge request must be scanned for risks by creating a scan execution policy:
22
+ 1. On the left sidebar, select Search or go to and search for the go-example-a project.
23
+ 2. Go to Secure > Policies.
24
+ 3. Select New policy.
25
+ 4. In the Scan execution policy section, select Select policy.
26
+ 5. Complete the fields.
27
+ • Name: Enforce secret detection.
28
+ • Policy status: Enabled.
29
+ • Actions: Run a Secret Detection scan.
30
+ • Conditions: Triggers every time a pipeline runs for all branches.
31
+ 6. Select Configure with a merge request.
32
+ The policy project go-example-a - Security project is created, and a merge request is created.
33
+ 7. Optional. Review the generated policy YAML in the merge request's Changes tab.
34
+ 8. Go to the Overview tab and select Merge.
35
+ 9. On the left sidebar, select Search or go to and search for the go-example-a project.
36
+ 10. Go to Secure > Policies.
37
+
38
+ You now have a scan execution policy that runs a secret detection scan on every MR,
39
+ for any branch. Test the policy by creating a merge request in project A.
40
+ default_value:
41
+ references:
42
+ - https://docs.gitlab.com/ee/user/application_security/index.html#enforce-scan-execution
43
+ - https://docs.gitlab.com/ee/user/application_security/policies/scan-execution-policies.html
44
+ cis_controls:
45
+ - id: 16.12
46
+ version: 8
47
+ name: Implement Code-Level Security Checks
48
+ description: >-
49
+ Apply static and dynamic analysis tools within the application life cycle to
50
+ verify that secure coding practices are being followed.
51
+ implementation_groups:
52
+ - IG3
53
+ - id: 18.7
54
+ version: 8
55
+ name: Apply Static and Dynamic Code Analysis Tools
56
+ description: >-
57
+ Apply static and dynamic analysis tools to verify that secure coding
58
+ practices are being adhered to for internally developed software.
59
+ implementation_groups:
60
+ - IG2
61
+ - IG3
62
+ additional_info: >-
@@ -0,0 +1,60 @@
1
+ ---
2
+ id: 1.1.14
3
+ name: branch_protections_for_admins
4
+ title: Ensure branch protection rules are enforced for administrators
5
+ profile: 1
6
+ category: source_code
7
+ sub_category: code_changes
8
+ description: >-
9
+ Ensure administrators are subject to branch protection rules.
10
+ rationale: >-
11
+ Administrators by default are excluded from any branch protection rules. This means
12
+ these privileged users (both on the repository and organization levels) are not subject to
13
+ protections meant to prevent untrusted code insertion, including malicious code. This is
14
+ extremely important since administrator accounts are often targeted for account
15
+ hijacking due to their privileged role.
16
+ impact: >-
17
+ Administrator users won't be able to push code directly to the protected branch without
18
+ being compliant with listed branch protection rules.
19
+ audit: |
20
+ GitLab administrators can validate this privilege for group owners, enforcing the instance-level protection rule:
21
+ 1. Select Settings > Repository.
22
+ 2. On the left sidebar, at the bottom, select Admin Area.
23
+ 3. Expand the Default branch section.
24
+ 4. Ensure that the Allow owners to manage default branch protection per group is unchecked.
25
+ 5. Select Save changes.
26
+ remediation: |
27
+ GitLab administrators can disable this privilege for group owners, enforcing the instance-level protection rule:
28
+ 1. On the left sidebar, at the bottom, select Admin Area.
29
+ 2. Select Settings > Repository.
30
+ 3. Expand the Default branch section.
31
+ 4. Uncheck Allow owners to manage default branch protection per group checkbox.
32
+ 5. Select Save changes.
33
+ default_value: Administrator accounts are not subject to branch protection rules by default.
34
+ references:
35
+ - https://docs.gitlab.com/ee/user/project/repository/branches/default.html
36
+ - https://docs.gitlab.com/ee/user/project/protected_branches.html#who-can-modify-a-protected-branch
37
+ cis_controls:
38
+ - id: 16.1
39
+ version: 8
40
+ name: Establish and Maintain a Secure Application Development Process
41
+ description: >-
42
+ Establish and maintain a secure application development process. In the
43
+ process, address such items as: secure application design standards, secure coding
44
+ practices, developer training, vulnerability management, security of third-party code,
45
+ and application security testing procedures. Review and update documentation
46
+ annually, or when significant enterprise changes occur that could impact this
47
+ Safeguard.
