Category Direction - Dependency Firewall


Many projects depend on packages that may come from unknown or unverified providers, introducing potential security vulnerabilities. GitLab already provides dependency scanning across a variety of languages to alert users of any known security vulnerabilities, but we currently do not allow organizations to prevent those vulnerabilities from being downloaded to begin with.

The goal of this category will be to leverage the dependency proxy, which proxies and caches dependencies, to give more control and visibility to security and compliance teams. We will do this by allowing users to create and maintain an approved/banned list of dependencies, providing more insight into the usage and impact of external dependencies and by ensuring the GitLab Security Dashboard is the single source of truth for all security related issues.

By preventing the introduction of security vulnerabilities further upstream, organizations can let their development teams work faster and more efficiently.

This page is maintained by the Product Manager for Package, Tim Rizzi (E-mail)

Use cases

What's next & why

gitlab-#215393 will flag any npm packages that are pulled through the Dependency Proxy that have recently had the author name or email updated to ensure that users are aware of any suspicious changes.introduce the concept of approved/banned lists for external dependencies.

Maturity Plan

This category is currently at the "Planned" maturity level, and our next maturity target is Minimal (see our definitions of maturity levels). Key deliverables to achieve this are:

Competitive landscape

JFrog utilizes a combination of their Bintray and XRay products, to proxy, cache and screen dependencies. They also provide dependency graphs across multiple languages and centralized dashboards for the review and remediation of vulnerabilities. It is a mature product, that is generally well received by users.

GitHub's new package registry does a really nice job of creating visibility into the dependency graph for a given package, but they do not give users the ability to control which packages are used in a given group/project. ​​

Top Customer Success/Sales issue(s)

This is a new category and does not yet have any customer success or sales issues.

Top user issue(s)

The top user issue is gitlab-ce#55374 which aims to capture and make use of the various meta data associated with images and packages.

Top internal customer issue(s)

This is a new category and has not yet received any internal customer issues.

Top Vision Item(s)

Our top vision item is gitlab-ee#13761 which will introduce the concept of approved and banned dependencies to Gitlab.