# Geo security review (Q&A)
> 原文:[https://docs.gitlab.com/ee/administration/geo/replication/security_review.html](https://docs.gitlab.com/ee/administration/geo/replication/security_review.html)
* [Business Model](#business-model)
* [What geographic areas does the application service?](#what-geographic-areas-does-the-application-service)
* [Data Essentials](#data-essentials)
* [What data does the application receive, produce, and process?](#what-data-does-the-application-receive-produce-and-process)
* [How can the data be classified into categories according to its sensitivity?](#how-can-the-data-be-classified-into-categories-according-to-its-sensitivity)
* [What data backup and retention requirements have been defined for the application?](#what-data-backup-and-retention-requirements-have-been-defined-for-the-application)
* [End-Users](#end-users)
* [Who are the application’s end‐users?](#who-are-the-applications-endusers)
* [How do the end‐users interact with the application?](#how-do-the-endusers-interact-with-the-application)
* [What security expectations do the end‐users have?](#what-security-expectations-do-the-endusers-have)
* [Administrators](#administrators)
* [Who has administrative capabilities in the application?](#who-has-administrative-capabilities-in-the-application)
* [What administrative capabilities does the application offer?](#what-administrative-capabilities-does-the-application-offer)
* [Network](#network)
* [What details regarding routing, switching, firewalling, and load‐balancing have been defined?](#what-details-regarding-routing-switching-firewalling-and-loadbalancing-have-been-defined)
* [What core network devices support the application?](#what-core-network-devices-support-the-application)
* [What network performance requirements exist?](#what-network-performance-requirements-exist)
* [What private and public network links support the application?](#what-private-and-public-network-links-support-the-application)
* [Systems](#systems)
* [What operating systems support the application?](#what-operating-systems-support-the-application)
* [What details regarding required OS components and lock‐down needs have been defined?](#what-details-regarding-required-os-components-and-lockdown-needs-have-been-defined)
* [Infrastructure Monitoring](#infrastructure-monitoring)
* [What network and system performance monitoring requirements have been defined?](#what-network-and-system-performance-monitoring-requirements-have-been-defined)
* [What mechanisms exist to detect malicious code or compromised application components?](#what-mechanisms-exist-to-detect-malicious-code-or-compromised-application-components)
* [What network and system security monitoring requirements have been defined?](#what-network-and-system-security-monitoring-requirements-have-been-defined)
* [Virtualization and Externalization](#virtualization-and-externalization)
* [What aspects of the application lend themselves to virtualization?](#what-aspects-of-the-application-lend-themselves-to-virtualization)
* [What virtualization requirements have been defined for the application?](#what-virtualization-requirements-have-been-defined-for-the-application)
* [What aspects of the product may or may not be hosted via the cloud computing model?](#what-aspects-of-the-product-may-or-may-not-be-hosted-via-the-cloud-computing-model)
* [If applicable, what approach(es) to cloud computing will be taken (Managed Hosting versus “Pure” Cloud, a “full machine” approach such as AWS-EC2 versus a “hosted database” approach such as AWS-RDS and Azure, etc)?](#if-applicable-what-approaches-to-cloud-computing-will-be-taken-managed-hosting-versus-pure-cloud-a-full-machine-approach-such-as-aws-ec2-versus-a-hosted-database-approach-such-as-aws-rds-and-azure-etc)
* [Environment](#environment)
* [What frameworks and programming languages have been used to create the application?](#what-frameworks-and-programming-languages-have-been-used-to-create-the-application)
* [What process, code, or infrastructure dependencies have been defined for the application?](#what-process-code-or-infrastructure-dependencies-have-been-defined-for-the-application)
* [What databases and application servers support the application?](#what-databases-and-application-servers-support-the-application)
* [How will database connection strings, encryption keys, and other sensitive components be stored, accessed, and protected from unauthorized detection?](#how-will-database-connection-strings-encryption-keys-and-other-sensitive-components-be-stored-accessed-and-protected-from-unauthorized-detection)
* [Data Processing](#data-processing)
* [What data entry paths does the application support?](#what-data-entry-paths-does-the-application-support)
* [What data output paths does the application support?](#what-data-output-paths-does-the-application-support)
* [How does data flow across the application’s internal components?](#how-does-data-flow-across-the-applications-internal-components)
* [What data input validation requirements have been defined?](#what-data-input-validation-requirements-have-been-defined)
* [What data does the application store and how?](#what-data-does-the-application-store-and-how)
* [What data is or may need to be encrypted and what key management requirements have been defined?](#what-data-is-or-may-need-to-be-encrypted-and-what-key-management-requirements-have-been-defined)
* [What capabilities exist to detect the leakage of sensitive data?](#what-capabilities-exist-to-detect-the-leakage-of-sensitive-data)
* [What encryption requirements have been defined for data in transit - including transmission over WAN, LAN, SecureFTP, or publicly accessible protocols such as http: and https:?](#what-encryption-requirements-have-been-defined-for-data-in-transit---including-transmission-over-wan-lan-secureftp-or-publicly-accessible-protocols-such-as-http-and-https)
* [Access](#access)
* [What user privilege levels does the application support?](#what-user-privilege-levels-does-the-application-support)
* [What user identification and authentication requirements have been defined?](#what-user-identification-and-authentication-requirements-have-been-defined)
* [What user authorization requirements have been defined?](#what-user-authorization-requirements-have-been-defined)
* [What session management requirements have been defined?](#what-session-management-requirements-have-been-defined)
* [What access requirements have been defined for URI and Service calls?](#what-access-requirements-have-been-defined-for-uri-and-service-calls)
* [Application Monitoring](#application-monitoring)
* [What application auditing requirements have been defined? How are audit and debug logs accessed, stored, and secured?](#what-application-auditing-requirements-have-been-defined-how-are-audit-and-debug-logs-accessed-stored-and-secured)
# Geo security review (Q&A)[](#geo-security-review-qa-premium-only "Permalink")
以下對地理功能集的安全性審查集中于該功能的安全性方面,因為它們適用于運行自己的 GitLab 實例的客戶. 復習題部分基于[owasp.org](https://owasp.org/)的[OWASP 應用程序安全驗證標準項目](https://owasp.org/www-project-application-security-verification-standard/) .
