Differences from GitLab.com
As an instance of GitLab Dedicated for Government (GDG), Workshop may differ from the experience on GitLab.com with respect to certain settings and features.
Some details about Workshop's particular settings can be found on our instance configuration page.
Platform version
To improve security and stability, and in light of the elevated compliance requirements of GDG, Workshop runs about one minor version behind the current GitLab.com release.
You can find current version numbers on Workshop's help page.
Security scanning
| Scanner | GitLab default behavior | Workshop default behavior | How to revert to GitLab behavior |
|---|---|---|---|
| Dependency-Scanning.latest.gitlab-ci.yml | Uses the deprecated gemnasium-based scanner | Runs the updated SBOM-based scanner | Set the CI variable DS_ENFORCE_NEW_ANALYZER=false at the Project or Group level |
| DAST.gitlab-ci.yml | Does not run scans on Merge Request pipelines | Runs scans on Merge Request Pipelines | Set the CI variable AST_ENABLE_MR_PIPELINES=false at the Project or Group level |
| SAST.gitlab-ci.yml | Does not run scans on Merge Request pipelines | Runs scans on Merge Request Pipelines | Set the CI variable AST_ENABLE_MR_PIPELINES=false at the Project or Group level |
Workshop changes these behaviors by setting Instance-level variables. See the documentation on CI/CD variable precedence for why you must override them at the Project or Group level.
Egress traffic control
The Workshop Runner Service prevents uncontrolled egress traffic from your CI/CD runners. To update your runner's allowlist, send us a support request.
The request should list the program technologies you are using or the individual hostnames you would like to allow or deny.
Uncontrolled egress
To get access to a runner that is allowed uncontrolled egress traffic, send us a support request. This is sometimes necessary to support jobs that are incompatible with egress proxies, but it comes with security tradeoffs.
CI/CD
Workshop uses a custom CI/CD runner that executes jobs on Cloud.gov.
Connecting to services
If a service alias is not defined, Workshop will fall back to a random identifier.
| Service config | GitLab connection style | Workshop connection style |
|---|---|---|
| services.0.name: postgres:latest | psql://postgres | N/A, alias is required to know host in advance |
| services.0.alias: my_psql_db | psql://my_psql_db | psql://$WSR_SERVICE_HOST_my_psql_db |
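
The following helper is an added example, not Workshop's own code. It lets one job script build the connection URL from the table above on either platform. It assumes Workshop exports a variable named WSR_SERVICE_HOST_<alias> for every service alias, which is generalized from the single my_psql_db row. The function names service_host and service_url are hypothetical.

```shell
# Added example. Assumption: Workshop sets WSR_SERVICE_HOST_<alias> for each
# service alias (generalized from WSR_SERVICE_HOST_my_psql_db in the table).

# service_host ALIAS
# Prints the host a job should connect to for the given service alias.
service_host() {
    _wsr_alias=$1
    # Accept only characters that are valid in a shell variable name, so the
    # eval below can never execute text smuggled in through the alias.
    # The page does not say how other characters (such as "-") are mapped,
    # so those aliases are rejected instead of guessed at.
    case $_wsr_alias in
        ''|*[!A-Za-z0-9_]*)
            echo "service_host: unsupported alias '$_wsr_alias'" >&2
            return 2
            ;;
    esac
    # Indirect lookup of WSR_SERVICE_HOST_<alias>; empty when unset.
    eval "_wsr_host=\${WSR_SERVICE_HOST_${_wsr_alias}:-}"
    if [ -n "$_wsr_host" ]; then
        printf '%s\n' "$_wsr_host"    # Workshop connection style
    else
        printf '%s\n' "$_wsr_alias"   # GitLab connection style: alias is the hostname
    fi
}

# service_url SCHEME ALIAS
# Prints SCHEME://HOST using the host chosen by service_host.
service_url() {
    _wsr_h=$(service_host "$2") || return $?
    printf '%s://%s\n' "$1" "$_wsr_h"
}
```

In a job's script section, service_url psql my_psql_db then yields psql://my_psql_db on GitLab.com and the Workshop-provided host on Workshop.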