48
+ implementation_groups:
49
+ - IG2
50
+ - IG3
51
+ - id: 18.1
52
+ version: 7
53
+ name: Establish Secure Coding Practices
54
+ description: >-
55
+ Establish secure coding practices appropriate to the programming language and
56
+ development environment being used.
57
+ implementation_groups:
58
+ - IG2
59
+ - IG3
60
+ additional_info: >-
@@ -0,0 +1,56 @@
1
+ ---
2
+ id: 1.1.10
3
+ name: branches_updated_before_merging
4
+ title: Ensure open Git branches are up to date before they can be merged into code base
5
+ profile: 1
6
+ category: source_code
7
+ sub_category: code_changes
8
+ description: >-
9
+ Organizations should make sure each suggested code change is in full sync with the
10
+ existing state of its origin code repository before allowing merging.
11
+ rationale: >-
12
+ Git branches can easily become outdated since the origin code repository is constantly
13
+ being edited. This means engineers working on separate code branches can
14
+ accidentally include outdated code with potential security issues which might have
15
+ already been fixed, overriding the potential solutions for those security issues when
16
+ merging their own changes.
17
+ impact: >-
18
+ If enforced, outdated branches would not be able to be merged into their origin
19
+ repository without first being updated to contain any recent changes.
20
+ audit: |
21
+ For each project, verify that open branches must be updated before merging by performing the following:
22
+ • Navigate to the main page of the project
23
+ • In the sidebar, select Settings > Merge requests
24
+ • Look at the 'Merge method'. If 'Merge commit with semi-linear history' or 'Fast-forward merge' is selected, the project is compliant.
25
+ remediation: |
26
+ For each project identified as being non-compliant, performing the following:
27
+ • Navigate to the main page of the project
28
+ • In the sidebar, select Settings > Merge requests
29
+ • Under the 'Merge method' select either 'Merge commit with semi-linear history' or 'Fast-forward merge'.
30
+ default_value: By default, there is no requirement to update a branch before merging it.
31
+ references:
32
+ - https://docs.gitlab.com/ee/user/project/merge_requests/methods/
33
+ cis_controls:
34
+ - id: 16.1
35
+ version: 8
36
+ name: Establish and Maintain a Secure Application Development Process
37
+ description: >-
38
+ Establish and maintain a secure application development process. In the
39
+ process, address such items as: secure application design standards, secure coding
40
+ practices, developer training, vulnerability management, security of third-party code,
41
+ and application security testing procedures. Review and update documentation
42
+ annually, or when significant enterprise changes occur that could impact this
43
+ Safeguard.
44
+ implementation_groups:
45
+ - IG2
46
+ - IG3
47
+ - id: 18.1
48
+ version: 7
49
+ name: Establish Secure Coding Practices
50
+ description: >-
51
+ Establish secure coding practices appropriate to the programming language and
52
+ development environment being used.
53
+ implementation_groups:
54
+ - IG2
55
+ - IG3
56
+ additional_info: >-
@@ -0,0 +1,57 @@
1
+ ---
2
+ id: 1.1.9
3
+ name: checks_pass_before_merging
4
+ title: Ensure all checks have passed before merging new code
5
+ profile: 1
6
+ category: source_code
7
+ sub_category: code_changes
8
+ description: >-
9
+ Before a code change request can be merged to the code base, all predefined checks
10
+ must successfully pass.
11
+ rationale: >-
12
+ On top of manual reviews of code changes, a code protect should contain a set of
13
+ prescriptive checks which validate each change. Organizations should enforce those
14
+ status checks so that changes can only be introduced if all checks have successfully
15
+ passed. This set of checks should serve as the absolute quality, stability, and security
16
+ conditions which must be met in order to merge new code to a project.
17
+ impact: >-
18
+ Code changes in which all checks do not pass successfully would not be able to be
19
+ pushed into the code base of the specific code repository.
20
+ audit: |
21
+ Within each project's settings, you can see a list of status check services added to the project:
22
+ 1. In your project, go to Settings > Merge requests section.
23
+ 2. Scroll down to Status checks.
24
+ 3. Ensure that the Status checks must succeed checkbox has been selected.