## Business Model[](#business-model "Permalink")
### What geographic areas does the application service?[](#what-geographic-areas-does-the-application-service "Permalink")
* 這因客戶而異. Geo 使客戶可以部署到多個區域,然后他們可以選擇自己的位置.
* 區域和節點選擇完全是手動的.
## Data Essentials[](#data-essentials "Permalink")
### What data does the application receive, produce, and process?[](#what-data-does-the-application-receive-produce-and-process "Permalink")
* Geo 幾乎在站點之間流傳輸 GitLab 實例保存的所有數據. 這包括完整的數據庫復制,大多數文件(用戶上傳的附件等)以及存儲庫+ Wiki 數據. 在典型的配置中,這將在公共 Internet 上發生,并經過 TLS 加密.
* PostgreSQL 復制是 TLS 加密的.
* 另請參閱: [僅應支持 TLSv1.2](https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/2948)
### How can the data be classified into categories according to its sensitivity?[](#how-can-the-data-be-classified-into-categories-according-to-its-sensitivity "Permalink")
* GitLab’s model of sensitivity is centered around public vs. internal vs. private projects. Geo replicates them all indiscriminately. “Selective sync” exists for files and repositories (but not database content), which would permit only less-sensitive projects to be replicated to a **secondary** node if desired.
* 另請參閱: [GitLab 數據分類策略](https://about.gitlab.com/handbook/engineering/security/data-classification-policy.html) .
### What data backup and retention requirements have been defined for the application?[](#what-data-backup-and-retention-requirements-have-been-defined-for-the-application "Permalink")
* Geo 旨在提供應用程序數據的某些子集的復制. 它是解決方案的一部分,而不是問題的一部分.
## End-Users[](#end-users "Permalink")
### Who are the application’s end‐users?[](#who-are-the-applications-endusers "Permalink")
* **輔助**節點在是遙遠(在互聯網延遲而言)從主 GitLab 安裝( **主**節點)區創建. 打算由通常使用**主**節點的任何人使用它們,他們發現**輔助**節點距離它們更近(就 Internet 延遲而言).
### How do the end‐users interact with the application?[](#how-do-the-endusers-interact-with-the-application "Permalink")
* **輔助**節點提供了**主**節點執行的所有接口(特別是 HTTP / HTTPS Web 應用程序以及 HTTP / HTTPS 或 SSH Git 存儲庫訪問),但僅限于只讀活動. 設想主要用例是從**輔助**節點克隆 Git 存儲庫以支持**主**節點,但是最終用戶可以使用 GitLab Web 界面查看項目,問題,合并請求,摘要等.
### What security expectations do the end‐users have?[](#what-security-expectations-do-the-endusers-have "Permalink")
* 復制過程必須是安全的. 例如,在整個公共 Internet 上以純文本格式傳輸整個數據庫內容或所有文件和存儲庫通常是不可接受的.
* **輔助**節點必須對其內容具有與**主**節點相同的訪問控制-未經身份驗證的用戶不能通過查詢**輔助**節點來獲得對**主**節點上特權信息的訪問.
* 攻擊者必須不能將**輔助**節點模擬為**主要**節點,從而不能訪問特權信息.
## Administrators[](#administrators "Permalink")
### Who has administrative capabilities in the application?[](#who-has-administrative-capabilities-in-the-application "Permalink")
* 沒有特定于地理位置的信息. 在數據庫中設置了`admin: true`任何用戶都被視為具有超級用戶特權的 admin.
