
Compliance frameworks

Tier: Premium, Ultimate. Offering: GitLab.com, Self-managed, GitLab Dedicated.

You can create a compliance framework, which is a label that identifies that your project has certain compliance requirements or needs additional oversight.

In the Ultimate tier, the compliance framework can optionally enforce compliance pipeline configuration and security policies on the projects to which it is applied.

Compliance frameworks are created on top-level groups. If a project is moved outside of its existing top-level group, its frameworks are removed.

You can apply up to 20 compliance frameworks to each project.

Prerequisites

  • To create, edit, and delete compliance frameworks, users must have either:
  • To add or remove a compliance framework to or from a project, the group to which the project belongs must have a compliance framework.

Create, edit, or delete a compliance framework

You can create, edit, or delete a compliance framework from a compliance framework report. For more information, see:

You can create, edit, or delete a compliance framework from a compliance projects report. For more information, see:

Subgroups and projects have access to all compliance frameworks created on their top-level group. However, compliance frameworks cannot be created, edited, or deleted at the subgroup or project level. Project owners can choose a framework to apply to their projects.

Apply a compliance framework to a project

  • Assigning multiple compliance frameworks introduced in GitLab 17.3.

You can apply multiple compliance frameworks to a project but cannot apply compliance frameworks to projects in personal namespaces.

To apply a compliance framework to a project, apply the compliance framework through the Compliance projects report.

You can use the GraphQL API to apply a compliance framework to a project.

If you create compliance frameworks on subgroups with GraphQL, the framework is created on the root ancestor if the user has the correct permissions. The GitLab UI presents a read-only view to discourage this behavior.

Default compliance frameworks

Group owners can set a default compliance framework. The default framework is applied to all new and imported projects that are created in that group. It does not affect the framework applied to existing projects. The default framework cannot be deleted.

A compliance framework that is set to default has a default label.

Set and remove a default by using the compliance center

To set a framework as default (or remove the default) from the compliance projects report:

  1. On the left sidebar, select Search or go to and find your group.
  2. Select Secure > Compliance center.
  3. On the page, select the Projects tab.
  4. Hover over a compliance framework and select the Edit Framework tab.
  5. Select Set as default.
  6. Select Save changes.

To set a framework as default (or remove the default) from the compliance framework report:

  1. On the left sidebar, select Search or go to and find your group.
  2. Select Secure > Compliance center.
  3. On the page, select the Frameworks tab.
  4. Hover over a compliance framework and select the Edit Framework tab.
  5. Select Set as default.
  6. Select Save changes.

Remove a compliance framework from a project

To remove a compliance framework from one or multiple projects in a group, remove the compliance framework through the Compliance projects report.