25
+ remediation: |
26
+ To block the merging of merge requests when checks fail:
27
+ 1. On the left sidebar, select Search or go to and find your project.
28
+ 2. Select Settings > Merge requests.
29
+ 3. Select the Status checks must succeed checkbox.
30
+ 4. Select Save changes.
31
+ default_value: By default, no checks are defined per project, and thus no enforcement of checks is made.
32
+ references:
33
+ - https://docs.gitlab.com/ee/user/project/merge_requests/status_checks.html
34
+ cis_controls:
35
+ - id: 16.1
36
+ version: 8
37
+ name: Establish and Maintain a Secure Application Development Process
38
+ description: >-
39
+ Establish and maintain a secure application development process. In the
40
+ process, address such items as: secure application design standards, secure coding
41
+ practices, developer training, vulnerability management, security of third-party code,
42
+ and application security testing procedures. Review and update documentation
43
+ annually, or when significant enterprise changes occur that could impact this
44
+ Safeguard.
45
+ implementation_groups:
46
+ - IG2
47
+ - IG3
48
+ - id: 18.1
49
+ version: 7
50
+ name: Establish Secure Coding Practices
51
+ description: >-
52
+ Establish secure coding practices appropriate to the programming language and
53
+ development environment being used.
54
+ implementation_groups:
55
+ - IG2
56
+ - IG3
57
+ additional_info: >-
@@ -0,0 +1,62 @@
1
+ ---
2
+ id: 1.1.4
3
+ name: code_approval_dismissals
4
+ title: Ensure previous approvals are dismissed when updates are introduced to a code change proposal
5
+ profile: 1
6
+ category: source_code
7
+ sub_category: code_changes
8
+ description: >-
9
+ Ensure that when a proposed code change is updated, previous approvals are declined,
10
+ and new approvals are required.
11
+ rationale: >-
12
+ An approval process is necessary when code changes are suggested. Through this
13
+ approval process, however, changes can still be made to the original proposal even
14
+ after some approvals have already been given. This means malicious code can find its
15
+ way into the code base even if the organization has enforced a review policy. To ensure
16
+ this is not possible, outdated approvals must be declined when changes to the
17
+ suggestion are introduced.
18
+ impact: >-
19
+ If new code changes are pushed to a specific proposal, all previously accepted code
20
+ change proposals must be declined.
21
+ audit: |
22
+ For each code repository in use, perform the next steps to verify that each updated code suggestion declines the previously received approvals:
23
+ • On GitLab, navigate to the main page of a repository.
24
+ • Navigate to Settings > Merge Requests.
25
+ • Click Expand next to the Merge Request Approvals section.
26
+ • Verify the repository has merge request approvals configured on all protected branches.
27
+ • Verify that "Remove all approvals" is selected under Approval Settings for "When a commit is added".
28
+ remediation: |
29
+ For each code repository in use, perform the next steps to enforce dismissal of given approvals to code change suggestions if those suggestions were updated:
30
+ • On GitLab, navigate to the main page of a repository.
31
+ • Navigate to Settings > Merge Requests.
32
+ • Click Expand next to the Merge Request Approvals section.
33
+ • Configure approval rules and a list of eligible approvers for all protected branches (or all branches).
34
+ • Select Remove all approvals under "When a commit is added".
35
+ • Click Save changes
36
+ default_value:
37
+ references:
38
+ - https://docs.gitlab.com/ee/user/project/merge_requests/approvals/rules.html
39
+ cis_controls:
40
+ - id: 16.1
41
+ version: 8
42
+ name: Establish and Maintain a Secure Application Development Process
43
+ description: >-
44
+ Establish and maintain a secure application development process. In the
45
+ process, address such items as: secure application design standards, secure coding
46
+ practices, developer training, vulnerability management, security of third-party code,
47
+ and application security testing procedures. Review and update documentation
48
+ annually, or when significant enterprise changes occur that could impact this
49
+ Safeguard.
50
+ implementation_groups:
51
+ - IG2
52
+ - IG3
53
+ - id: 18.1
54
+ version: 7
55
+ name: Establish Secure Coding Practices
56
+ description: >-
57
+ Establish secure coding practices appropriate to the programming language and
58
+ development environment being used.
59
+ implementation_groups:
60
+ - IG2
61
+ - IG3
62
+ additional_info: >-