* 另請參閱: [更詳細的訪問控制](https://gitlab.com/gitlab-org/gitlab/-/issues/18242) (不是特定于地理位置的).
* Geo 的許多集成(例如,數據庫復制)必須由應用程序配置,通常由系統管理員配置.
### What administrative capabilities does the application offer?[](#what-administrative-capabilities-does-the-application-offer "Permalink")
* 具有管理訪問權限的用戶可以添加,修改或刪除**輔助**節點.
* 復制過程可以通過 Sidekiq 管理控件進行控制(啟動/停止).
## Network[](#network "Permalink")
### What details regarding routing, switching, firewalling, and load‐balancing have been defined?[](#what-details-regarding-routing-switching-firewalling-and-loadbalancing-have-been-defined "Permalink")
* Geo 要求**主要**節點和**次要**節點能夠通過 TCP / IP 網絡相互通信. 特別是, **輔助**節點必須能夠訪問**主**節點上的 HTTP / HTTPS 和 PostgreSQL 服務.
### What core network devices support the application?[](#what-core-network-devices-support-the-application "Permalink")
* 因客戶而異.
### What network performance requirements exist?[](#what-network-performance-requirements-exist "Permalink")
* **主**節點和**輔助**節點之間的最大復制速度受到站點之間可用帶寬的限制. 沒有硬性要求-完成復制的時間(以及跟上**主**節點的更改的能力)取決于數據集的大小,對延遲的容忍度以及可用的網絡容量.
### What private and public network links support the application?[](#what-private-and-public-network-links-support-the-application "Permalink")
* 客戶選擇自己的網絡. 由于打算將站點在地理位置上分開,因此可以設想,復制流量將在典型部署中通過公共 Internet 傳遞,但這不是必需的.
## Systems[](#systems "Permalink")
### What operating systems support the application?[](#what-operating-systems-support-the-application "Permalink")
* Geo 對操作系統沒有任何其他限制(有關更多詳細信息,請參見[GitLab 安裝](https://about.gitlab.com/install/)頁面),但是我們建議您使用[Geo 文檔中](index.html#requirements-for-running-geo)列出的操作系統.
### What details regarding required OS components and lock‐down needs have been defined?[](#what-details-regarding-required-os-components-and-lockdown-needs-have-been-defined "Permalink")
* 受支持的安裝方法(Omnibus)打包了大多數組件本身.
* 系統安裝的 OpenSSH 守護程序(Geo 要求用戶設置自定義身份驗證方法)和 omnibus 或系統提供的 PostgreSQL 守護程序(必須配置為偵聽 TCP,必須添加其他用戶和復制插槽)之間存在很大的依賴關系,等等).
* 處理安全更新的過程(例如,如果 OpenSSH 或其他服務中存在重大漏洞,并且客戶希望在 OS 上修補這些服務)與非 Geo 情況相同:對 OpenSSH 的安全更新為通過通常的分發渠道提供給用戶. Geo 在那里沒有延遲.
## Infrastructure Monitoring[](#infrastructure-monitoring "Permalink")
### What network and system performance monitoring requirements have been defined?[](#what-network-and-system-performance-monitoring-requirements-have-been-defined "Permalink")
* 沒有特定于 Ge??o 的內容.
### What mechanisms exist to detect malicious code or compromised application components?[](#what-mechanisms-exist-to-detect-malicious-code-or-compromised-application-components "Permalink")
* 沒有特定于 Ge??o 的內容.
### What network and system security monitoring requirements have been defined?[](#what-network-and-system-security-monitoring-requirements-have-been-defined "Permalink")
* 沒有特定于 Ge??o 的內容.
## Virtualization and Externalization[](#virtualization-and-externalization "Permalink")
### What aspects of the application lend themselves to virtualization?[](#what-aspects-of-the-application-lend-themselves-to-virtualization "Permalink")
* All.
## What virtualization requirements have been defined for the application?[](#what-virtualization-requirements-have-been-defined-for-the-application "Permalink")
* 沒有特定于地理位置的信息,但是在這樣的環境中,GitLab 中的所有內容都需要具有完整的功能.
### What aspects of the product may or may not be hosted via the cloud computing model?[](#what-aspects-of-the-product-may-or-may-not-be-hosted-via-the-cloud-computing-model "Permalink")
* GitLab 是"云原生"的,這不僅適用于 Geo,還適用于產品的其余部分. 在云中進行部署是常見且受支持的方案.
## If applicable, what approach(es) to cloud computing will be taken (Managed Hosting versus “Pure” Cloud, a “full machine” approach such as AWS-EC2 versus a “hosted database” approach such as AWS-RDS and Azure, etc)?[](#if-applicable-what-approaches-to-cloud-computing-will-be-taken-managed-hosting-versus-pure-cloud-a-full-machine-approach-such-as-aws-ec2-versus-a-hosted-database-approach-such-as-aws-rds-and-azure-etc "Permalink")
* 由我們的客戶根據他們的運營需求來決定.
