Compliance violations report
DETAILS: Tier: Ultimate. Offering: GitLab.com, Self-managed, GitLab Dedicated.
- Renamed to compliance violations report in GitLab 15.9.
- Ability to create and edit compliance frameworks introduced in GitLab 16.0.
With the compliance violations report, you can see a high-level view of merge request activity for all projects in the group.
When you select a row in the compliance violations report, a drawer appears that provides:
- The project name and compliance framework label, if the project has one assigned.
- A link to the merge request that introduced the violation.
- The merge request's branch path in the format [source] into [target].
- A list of users that committed changes to the merge request.
- A list of users that commented on the merge request.
- A list of users that approved the merge request.
- The user that merged the merge request.
View the compliance violations report for a group
- Target branch search introduced in GitLab 16.0.
Prerequisites:
- You must be an administrator or have the Owner role for the group.
To view the compliance violations report:
- On the left sidebar, select Search or go to and find your group.
- Select Secure > Compliance center.
You can sort the compliance violations report on:
- Severity level.
- Type of violation.
- Merge request title.
You can filter the compliance violations report on:
- The project that the violation was found on.
- The date range of the violation.
- The target branch of the violation.
Select a row to see details of the compliance violation.
Severity levels
Each compliance violation has one of the following severities.
Icon | Severity level |
---|---|
{severity-critical} | Critical |
{severity-high} | High |
{severity-medium} | Medium |
{severity-low} | Low |
{severity-info} | Info |
Violation types
From GitLab 14.10, these are the available compliance violations.
Violation | Severity level | Category | Description |
---|---|---|---|
Author approved merge request | High | Separation of duties | Author of the merge request approved their own merge request. For more information, see Prevent approval by author. |
Committers approved merge request | High | Separation of duties | Committers of the merge request approved the merge request they contributed to. For more information, see Prevent approvals by users who add commits. |
Fewer than two approvals | High | Separation of duties | Merge request was merged with fewer than two approvals. For more information, see Merge request approval rules. |
Separation of duties
GitLab supports a separation of duties policy between users who create and approve merge requests. Our criteria for the separation of duties are:
- A merge request author is not allowed to approve their merge request.
- A merge request committer is not allowed to approve a merge request they have added commits to.
- The minimum number of approvals required to merge a merge request is at least two.
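The three criteria above, applied as an audit check over merged merge requests. This is an added example, not GitLab's code: the `MergedMR` record and its field names are hypothetical, the sample data is constructed, and evaluating each criterion independently is an assumption.

```python
from dataclasses import dataclass

MIN_APPROVALS = 2  # "at least two" per the criteria above

# Violation names and severities copied from the "Violation types" table.
AUTHOR_APPROVED = "Author approved merge request"
COMMITTERS_APPROVED = "Committers approved merge request"
FEWER_THAN_TWO = "Fewer than two approvals"
SEVERITY = {AUTHOR_APPROVED: "High", COMMITTERS_APPROVED: "High", FEWER_THAN_TWO: "High"}


@dataclass(frozen=True)
class MergedMR:
    """Hypothetical record of a merged MR; field names are assumptions."""
    title: str
    author: str
    committers: frozenset
    approvers: frozenset  # a set, so repeated approvals by one user count once
    target_branch: str = "main"


def violations(mr: MergedMR) -> list:
    """Return the violation types from the table that apply to one merged MR."""
    found = []
    if mr.author in mr.approvers:
        found.append(AUTHOR_APPROVED)
    # Any approver who also added commits breaks the second criterion.
    if mr.committers & mr.approvers:
        found.append(COMMITTERS_APPROVED)
    if len(mr.approvers) < MIN_APPROVALS:
        found.append(FEWER_THAN_TWO)
    return found


def report(mrs):
    """Flatten to (title, violation, severity) rows, one row per violation."""
    return [(mr.title, v, SEVERITY[v]) for mr in mrs for v in violations(mr)]


# Constructed sample data, not taken from a real group.
SAMPLE = [
    MergedMR("Rotate deploy key", "alice", frozenset({"alice"}), frozenset({"bob", "carol"})),
    MergedMR("Bump base image", "alice", frozenset({"alice"}), frozenset({"alice", "bob"})),
    MergedMR("Fix CI cache", "dave", frozenset({"dave", "erin"}), frozenset({"erin"})),
    MergedMR("Hotfix login", "frank", frozenset({"frank"}), frozenset()),
]

if __name__ == "__main__":
    for row in report(SAMPLE):
        print(" | ".join(row))
```

A single merge request can produce several rows: an author who also committed and then approved trips the first two criteria at once.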
Export a report of merge request compliance violations on projects in a group
- Introduced in GitLab 16.4 with a flag named compliance_violation_csv_export. Disabled by default.
- Enabled on GitLab.com and self-managed in GitLab 16.5.
- Feature flag compliance_violation_csv_export removed in GitLab 16.9.
Export a report of merge request compliance violations on merge requests belonging to projects in a group. Reports:
- Do not use filters on the violations report.
- Are truncated at 15 MB so the email attachment is not too large.
Prerequisites:
- You must be an administrator or have the Owner role for the group.
To export a report of merge request compliance violations for projects in a group:
- On the left sidebar, select Search or go to and find your group.
- Select Secure > Compliance center.
- In the top-right corner, select Export.
- Select Export violations report.
A report is compiled and delivered to your email inbox as an attachment.