
SOC2 Merge Request Standards


I have almost gotten GitLab approved in my company, but my auditors came up with one last issue. It seems that there is nothing in GitLab to prevent a master user from completing their own merge request into the master branch. This is a violation of the SOC2 standards, which state that a developer's code must be reviewed by a person other than the developer. What this means for us is that we need to figure out a way to prevent a master (the only ones allowed to complete merge requests) from completing a request that contains code they themselves have changed, or a request they themselves have started.

EDIT: I figured I had better outline why this is in SOC2. This particular chapter in SOC2 is designed to prevent developers from introducing trojan horses into the code base. Think Office Space and Superman 2. So with an enterprise like mine, where we have a code base of about 103 million lines (last time we counted) across both our platforms and about 1200 - 1300 developers with about 1.5% churn annually, it's not particularly hard for a disgruntled employee to bury code that can do bad things. This requirement from SOC2 is intended to make it impossible for any single person to put code onto a server that hasn't been looked at by a minimum of two sets of eyes. In the world I'm trying to build, only code in the master branch goes to a server, and code only gets into the master branch by a pull request. Therefore, a master can't review their own code. That, coupled with https://gitlab.com/gitlab-org/gitlab-ce/issues/12736 to close other major security gaps that exist in the permissions system (like the master being able to turn off the code review checks, people other than admins being able to create repositories, etc.), may actually get this thing SOC2 compliant.