## Environment[](#environment "Permalink")
### What frameworks and programming languages have been used to create the application?[](#what-frameworks-and-programming-languages-have-been-used-to-create-the-application "Permalink")
* Ruby on Rails,Ruby.
### What process, code, or infrastructure dependencies have been defined for the application?[](#what-process-code-or-infrastructure-dependencies-have-been-defined-for-the-application "Permalink")
* 沒有特定于 Ge??o 的內容.
### What databases and application servers support the application?[](#what-databases-and-application-servers-support-the-application "Permalink")
* PostgreSQL> = 11,Redis,Sidekiq,Puma.
### How will database connection strings, encryption keys, and other sensitive components be stored, accessed, and protected from unauthorized detection?[](#how-will-database-connection-strings-encryption-keys-and-other-sensitive-components-be-stored-accessed-and-protected-from-unauthorized-detection "Permalink")
* 有一些特定于地理位置的值. 有些是共享機密,必須在設置時將其從**主**節點安全地傳輸到**輔助**節點. 我們的文檔建議通過 SSH 將它們從**主**節點傳輸到系統管理員,然后以相同方式回傳到**輔助**節點. 特別是,這包括 PostgreSQL 復制憑證和一個秘密密鑰( `db_key_base` ),該密鑰用于解密數據庫中的某些列. `db_key_base`秘密與其他許多秘密一起未加密地存儲在文件系統中的`/etc/gitlab/gitlab-secrets.json` . 他們沒有休息保護.
## Data Processing[](#data-processing "Permalink")
### What data entry paths does the application support?[](#what-data-entry-paths-does-the-application-support "Permalink")
* 數據是通過 GitLab 本身公開的 Web 應用程序輸入的. 使用 GitLab 服務器上的系統管理命令(例如`gitlab-ctl set-primary-node` )也輸入了一些數據.
* **輔助**節點還通過 PostgreSQL 流復制從**主**節點接收輸入.
### What data output paths does the application support?[](#what-data-output-paths-does-the-application-support "Permalink")
* **主**節點通過 PostgreSQL 流復制輸出到**輔助**節點. 否則,主要是通過 GitLab 本身公開的 Web 應用程序以及最終用戶啟動的 SSH `git clone`操作.
### How does data flow across the application’s internal components?[](#how-does-data-flow-across-the-applications-internal-components "Permalink")
* **輔助**節點和**主**節點通過 HTTP / HTTPS(受 JSON Web 令牌保護)和 PostgreSQL 流復制進行交互.
* 在**主**節點或**輔助**節點內,SSOT 是文件系統和數據庫(包括**輔助**節點上的 Geo 跟蹤數據庫). 精心安排了各種內部組件以對這些存儲進行更改.
### What data input validation requirements have been defined?[](#what-data-input-validation-requirements-have-been-defined "Permalink")
* **輔助**節點必須忠實地復制**主**節點的數據.
### What data does the application store and how?[](#what-data-does-the-application-store-and-how "Permalink")
* Git 存儲庫和文件,與它們相關的跟蹤信息以及 GitLab 數據庫內容.
### What data is or may need to be encrypted and what key management requirements have been defined?[](#what-data-is-or-may-need-to-be-encrypted-and-what-key-management-requirements-have-been-defined "Permalink")
* **主**節點或**輔助**節點都不會加密靜態的 Git 存儲庫或文件系統數據. 數據庫列的子集使用`db_otp_key`加密.
* 在 GitLab 部署中的所有主機之間共享的靜態機密.
* 在傳輸過程中,盡管應用程序確實允許通信以未加密的方式進行,但是數據應該被加密. 兩個主要過程是 PostgreSQL 和 Git 存儲庫/文件的**輔助**節點復制過程. 兩者均應使用 TLS 保護,并通過現有配置通過 Omnibus 管理該密鑰,以供最終用戶訪問 GitLab.
### What capabilities exist to detect the leakage of sensitive data?[](#what-capabilities-exist-to-detect-the-leakage-of-sensitive-data "Permalink")
* 存在全面的系統日志,跟蹤與 GitLab 和 PostgreSQL 的每個連接.
### What encryption requirements have been defined for data in transit - including transmission over WAN, LAN, SecureFTP, or publicly accessible protocols such as http: and https:?[](#what-encryption-requirements-have-been-defined-for-data-in-transit---including-transmission-over-wan-lan-secureftp-or-publicly-accessible-protocols-such-as-http-and-https "Permalink")
* 數據必須具有在傳輸過程中進行加密的選項,并且必須能夠抵抗被動和主動攻擊(例如,不可能進行 MITM 攻擊).
