
Compliance Frameworks

Purpose of this guide

This guide will walk you through using GitLab's Compliance Frameworks feature to validate that controls are in place in your Workshop Namespace.

What is a Compliance Framework?

Compliance Frameworks serve as a list of compliance requirements that a given project must adhere to, as well as a mechanism for reporting whether those requirements are met and for applying security policies that implement them in each project.

Compliance Frameworks are created and managed at the Workshop Namespace level, allowing for consistency across different teams in how requirements are measured and met.

Creating your first Compliance Framework

Compliance Frameworks must be created at the Namespace level, by a Namespace Owner.

  1. Visit your Namespace's main page
  2. In the left sidebar, click Secure -> Compliance center
  3. Click the New framework button in the top right corner
  4. Follow the steps in Import framework if you want to start with an existing framework, or click Create blank framework
  5. Add or edit any of the information in the Basic information and Requirements sections as needed
  6. Note the Name you gave this Compliance Framework, as it will be needed to connect projects to this framework

Import framework

Workshop publishes some starter frameworks that you can easily import.

  1. Visit Workshop's public compliance content project
  2. Download one or more of the JSON files from the compliance-frameworks folder
  3. Back in the New framework page, click Import framework and upload the JSON file you downloaded in step 2
  4. Continue the main instructions

Connecting Compliance Frameworks to Projects

Once you have created a Compliance Framework, you must use your Workshop Config project to register each project with that Framework.

To do this, edit your cg-workshop.yml file to add the compliance_frameworks key to each project that should have the Framework applied to it:

./cg-workshop.yml

    projects:
      example-project-path:
        name: Example Project Name
        # other settings omitted for brevity
        compliance_frameworks:
          - Compliance Framework Name

Up to 20 compliance frameworks can be applied to a single project, and each one must already have been created before it can be added using the Config project.
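The following is an added example (not part of the Workshop tooling or this guide) of a pre-commit check for the Config project: it walks the parsed cg-workshop.yml, confirms that each project's compliance_frameworks entry is a list of names, that no project exceeds the 20-framework limit, and that every name matches a framework already created in the Compliance center. The sample config and the set of existing framework names are constructed here; in real use the names would come from your Namespace's Compliance center.

```python
"""Check compliance_frameworks entries in a cg-workshop.yml config before committing."""
from typing import Any

MAX_FRAMEWORKS_PER_PROJECT = 20  # per-project limit stated in the Workshop docs

# Constructed sample: the shape cg-workshop.yml has after YAML parsing.
SAMPLE_CONFIG: dict[str, Any] = {
    "projects": {
        "example-project-path": {
            "name": "Example Project Name",
            "compliance_frameworks": ["Compliance Framework Name", "Example Framework B"],
        },
        "other-project": {"name": "Other Project", "compliance_frameworks": ["Not Yet Created"]},
        "too-many": {"name": "Too Many", "compliance_frameworks": [f"Framework {i}" for i in range(21)]},
    }
}
# Constructed: names of frameworks that already exist in the Compliance center.
SAMPLE_EXISTING = {"Compliance Framework Name", "Example Framework B"} | {f"Framework {i}" for i in range(21)}


def load_config(path: str) -> dict[str, Any]:
    """Load a real cg-workshop.yml; needs PyYAML (assumed installed only for this path)."""
    import yaml  # third-party dependency, imported lazily so the checks run without it
    with open(path, encoding="utf-8") as fh:
        return yaml.safe_load(fh) or {}


def validate_compliance_frameworks(config: dict[str, Any], existing: set[str]) -> list[str]:
    """Return a list of problems; an empty list means every project's entry is valid."""
    problems: list[str] = []
    for path, project in (config.get("projects") or {}).items():
        names = (project or {}).get("compliance_frameworks")
        if names is None:
            continue  # key is optional: this project simply has no framework applied
        if not isinstance(names, list) or not all(isinstance(n, str) for n in names):
            problems.append(f"{path}: compliance_frameworks must be a list of framework names")
            continue
        if len(names) > MAX_FRAMEWORKS_PER_PROJECT:
            problems.append(f"{path}: {len(names)} frameworks listed, limit is {MAX_FRAMEWORKS_PER_PROJECT}")
        for dup in sorted({n for n in names if names.count(n) > 1}):
            problems.append(f"{path}: framework '{dup}' is listed more than once")
        for name in names:
            if name not in existing:  # must be created in the Compliance center first
                problems.append(f"{path}: framework '{name}' has not been created in the Compliance center")
    return problems


if __name__ == "__main__":
    for problem in validate_compliance_frameworks(SAMPLE_CONFIG, SAMPLE_EXISTING):
        print(problem)
```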

GSA.gov

An official website of the U.S. General Services Administration
