The following page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features or functionality remain at the sole discretion of GitLab Inc.
In early 2021, we witnessed the co-evolution of cryptomining and CI, in which free SaaS continuous integration platforms were seriously compromised by cryptocurrency mining attacks. GitLab was no exception to this industry-wide experience, and we instrumented a few practices to mitigate abuse on GitLab.com, which impacts the experience of free and trial users.
Going forward, we needed a more proactive approach to monitoring, detecting, evaluating, preventing, and reacting to pipeline abuse. Traditionally, a product category is a single product group area with one engineering team. Because this problem cuts across groups, we funded a cross-cutting Abuse group and created this Instance Resiliency category as part of our Anti-Abuse stage.
Pipeline Abuse Prevention is focused on the proactive mitigation of CI abuse to ensure acceptable tolerances of business impact and human cost are not exceeded.
Many issues are intentionally confidential despite our value of transparency, because we don't want to reveal the exact details of our controls to abusers. We aren't relying on "security by obscurity"; however, we also don't want to make the abusers' job easier.
For specific information related to spam and abuse reduction initiatives, check out Trust and Safety.
We rely on several teams to make this program successful:
| DRI | EM | Trust & Safety | AppSec | Fulfillment PM | Engineering |
|---|---|---|---|---|---|
| Sam White | Jay Swain | Charl de Wit | Nick Malcolm | Justin Farris | Stan Hu |
- Anti-Abuse - Anything related to preventing abuse
- Fulfillment - Anything related to the collection and validation of credit cards/debit cards
- Verify - Anything related to triggering credit card/debit card validation
There are four areas of focus for Pipeline Abuse Prevention:
| Area of focus | Dashboard |
|---|---|
| Identity Verification | Dashboard |
| Pipeline Validation Service, which has rules that catch certain coding behaviors to stop bad actors before pipelines are run | Dashboard |
| Quota of compute minutes enforcement and limits across various levels of GitLab.com | Dashboard |
Identity verification at signup is an effort to identify users who have previously been banned and ensure those users are blocked from signing up for additional accounts.
We are also looking at instrumenting further methods of abuse control, including:
1. Abuse tracking controls, including a confidential issue
As of 13.12, we have instrumented enforcement of limits in private projects: pipelines now fail when the quota of compute minutes is exceeded.
Up next, we are iterating toward enforcement across public projects by introducing limits for new public projects, while also taking into account how this impacts our Open Source projects in gitlab#330888.
This effort will then be expanded to all free, public users via gitlab#254231, where we also hope to instrument counting of compute minutes via gitlab#254231.
Cryptomining is impacting free CI providers industry-wide. GitHub has added several features to help combat bad actors in the wake of this shake-up, including:
The priority list for Instance Resiliency is maintained here.
Last Reviewed: 2023-02-01
Last Updated: 2023-02-01