## Access[](#access "Permalink")
### What user privilege levels does the application support?[](#what-user-privilege-levels-does-the-application-support "Permalink")
* Geo 添加了一種類型的特權: **輔助**節點可以訪問特殊的 Geo API,以通過 HTTP / HTTPS 下載文件,以及使用 HTTP / HTTPS 克隆存儲庫.
### What user identification and authentication requirements have been defined?[](#what-user-identification-and-authentication-requirements-have-been-defined "Permalink")
* **輔助**節點基于共享數據庫(HTTP 訪問)或 PostgreSQL 復制用戶(用于數據庫復制)通過 OAuth 或 JWT 身份驗證向 Geo **主**節點標識. 數據庫復制還需要定義基于 IP 的訪問控制.
### What user authorization requirements have been defined?[](#what-user-authorization-requirements-have-been-defined "Permalink")
* **輔助**節點只能*讀取*數據. 他們當前無法對**主**節點上的數據進行突變.
### What session management requirements have been defined?[](#what-session-management-requirements-have-been-defined "Permalink")
* 地理 JWT 被定義為僅持續兩分鐘,然后需要重新生成.
* Geo JWT 是為以下特定范圍之一生成的:
* Geo API 訪問.
* Git 訪問.
* LFS 和文件 ID.
* 上傳和文件 ID.
* 作業工件和文件 ID.
### What access requirements have been defined for URI and Service calls?[](#what-access-requirements-have-been-defined-for-uri-and-service-calls "Permalink")
* **輔助**節點對**主**節點的 API 進行了許多調用. 例如,這就是文件復制的進行方式. 只能使用 JWT 令牌訪問此端點.
* **主**節點還調用**輔助**節點以獲取狀態信息.
## Application Monitoring[](#application-monitoring "Permalink")
### What application auditing requirements have been defined? How are audit and debug logs accessed, stored, and secured?[](#what-application-auditing-requirements-have-been-defined-how-are-audit-and-debug-logs-accessed-stored-and-secured "Permalink")
* 結構化 JSON 日志將寫入文件系統,也可以將其提取到 Kibana 安裝中以進行進一步分析.
- GitLab Docs
- Installation
- Requirements
- GitLab cloud native Helm Chart
- Install GitLab with Docker
- Installation from source
- Install GitLab on Microsoft Azure
- Installing GitLab on Google Cloud Platform
- Installing GitLab on Amazon Web Services (AWS)
- Analytics
- Code Review Analytics
- Productivity Analytics
- Value Stream Analytics
- Kubernetes clusters
- Adding and removing Kubernetes clusters
- Adding EKS clusters
- Adding GKE clusters
- Group-level Kubernetes clusters
- Instance-level Kubernetes clusters
- Canary Deployments
- Cluster Environments
- Deploy Boards
- GitLab Managed Apps
- Crossplane configuration
- Cluster management project (alpha)
- Kubernetes Logs
- Runbooks
- Serverless
- Deploying AWS Lambda function using GitLab CI/CD
- Securing your deployed applications
- Groups
- Contribution Analytics
- Custom group-level project templates
- Epics
- Manage epics
- Group Import/Export
- Insights
- Issues Analytics
- Iterations
- Public access
- SAML SSO for GitLab.com groups
- SCIM provisioning using SAML SSO for GitLab.com groups
- Subgroups
- Roadmap
- Projects
- GitLab Secure
- Security Configuration
- Container Scanning
- Dependency Scanning
- Dependency List
- Static Application Security Testing (SAST)
- Secret Detection
- Dynamic Application Security Testing (DAST)
- GitLab Security Dashboard
- Offline environments
- Standalone Vulnerability pages
- Security scanner integration
- Badges
- Bulk editing issues and merge requests at the project level
- Code Owners
- Compliance
- License Compliance
- Compliance Dashboard
- Create a project
- Description templates
- Deploy Keys
- Deploy Tokens
- File finder
- Project integrations
- Integrations
- Atlassian Bamboo CI Service
- Bugzilla Service
- Custom Issue Tracker service
- Discord Notifications service
- Enabling emails on push
- GitHub project integration
- Hangouts Chat service
- Atlassian HipChat
- Irker IRC Gateway
- GitLab Jira integration
- Mattermost Notifications Service
- Mattermost slash commands
- Microsoft Teams service
- Mock CI Service
- Prometheus integration
- Redmine Service
- Slack Notifications Service
- Slack slash commands
- GitLab Slack application
- Webhooks
- YouTrack Service
- Insights
- Issues
- Crosslinking Issues
- Design Management
- Confidential issues
- Due dates
- Issue Boards
- Issue Data and Actions
- Labels
- Managing issues
- Milestones
- Multiple Assignees for Issues
- Related issues
- Service Desk
- Sorting and ordering issue lists
- Issue weight
- Associate a Zoom meeting with an issue
- Merge requests
- Allow collaboration on merge requests across forks
- Merge Request Approvals
- Browser Performance Testing
- How to create a merge request
- Cherry-pick changes
- Code Quality
- Load Performance Testing
- Merge Request dependencies
- Fast-forward merge requests
- Merge when pipeline succeeds
- Merge request conflict resolution
- Reverting changes
- Reviewing and managing merge requests
- Squash and merge
- Merge requests versions
