Skip to content

Add the FedRAMP::Vulnerability label to the standard AppSec triage labels

James Hebden requested to merge jhebden-add-fedramp-label-appsec-process into master

Why is this change being made?

The ~FedRAMP::Vulnerability label has been introduced to help in tracking vulnerabilities across GitLab, to aid in FedRAMP compliance initiatives.

As part of the AppSec triage process for vulnerabilities identified by scanners, the bugvulnerability and security labels are added, and it would be helpful to add ~FedRAMP::Vulnerability as part of this process to ensure vulnerabilities in GitLab maintained application codebases fall into scope for FedRAMP compliance initiatives and related reporting.

This helps team members involved in FedRAMP compliance & reporting accurately identify in-scope vulnerabilities and lessens the amount of manual work required in performing FedRAMP compliance tasks.

Author Checklist

  • Provided a concise title for this Merge Request (MR)
  • Added a description to this MR explaining the reasons for the proposed change, per say why, not just what
    • Copy/paste the Slack conversation to document it for later, or upload screenshots. Verify that no confidential data is added, and the content is SAFE
  • Assign reviewers for this MR to the correct Directly Responsible Individual/s (DRI)
    • If the DRI for the page/s being updated isn’t immediately clear, then assign it to one of the people listed in the Maintained by section on the page being edited
    • If your manager does not have merge rights, please ask someone to merge it AFTER it has been approved by your manager in #mr-buddies
    • The when to get approval handbook section explains the workflow in more detail
  • If the changes affect team members, or warrant an announcement in another way, please consider posting an update in #whats-happening-at-gitlab linking to this MR
    • If this is a change that directly impacts the majority of global team members, it should be a candidate for #company-fyi. Please work with internal communications and check the handbook for examples.

Merge request reports

Loading