Gitlab Security

  1. I have a finding from auditors saying that admins can change project settings. My question is, where are Gitlab Audit Events stored and are administrators able to alter audit event logs?

  2. What can I do to validate whether the source code as approved on Gitlab matches what is ultimately deployed on Artifactory?

  1. I have a finding from auditors saying that admins can change project settings. My question is, where are Gitlab Audit Events stored and are administrators able to alter audit event logs?

The audit events should be recorded in the GitLab-configured PostgreSQL database, just like most other persisted information you observe on other pages.

The audit events do not present any UI or API on the web service for users (including admins) to make changes.

  2. What can I do to validate whether the source code as approved on Gitlab matches what is ultimately deployed on Artifactory?

I’m not quite sure what you mean here. Does Artifactory serve the source code, or the builds? Since builds are more than just the sources, or even the sources compiled, perhaps producing an artifact in the build job that carries the resultant file’s checksums may be useful here. This can later be used to compare against published/downloaded files of the build from elsewhere.
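One way to do the checksum-artifact comparison suggested above, as an added example that is not from the original thread or from GitLab/Artifactory: a job script writes a SHA-256 manifest of the build outputs (kept as a CI artifact), and the same script later verifies files pulled from the artifact repository against that manifest. The `dist` output directory and `SHA256SUMS` file name are assumptions.

```shell
#!/bin/sh
# Constructed example: checksum manifest as a build artifact, then
# verification of downloaded files against it. The output directory
# name and manifest name are assumptions, not GitLab/Artifactory conventions.
set -eu

# Portable SHA-256 of one file: coreutils sha256sum, else shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# make_manifest DIR MANIFEST
# Writes "<sha256>  <relative path>" for every regular file under DIR.
# In a GitLab CI job, MANIFEST would be listed under artifacts:paths so it
# is retained next to the build (assumption: the build writes into DIR).
make_manifest() {
    dir=$1; manifest=$2
    : > "$manifest"
    ( cd "$dir" && find . -type f | sort ) | while read -r rel; do
        rel=${rel#./}
        printf '%s  %s\n' "$(sha256_of "$dir/$rel")" "$rel" >> "$manifest"
    done
}

# verify_manifest DIR MANIFEST
# Succeeds only if every file listed in MANIFEST exists under DIR with the
# recorded digest; each missing or altered file is reported on stderr.
verify_manifest() {
    dir=$1; manifest=$2; failures=0
    while read -r expected rel; do
        [ -n "$rel" ] || continue
        if [ ! -f "$dir/$rel" ]; then
            echo "MISSING  $rel" >&2; failures=$((failures + 1)); continue
        fi
        actual=$(sha256_of "$dir/$rel")
        if [ "$actual" != "$expected" ]; then
            echo "MISMATCH $rel" >&2; failures=$((failures + 1))
        fi
    done < "$manifest"
    [ "$failures" -eq 0 ]
}
```

A typical flow is `make_manifest dist SHA256SUMS` in the build job and `verify_manifest ./downloaded SHA256SUMS` wherever the published build is fetched; note the manifest only proves the downloaded bytes equal what the job produced, not that the job built the approved commit, so pair it with the pipeline's recorded commit SHA.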

We are using Gitlab for source control and Artifactory for the builds?