- Draft merge requests
- Members of a project
- Migrating projects to a GitLab instance
- Import your project from Bitbucket Cloud to GitLab
- Import your project from Bitbucket Server to GitLab
- Migrating from ClearCase
- Migrating from CVS
- Import your project from FogBugz to GitLab
- Gemnasium
- Import your project from GitHub to GitLab
- Project importing from GitLab.com to your private GitLab instance
- Import your project from Gitea to GitLab
- Import your Jira project issues to GitLab
- Migrating from Perforce Helix
- Import Phabricator tasks into a GitLab project
- Import multiple repositories by uploading a manifest file
- Import project from repo by URL
- Migrating from SVN to GitLab
- Migrating from TFVC to Git
- Push Options
- Releases
- Repository
- Branches
- Git Attributes
- File Locking
- Git file blame
- Git file history
- Repository mirroring
- Protected branches
- Protected tags
- Push Rules
- Reduce repository size
- Signing commits with GPG
- Syntax Highlighting
- GitLab Web Editor
- Web IDE
- Requirements Management
- Project settings
- Project import/export
- Project access tokens (Alpha)
- Share Projects with other Groups
- Snippets
- Static Site Editor
- Wiki
- Project operations
- Monitor metrics for your CI/CD environment
- Set up alerts for Prometheus metrics
- Embedding metric charts within GitLab-flavored Markdown
- Embedding Grafana charts
- Using the Metrics Dashboard
- Dashboard YAML properties
- Metrics dashboard settings
- Panel types for dashboards
- Using Variables
- Templating variables for metrics dashboards
- Prometheus Metrics library
- Monitoring AWS Resources
- Monitoring HAProxy
- Monitoring Kubernetes
- Monitoring NGINX
- Monitoring NGINX Ingress Controller
- Monitoring NGINX Ingress Controller with VTS metrics
- Alert Management
- Error Tracking
- Tracing
- Incident Management
- GitLab Status Page
- Feature Flags
- GitLab CI/CD
- GitLab CI/CD pipeline configuration reference
- GitLab CI/CD include examples
- Introduction to CI/CD with GitLab
- Getting started with GitLab CI/CD
- How to enable or disable GitLab CI/CD
- Using SSH keys with GitLab CI/CD
- Migrating from CircleCI
- Migrating from Jenkins
- Auto DevOps
- Getting started with Auto DevOps
- Requirements for Auto DevOps
- Customizing Auto DevOps
- Stages of Auto DevOps
- Upgrading PostgreSQL for Auto DevOps
- Cache dependencies in GitLab CI/CD
- GitLab ChatOps
- Cloud deployment
- Docker integration
- Building Docker images with GitLab CI/CD
- Using Docker images
- Building images with kaniko and GitLab CI/CD
- GitLab CI/CD environment variables
- Predefined environment variables reference
- Where variables can be used
- Deprecated GitLab CI/CD variables
- Environments and deployments
- Protected Environments
- GitLab CI/CD Examples
- Test a Clojure application with GitLab CI/CD
- Using Dpl as deployment tool
- Testing a Phoenix application with GitLab CI/CD
- End-to-end testing with GitLab CI/CD and WebdriverIO
- DevOps and Game Dev with GitLab CI/CD
- Deploy a Spring Boot application to Cloud Foundry with GitLab CI/CD
- How to deploy Maven projects to Artifactory with GitLab CI/CD
- Testing PHP projects
- Running Composer and NPM scripts with deployment via SCP in GitLab CI/CD
- Test and deploy Laravel applications with GitLab CI/CD and Envoy
- Test and deploy a Python application with GitLab CI/CD
- Test and deploy a Ruby application with GitLab CI/CD
- Test and deploy a Scala application to Heroku
- GitLab CI/CD for external repositories
- Using GitLab CI/CD with a Bitbucket Cloud repository
- Using GitLab CI/CD with a GitHub repository
- GitLab Pages
- GitLab Pages
- GitLab Pages domain names, URLs, and baseurls
- Create a GitLab Pages website from scratch
- Custom domains and SSL/TLS Certificates
- GitLab Pages integration with Let's Encrypt
- GitLab Pages Access Control
- Exploring GitLab Pages
- Incremental Rollouts with GitLab CI/CD
- Interactive Web Terminals
- Optimizing GitLab for large repositories
- Metrics Reports
- CI/CD pipelines
- Pipeline Architecture
- Directed Acyclic Graph
- Multi-project pipelines
- Parent-child pipelines
- Pipelines for Merge Requests
- Pipelines for Merged Results
- Merge Trains
- Job artifacts
- Pipeline schedules
- Pipeline settings
- Triggering pipelines through the API
- Review Apps
- Configuring GitLab Runners
- GitLab CI services examples
- Using MySQL
- Using PostgreSQL
- Using Redis
- Troubleshooting CI/CD
- GitLab Package Registry
- GitLab Container Registry
- Dependency Proxy
- GitLab Composer Repository
- GitLab Conan Repository
