Aptible Comply Documentation


Description

GitLab is a web-based or self-hosted source code version control tool used by engineering teams to manage code. Integrating with GitLab creates an inventory of your code repos in Comply and runs automations to ensure they are configured securely.


GitLab.com vs GitLab Self-Managed

Please note that at this time, our turn-key integration requires that your organization be subscribed to GitLab.com. GitLab Self-Managed users should contact support for assistance in getting set up.

Benefits

Up-to-date asset inventory
Not all of your code repos will be in scope of your ISMS. By maintaining this list over time, you’ll be able to more quickly react to requests from auditors when they are investigating your SDLC policies. Additionally, you can leverage procedures to automatically trigger processes when code repos are added or removed from GitLab (e.g. conduct a risk analysis when a code repo is created or remove sensitive data the code repository was utilizing).

Automatic SDLC monitoring and evidence
We automatically record every Merge Request which occurs as an event in Comply. These events are then processed by our customizable automations and recorded as evidence that you can use in an audit. Read more about events and automations here and scroll down to see details on the events provided.

Security

We use a read only API token and only access the group of repos you specify.

Automations

Automation: Code Repo Pull Request Approval
Description: Ensures that pull (merge) requests are reviewed by someone other than the author prior to merge.
Returns: Comply creates an issue if a pull (merge) request was either not approved or approved by the author.
Framework Mappings: ISO: A.12.1.2, A.12.1.4, A.14.2.2; SOC 2: CC3.4, CC7.1, CC8.1

Automation: Code Repo Pull Request CI
Description: Ensures code tests using continuous integration ("CI") were run and were passing prior to merge.
Returns: Comply creates an issue if CI failed prior to merge.
Framework Mappings: SOC 2: CC8.1

Events

GitLab provides Pull Request Merged events. We automatically tag each one based on the review and CI status of the Merge Request.

Review Tags:

  • Approved - The Merge Request was approved before merging.
  • Approved by Author - The Merge Request was approved only by its author.
  • Not Approved - The Merge Request was not approved before merging.

CI Tags:

  • CI Success - All GitLab CI passed before merging.
  • CI Failure - GitLab CI did not fully pass before merging (at least one CI item failed).
  • We also generate a specific tag for each CI item in case you want more granular control.
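The tagging rules above, and the two automations that consume them, in working form. This is an added illustration and not Aptible Comply's code; the input shape (the merge request author's user id, the user ids that approved it, and the head pipeline's CI jobs with their final status) is an assumption about what an integration would pull from the GitLab API, and treating a merge with no CI jobs at all as "CI Failure" is a conservative choice made here, not something the page states.

```python
"""Derive review/CI tags for a merged GitLab merge request and decide which
automations would raise an issue. Added example; input shape is assumed."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class MergedRequest:
    iid: int                      # project-scoped merge request number
    author_id: int                # GitLab user id of the MR author
    approver_ids: List[int] = field(default_factory=list)   # users who approved
    ci_jobs: Dict[str, str] = field(default_factory=dict)   # job name -> status


def review_tag(mr: MergedRequest) -> str:
    """Approved / Approved by Author / Not Approved, as described above."""
    if not mr.approver_ids:
        return "Not Approved"
    # An approval only counts if someone other than the author gave it.
    if all(uid == mr.author_id for uid in mr.approver_ids):
        return "Approved by Author"
    return "Approved"


def ci_tags(mr: MergedRequest) -> List[str]:
    """Overall CI tag plus one granular tag per CI item."""
    # Assumption: no pipeline at all is treated as a failure, not a pass.
    passed = bool(mr.ci_jobs) and all(s == "success" for s in mr.ci_jobs.values())
    tags = ["CI Success" if passed else "CI Failure"]
    for name, status in sorted(mr.ci_jobs.items()):
        tags.append(f"CI {name}: {status}")
    return tags


def tags_for(mr: MergedRequest) -> List[str]:
    return [review_tag(mr)] + ci_tags(mr)


def issues_for(mr: MergedRequest) -> List[str]:
    """Names of the automations (from the table above) that would open an issue."""
    issues = []
    if review_tag(mr) != "Approved":
        issues.append("Code Repo Pull Request Approval")
    if "CI Failure" in ci_tags(mr):
        issues.append("Code Repo Pull Request CI")
    return issues


# Constructed sample merge requests (not real data).
SAMPLE_MRS = {
    "reviewed": MergedRequest(iid=41, author_id=7, approver_ids=[12],
                              ci_jobs={"test": "success", "lint": "success"}),
    "self_approved": MergedRequest(iid=42, author_id=7, approver_ids=[7],
                                   ci_jobs={"test": "failed"}),
    "unreviewed_no_ci": MergedRequest(iid=43, author_id=7),
}

if __name__ == "__main__":
    for label, mr in SAMPLE_MRS.items():
        print(f"MR !{mr.iid} ({label}): tags={tags_for(mr)} issues={issues_for(mr)}")
```

Only the "reviewed" sample comes through clean; the other two would each produce both issues, which is the evidence trail an auditor reviewing SDLC controls is looking for.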

Setup

  1. Navigate to the Integrations tab in Comply, click Add Integration, and select GitLab.
  2. Create a personal access token. In GitLab under Settings (top right corner) > Access Tokens (left navigation), fill out the form and select the “read_api” scope. Copy the resulting token into the form.
  3. Enter the GitLab Group ID you want us to read repos from. We will only look at repos in this group.

Automatic Evidence Setup
Once you've created your integration, you will need to configure a webhook before automated evidence of all merge requests will be catalogued in Comply.

  1. Copy your integration's ID. This is available on the detail page.
  2. Navigate to the GitLab Group you used in the integration setup. Go to Settings > Webhooks.
  3. Fill in the URL with https://comply-api.aptible.com/webhooks/gitlab/callback?integration_id={YOUR_INTEGRATION_ID}. Select the "Merge request events" box. Click "Add webhook".
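What the webhook configured above delivers, and the checks a receiving endpoint applies before trusting it. This is an added example and not Aptible Comply's receiver: it models the callback URL from the steps above (integration_id carried in the query string), requires the X-Gitlab-Event header GitLab sets for merge request hooks, and only records deliveries whose object_attributes.action is "merge". The secret check is an assumption: it applies only if a "Secret token" is set in GitLab's webhook form, which GitLab then sends in the X-Gitlab-Token header; the page itself does not mention one. The payload is constructed for the example.

```python
"""Validate and parse a GitLab "Merge request events" webhook delivery.
Added example; the receiver logic and the secret-token check are assumptions."""
import hmac
import json
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

CALLBACK_PATH = "/webhooks/gitlab/callback"  # path from the setup steps


def parse_callback(url: str) -> Optional[str]:
    """Return the integration_id from the callback URL, or None if absent."""
    parts = urlsplit(url)
    if parts.path != CALLBACK_PATH:
        return None
    ids = parse_qs(parts.query).get("integration_id", [])
    return ids[0] if len(ids) == 1 and ids[0] else None


def accept_delivery(url: str, headers: Dict[str, str], body: str,
                    expected_secret: Optional[str]) -> Tuple[int, str, Optional[dict]]:
    """Return (http_status, reason, record) where record is the merge to catalogue."""
    integration_id = parse_callback(url)
    if integration_id is None:
        return 404, "unknown integration", None
    # Assumed: reject deliveries that do not carry the configured secret.
    if expected_secret is not None:
        supplied = headers.get("X-Gitlab-Token", "")
        if not hmac.compare_digest(supplied, expected_secret):
            return 401, "bad webhook secret", None
    if headers.get("X-Gitlab-Event") != "Merge Request Hook":
        return 400, "not a merge request event", None
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        return 400, "malformed JSON", None
    attrs = payload.get("object_attributes") or {}
    # Opens, updates and approvals also arrive on this hook; only merges are evidence.
    if payload.get("object_kind") != "merge_request" or attrs.get("action") != "merge":
        return 202, "ignored: not a merge", None
    record = {
        "integration_id": integration_id,
        "project_id": (payload.get("project") or {}).get("id"),
        "iid": attrs.get("iid"),
        "merge_commit_sha": attrs.get("merge_commit_sha"),
    }
    return 200, "merge recorded", record


# Constructed sample delivery (placeholder ids, not real data).
SAMPLE_URL = "https://comply-api.aptible.com/webhooks/gitlab/callback?integration_id=INTEGRATION_ID_PLACEHOLDER"
SAMPLE_SECRET = "constructed-secret"
SAMPLE_HEADERS = {"X-Gitlab-Event": "Merge Request Hook", "X-Gitlab-Token": SAMPLE_SECRET}
SAMPLE_BODY = json.dumps({
    "object_kind": "merge_request",
    "project": {"id": 1001},
    "object_attributes": {"iid": 41, "action": "merge", "merge_commit_sha": "deadbeef"},
})

if __name__ == "__main__":
    print(accept_delivery(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_BODY, SAMPLE_SECRET))
```

Returning 202 for non-merge actions rather than an error keeps GitLab from retrying or disabling the hook, while still cataloguing only completed merges.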

Troubleshooting

The most common problems when setting up the integration are:

  • Incorrect scopes on the personal access token.
  • Mistakes entering the personal access token or group id.
  • You're using a self-hosted GitLab instance. Please contact support in this case.

If you receive an error message when trying to sync your integration, please check the above items and contact [email protected] if the problem persists.

Updated 3 months ago
