Skip to main content
All CollectionsCompliance
Example Evidence Gitlab On-Prem
Example Evidence Gitlab On-Prem
Ashley Hyman avatar
Written by Ashley Hyman
Updated over a week ago

Below are a list of the tests that we normally conduct for Gitlab and the examples of evidence that will need to be uploaded for an audit:

MFA on Version Control - Associated control DCF-67 MFA on Accounts

Evidence here would be a screenshot showing all human users in your on-prem Gitlab have MFA enabled, or a screenshot of any settings that enforce MFA for all users, such as SSO required, etc.

Employees Have Unique Version Control Accounts - Associated control DCF-71 Unique Accounts Used and Only Authorized Employees Access Version Control - Associated control DCF-4 Version Control System

Evidence here could be a listing of all users with access to your on-prem Gitlab where each user is mapped to an employee or contractor. Putting together this list can also serve as the 'Authorization' piece, since the compliance person creating this document is essentially performing a review in order to put this together.

Version Control Accounts Properly Removed - Associated control DCF-70 Terminated Personnel Access Revoked Timely

Evidence would be screenshots showing that access to your on-prem Gitlab was revoked from terminated employees or contractors within the SLA defined in the System Access Control Policy.

Version Control System is Used - Associated control DCF-4 Version Control System

A screenshot should be provided showing that Gitlab is being used for version control. A dedicated screenshot would not be needed, as the other screenshots discussed here can fulfill this purpose.

Production Code Changes Are Restricted - Associated control DCF-6 Production Changes Restricted Evidence could be a list of screenshots of users that have 'Merge' access within Gitlab.
Note: this control only applies if code being Merged to the default branch in Gitlab triggers their automation to deploy the changes to Production.

Formal Code Review Process - Associated control DCF-5 Change Review Process

Evidence would be a list of all changes within the observation period along with evidence along with evidence to show that each change was peer reviewed or a screenshot of the settings on the relevant repositories that shows code review is enforced.

Only Authorized Employees Change Code - Associated control DCF-4 Version Control System Evidence would be a list of users that have 'Write' access within Gitlab and that those users are authorized/approved.

Did this answer your question?