- GitLab Maven Repository
- GitLab NPM Registry
- GitLab NuGet Repository
- GitLab PyPi Repository
- API Docs
- API resources
- .gitignore API
- GitLab CI YMLs API
- Group and project access requests API
- Appearance API
- Applications API
- Audit Events API
- Avatar API
- Award Emoji API
- Project badges API
- Group badges API
- Branches API
- Broadcast Messages API
- Project clusters API
- Group clusters API
- Instance clusters API
- Commits API
- Container Registry API
- Custom Attributes API
- Dashboard annotations API
- Dependencies API
- Deploy Keys API
- Deployments API
- Discussions API
- Dockerfiles API
- Environments API
- Epics API
- Events
- Feature Flags API
- Feature flag user lists API
- Freeze Periods API
- Geo Nodes API
- Group Activity Analytics API
- Groups API
- Import API
- Issue Boards API
- Group Issue Boards API
- Issues API
- Epic Issues API
- Issues Statistics API
- Jobs API
- Keys API
- Labels API
- Group Labels API
- License
- Licenses API
- Issue links API
- Epic Links API
- Managed Licenses API
- Markdown API
- Group and project members API
- Merge request approvals API
- Merge requests API
- Project milestones API
- Group milestones API
- Namespaces API
- Notes API
- Notification settings API
- Packages API
- Pages domains API
- Pipeline schedules API
- Pipeline triggers API
- Pipelines API
- Project Aliases API
- Project import/export API
- Project repository storage moves API
- Project statistics API
- Project templates API
- Projects API
- Protected branches API
- Protected tags API
- Releases API
- Release links API
- Repositories API
- Repository files API
- Repository submodules API
- Resource label events API
- Resource milestone events API
- Resource weight events API
- Runners API
- SCIM API
- Search API
- Services API
- Application settings API
- Sidekiq Metrics API
- Snippets API
- Project snippets
- Application statistics API
- Suggest Changes API
- System hooks API
- Tags API
- Todos API
- Users API
- Project-level Variables API
- Group-level Variables API
- Version API
- Vulnerabilities API
- Vulnerability Findings API
- Wikis API
- GraphQL API
- Getting started with GitLab GraphQL API
- GraphQL API Resources
- API V3 to API V4
- Validate the .gitlab-ci.yml (API)
- User Docs
- Abuse reports
- User account
- Active sessions
- Deleting a User account
- Permissions
- Personal access tokens
- Profile preferences
- Threads
- GitLab and SSH keys
- GitLab integrations
- Git
- GitLab.com settings
- Infrastructure as code with Terraform and GitLab
- GitLab keyboard shortcuts
- GitLab Markdown
- AsciiDoc
- GitLab Notification Emails
- GitLab Quick Actions
- Autocomplete characters
- Reserved project and group names
- Search through GitLab
- Advanced Global Search
- Advanced Syntax Search
- Time Tracking
- GitLab To-Do List
- Administrator Docs
- Reference architectures
- Reference architecture: up to 1,000 users
- Reference architecture: up to 2,000 users
- Reference architecture: up to 3,000 users
- Reference architecture: up to 5,000 users
- Reference architecture: up to 10,000 users
- Reference architecture: up to 25,000 users
- Reference architecture: up to 50,000 users
- Troubleshooting a reference architecture set up
- Working with the bundled Consul service
- Configuring PostgreSQL for scaling
- Configuring GitLab application (Rails)
- Load Balancer for multi-node GitLab
- Configuring a Monitoring node for Scaling and High Availability
- NFS
- Working with the bundled PgBouncer service
- Configuring Redis for scaling
- Configuring Sidekiq
- Admin Area settings
- Continuous Integration and Deployment Admin settings
- Custom instance-level project templates
- Diff limits administration
- Enable and disable GitLab features deployed behind feature flags
- Geo nodes Admin Area
- GitLab Pages administration
- Health Check
- Job logs
- Labels administration
- Log system
- PlantUML & GitLab
- Repository checks
- Repository storage paths
- Repository storage types
- Account and limit settings
- Service templates
- System hooks
- Changing your time zone
- Uploads administration
- Abuse reports
- Activating and deactivating users
- Audit Events
- Blocking and unblocking users
- Broadcast Messages
- Elasticsearch integration
- Gitaly
- Gitaly Cluster
- Gitaly reference
- Monitoring GitLab
- Monitoring GitLab with Prometheus
- Performance Bar
- Usage statistics
- Object Storage
- Performing Operations in GitLab
- Cleaning up stale Redis sessions
- Fast lookup of authorized SSH keys in the database
- Filesystem Performance Benchmarking
- Moving repositories managed by GitLab
