All AI-generated code must be submitted to GitLab China for security scanning to ensure code quality and compliance.

⚠️ Mandatory Requirement

All AI-assisted code, regardless of the tool used (LingMa, CodeBuddy, TRAE, CodeRider, OpenCode, etc.), must be committed to a GitLab China repository and pass automated security scans via CI/CD Pipeline before merging.

🦊 GitLab China →

🔄 AI Code Security Workflow

1. Generate or modify code using AI tools
2. Commit code to GitLab China repository
3. CI/CD Pipeline automatically triggers security scans
4. Review security reports and fix vulnerabilities
5. Merge code after passing security review ✓
πŸ›‘οΈ GitLab Security Features
πŸ”
Static Application Security Testing (SAST)

Analyzes source code without execution to detect SQL injection, XSS, hardcoded secrets, insecure cryptography, and more. GitLab natively supports Semgrep, SpotBugs, Gosec, and other analyzers covering 20+ languages.

⚡ Dynamic Application Security Testing (DAST)

Black-box testing of running applications simulating real attack scenarios to detect runtime vulnerabilities like auth bypass, session flaws, and SSRF. GitLab DAST is powered by OWASP ZAP with API and web app scanning support.

📦 Dependency Scanning

Automatically scans third-party libraries and components for known CVE vulnerabilities. Supports npm, pip, Maven, Go modules, and other major package managers.

🔑 Secret Detection

Scans repositories for accidentally committed API keys, tokens, passwords, and other sensitive credentials. Especially critical for AI-generated code.

🐳 Container Scanning

Scans Docker images for OS and application-layer vulnerabilities to ensure deployed container images are secure.

📜 License Compliance

Automatically identifies open-source license types in project dependencies, detects license conflicts, and ensures AI-generated code dependencies meet enterprise compliance requirements.

📊 Security Dashboard

Provides a unified vulnerability view at project and group levels with full lifecycle management including severity grading, assignment, tracking, and fix verification.
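The workflow and scanner list above describe what the pipeline must do, but not how a project turns the scanners on. The `.gitlab-ci.yml` below is an added example (not from the original page, and not GitLab's or the organisation's own configuration) that enables SAST, Secret Detection, Dependency Scanning, Container Scanning and DAST through GitLab's stock CI templates. The `DAST_WEBSITE` host is a placeholder, and `CS_IMAGE` assumes a build stage (not shown) pushes the application image under that tag.

```yaml
# .gitlab-ci.yml (added example, not from the original page or from GitLab)
# Turns on the GitLab security scanners described above for this project.
stages:
  - build
  - test
  - deploy
  - dast          # DAST runs after deploy, against a running instance

include:
  # Static analysis of source for injection, XSS, hardcoded secrets, weak crypto.
  - template: Security/SAST.gitlab-ci.yml
  # Committed API keys, tokens and passwords.
  - template: Security/Secret-Detection.gitlab-ci.yml
  # Known CVEs in third-party packages; on current GitLab releases this
  # report also supplies the license data used by License Compliance.
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  # OS and application-layer findings in the built image.
  - template: Security/Container-Scanning.gitlab-ci.yml
  # Black-box scan of the running application (OWASP ZAP based).
  - template: Security/DAST.gitlab-ci.yml

variables:
  # Scan the branch's full history, so a secret committed and then
  # "removed" in a follow-up commit is still reported.
  SECRET_DETECTION_HISTORIC_SCAN: "true"
  # Image produced and pushed by the build stage (build job not shown here).
  CS_IMAGE: "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
  # Review-app URL for this branch; placeholder host, not a real endpoint.
  DAST_WEBSITE: "https://review-$CI_COMMIT_REF_SLUG.example.internal"
  # Paths the SAST analyzers skip (tests, temp files, vendored code).
  SAST_EXCLUDED_PATHS: "spec, test, tests, tmp, vendor"
```

The templates add their jobs to the `test` and `dast` stages and publish findings to the merge request and the Security Dashboard, but on their own they only report. Step 5 of the workflow (no merge until the security review passes) is enforced separately, with a merge request approval policy under the project's security policies, so that unresolved Critical/High findings require approval before the merge button is available.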

⚠️ Artifact Repository Mandatory Requirement

All third-party packages, libraries, Docker images, and binaries referenced in code must originate exclusively from Artifactory China. Direct pulls from public registries (npm, PyPI, Maven Central, Docker Hub, etc.) are strictly prohibited. All artifacts must pass JFrog Xray security scanning.

🐸 Artifactory China →

🔄 Artifact Security Workflow

1. Configure project to use Artifactory China as sole package source
2. Pull all dependencies from Artifactory during build
3. Xray automatically scans all artifacts and dependencies
4. Non-compliant artifacts automatically blocked
5. Scanned artifacts cleared for production deployment ✓
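Step 1 of the workflow (Artifactory as the sole package source) is where projects most often slip: a developer's `.npmrc` is fixed but the lockfile, the Dockerfile or the CI image still resolve from a public registry. The fragment below is an added example, not from the original page and not the organisation's own pipeline configuration. `artifactory.example.internal` and the repository names (`npm-remote`, `pypi-remote`, `docker-remote`) are placeholders that follow JFrog's usual URL layout; substitute the real Artifactory China endpoints. The last job fails the pipeline if any manifest, lockfile or Dockerfile still references a public registry.

```yaml
# .gitlab-ci.yml fragment (added example, not from the original page).
# Every host and repository name below is a placeholder for Artifactory China.
variables:
  # npm and pip read these environment variables, so builds never contact
  # registry.npmjs.org or pypi.org directly (placeholder host).
  NPM_CONFIG_REGISTRY: "https://artifactory.example.internal/artifactory/api/npm/npm-remote/"
  PIP_INDEX_URL: "https://artifactory.example.internal/artifactory/api/pypi/pypi-remote/simple"

default:
  # CI base image comes from the Artifactory Docker remote, not Docker Hub.
  image: artifactory.example.internal/docker-remote/node:20

check-artifact-sources:
  stage: test
  script:
    # Fail fast if any manifest, lockfile or Dockerfile still points at a
    # public registry; these files are where a stale public URL survives
    # after the package-manager config has been switched to Artifactory.
    - |
      if grep -rEn "registry\.npmjs\.org|pypi\.org|repo\.maven\.apache\.org|docker\.io" \
           --include=package-lock.json --include=package.json \
           --include=requirements*.txt --include=pom.xml --include=Dockerfile . ; then
        echo "Public registry reference found; pull from Artifactory China instead"
        exit 1
      fi
```

The grep job is a project-side guard; it complements, rather than replaces, the Xray policies described in the next section, which block non-compliant artifacts at the repository regardless of how a build asked for them.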
🐸 JFrog Artifactory & Xray

📦 Unified Artifact Repository

Artifactory serves as the single enterprise artifact management platform, managing npm, PyPI, Maven, NuGet, Go, Docker, Helm, and all package types. Remote repositories proxy and cache public sources, ensuring build reproducibility and supply chain security.

🔬 Xray Security Scanning

JFrog Xray performs deep recursive scanning of all artifacts in Artifactory, detecting known CVE vulnerabilities, malicious packages, and license compliance issues. Supports custom security policies to automatically block non-compliant artifact downloads and deployments.

📋 Security Policies & Compliance

Through Xray's Watch and Policy mechanisms, set vulnerability severity thresholds (e.g., block Critical/High severity artifacts), license allow/deny lists, and custom rules for automated security compliance governance.

📄 SBOM (Software Bill of Materials)

Automatically generates Software Bill of Materials tracking complete dependency trees, vulnerability status, and license information for every artifact, meeting supply chain security audit requirements.