- Run multiple Sidekiq processes
- Sidekiq MemoryKiller
- Switching to Puma
- Understanding Unicorn and unicorn-worker-killer
- User lookup via OpenSSH's AuthorizedPrincipalsCommand
- GitLab Package Registry administration
- GitLab Container Registry administration
- Replication (Geo)
- Geo database replication
- Geo with external PostgreSQL instances
- Geo configuration
- Using a Geo Server
- Updating the Geo nodes
- Geo with Object storage
- Docker Registry for a secondary node
- Geo for multiple nodes
- Geo security review (Q&A)
- Location-aware Git remote URL with AWS Route53
- Tuning Geo
- Removing secondary Geo nodes
- Geo data types support
- Geo Frequently Asked Questions
- Geo Troubleshooting
- Geo validation tests
- Disaster Recovery (Geo)
- Disaster recovery for planned failover
- Bring a demoted primary node back online
- Automatic background verification
- Rake tasks
- Back up and restore GitLab
- Clean up
- Namespaces
- Maintenance Rake tasks
- Geo Rake Tasks
- GitHub import
- Import bare repositories
- Integrity check Rake task
- LDAP Rake tasks
- Listing repository directories
- Praefect Rake tasks
- Project import/export administration
- Repository storage Rake tasks
- Generate sample Prometheus data
- Uploads migrate Rake tasks
- Uploads sanitize Rake tasks
- User management
- Webhooks administration
- X.509 signatures
- Server hooks
- Static objects external storage
- Updating GitLab
- GitLab release and maintenance policy
- Security
- Password Storage
- Custom password length limits
- Restrict allowed SSH key technologies and minimum length
- Rate limits
- Webhooks and insecure internal web services
- Information exclusivity
- How to reset your root password
- How to unlock a locked user from the command line
- User File Uploads
- How we manage the TLS protocol CRIME vulnerability
- User email confirmation at sign-up
- Security of running jobs
- Proxying assets
- CI/CD Environment Variables
- Contributor and Development Docs
- Contribute to GitLab
- Community members & roles
- Implement design & UI elements
- Issues workflow
- Merge requests workflow
- Code Review Guidelines
- Style guides
- GitLab Architecture Overview
- CI/CD development documentation
- Database guides
- Database Review Guidelines
- Database Review Guidelines
- Migration Style Guide
- What requires downtime?
- Understanding EXPLAIN plans
- Rake tasks for developers
- Mass inserting Rails models
- GitLab Documentation guidelines
- Documentation Style Guide
- Documentation structure and template
- Documentation process
- Documentation site architecture
- Global navigation
- GitLab Docs monthly release process
- Telemetry Guide
- Usage Ping Guide
- Snowplow Guide
- Experiment Guide
- Feature flags in development of GitLab
- Feature flags process
- Developing with feature flags
- Feature flag controls
- Document features deployed behind feature flags
- Frontend Development Guidelines
- Accessibility & Readability
- Ajax
- Architecture
- Axios
- Design Patterns
- Frontend Development Process
- DropLab
- Emojis
- Filter
- Frontend FAQ
- GraphQL
- Icons and SVG Illustrations
- InputSetter
- Performance
- Principles
- Security
- Tooling
- Vuex
- Vue
- Geo (development)
- Geo self-service framework (alpha)
- Gitaly developers guide
- GitLab development style guides
- API style guide
- Go standards and style guidelines
- GraphQL API style guide
- Guidelines for shell commands in the GitLab codebase
- HTML style guide
- JavaScript style guide
- Migration Style Guide
- Newlines style guide
- Python Development Guidelines
- SCSS style guide
- Shell scripting standards and style guidelines
- Sidekiq debugging
- Sidekiq Style Guide
- SQL Query Guidelines
- Vue.js style guide
- Instrumenting Ruby code
- Testing standards and style guidelines
- Flaky tests
- Frontend testing standards and style guidelines
- GitLab tests in the Continuous Integration (CI) context
- Review Apps
- Smoke Tests
- Testing best practices
- Testing levels
- Testing Rails migrations at GitLab
- Testing Rake tasks
- End-to-end Testing
- Beginner's guide to writing end-to-end tests
- End-to-end testing Best Practices
- Dynamic Element Validation
- Flows in GitLab QA
- Page objects in GitLab QA
- Resource class in GitLab QA
- Style guide for writing end-to-end tests
- Testing with feature flags
- Translate GitLab to your language
- Internationalization for GitLab
- Translating GitLab
- Proofread Translations
- Merging translations from CrowdIn
- Value Stream Analytics development guide
- GitLab subscription
- Activate GitLab EE with a license