debian-mirror-gitlab/doc/user/project/issues/confidential_issues.md

---
stage: Plan
group: Project Management
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
---

# Confidential issues

> [Introduced](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/3282) in GitLab 8.6.

Confidential issues are issues visible only to members of a project with
[sufficient permissions](#permissions-and-access-to-confidential-issues).
Confidential issues can be used by open source projects and companies alike to
keep security vulnerabilities private or prevent surprises from leaking out.

## Making an issue confidential

You can make an issue confidential during issue creation or by editing
an existing one.

When you create a new issue, a checkbox right below the text area is available
to mark the issue as confidential. Check that box and hit the **Create issue**
button to create the issue. For existing issues, edit them, check the
confidential checkbox and hit **Save changes**.

![Creating a new confidential issue](img/confidential_issues_create.png)

## Modifying issue confidentiality

There are two ways to change an issue's confidentiality.

The first way is to edit the issue and toggle the confidentiality checkbox.
After you save the issue, the confidentiality of the issue is updated.

The second way is to locate the Confidentiality section in the sidebar and click
**Edit**. A popup should appear and give you the option to turn on or turn off confidentiality.

| Turn off confidentiality | Turn on confidentiality |
| :-----------: | :----------: |
| ![Turn off confidentiality](img/turn_off_confidentiality.png) | ![Turn on confidentiality](img/turn_on_confidentiality.png) |

Every change from regular to confidential and vice versa, is indicated by a
system note in the issue's comments.

![Confidential issues system notes](img/confidential_issues_system_notes.png)

## Indications of a confidential issue

There are a few things that visually separate a confidential issue from a
regular one. In the issues index page view, you can see the eye-slash icon
next to the issues that are marked as confidential.

![Confidential issues index page](img/confidential_issues_index_page.png)

If you don't have [enough permissions](#permissions-and-access-to-confidential-issues),
you cannot see confidential issues at all.

---

Likewise, while inside the issue, you can see the eye-slash icon right next to
the issue number. There is also an indicator in the comment area that the
issue you are commenting on is confidential.

![Confidential issue page](img/confidential_issues_issue_page.png)

There is also an indicator on the sidebar denoting confidentiality.

| Confidential issue | Not confidential issue |
| :-----------: | :----------: |
| ![Sidebar confidential issue](img/sidebar_confidential_issue.png) | ![Sidebar not confidential issue](img/sidebar_not_confidential_issue.png) |

## Permissions and access to confidential issues

There are two kinds of level access for confidential issues. The general rule
is that confidential issues are visible only to members of a project with at
least [Reporter access](../../permissions.md#project-members-permissions). However, a guest user can also create
confidential issues, but can only view the ones that they created themselves.

Confidential issues are also hidden in search results for unprivileged users.
For example, here's what a user with Maintainer and Guest access sees in the
project's search results respectively.

| Maintainer access | Guest access |
| :-----------: | :----------: |
| ![Confidential issues search by maintainer](img/confidential_issues_search_master.png) | ![Confidential issues search by guest](img/confidential_issues_search_guest.png) |

## Merge Requests for Confidential Issues

> [Introduced](https://gitlab.com/gitlab-org/gitlab-foss/-/issues/58583) in GitLab 12.1.

To help prevent confidential information being leaked from a public project
in the process of resolving a confidential issue, confidential issues can be
resolved by creating a merge request from a private fork.

The created merge request targets the default branch of the private fork,
not the default branch of the public upstream project. This prevents the merge
request, branch, and commits entering the public repository, and revealing
confidential information prematurely. To make a confidential commit public,
open a merge request from the private fork to the public upstream project.

Permissions are inherited from parent groups. Developers have the same permissions
for private forks created in the same group or in a subgroup of the original
Permissions are inherited from parent groups. When private forks are created
in the same group or subgroup as the original upstream repository, users
receive the same permissions in both projects. This inheritance ensures
Developer users have the needed permissions to both view confidential issues and
resolve them.

### How it works

On a confidential issue, a **Create confidential merge request** button is
available. Clicking on it opens a dropdown where you can choose to
**Create confidential merge request and branch** or **Create branch**:

| Create confidential merge request | Create branch |
| :-------------------------------: | :-----------: |
| ![Create Confidential Merge Request Dropdown](img/confidential_mr_dropdown_v12_1.png) | ![Create Confidential Branch Dropdown](img/confidential_mr_branch_dropdown_v12_1.png) |

The **Project** dropdown includes the list of private forks the user is a member
of as at least a Developer and merge requests are enabled.

Whenever the **Branch name** and **Source (branch or tag)** fields change, the
availability of the target and source branch are checked. Both branches should
be available in the selected private fork.

By clicking the **Create confidential merge request** button, GitLab creates
the branch and merge request in the private fork. When you choose
**Create branch**, GitLab creates only the branch.

After the branch is created in the private fork, developers can push code to
that branch to fix the confidential issue.
New upstream version 13.1.0 2020-06-23 00:09:42 +05:30			`---`
			`stage: Plan`
			`group: Project Management`
New upstream version 13.7.7 2021-02-22 17:27:13 +05:30			`info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments`
New upstream version 13.1.0 2020-06-23 00:09:42 +05:30			`---`

New upstream version 9.2.10+dfsg 2017-08-17 22:00:37 +05:30			`# Confidential issues`

New upstream version 12.8.6 2020-03-13 15:44:24 +05:30			`> [Introduced](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/3282) in GitLab 8.6.`
New upstream version 9.2.10+dfsg 2017-08-17 22:00:37 +05:30
			`Confidential issues are issues visible only to members of a project with`
			`[sufficient permissions](#permissions-and-access-to-confidential-issues).`
			`Confidential issues can be used by open source projects and companies alike to`
			`keep security vulnerabilities private or prevent surprises from leaking out.`

			`## Making an issue confidential`

New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30			`You can make an issue confidential during issue creation or by editing`
New upstream version 9.2.10+dfsg 2017-08-17 22:00:37 +05:30			`an existing one.`

			`When you create a new issue, a checkbox right below the text area is available`
New upstream version 13.11.2+ds1 2021-04-29 21:17:54 +05:30			`to mark the issue as confidential. Check that box and hit the Create issue`
New upstream version 9.2.10+dfsg 2017-08-17 22:00:37 +05:30			`button to create the issue. For existing issues, edit them, check the`
			`confidential checkbox and hit Save changes.`

			`![Creating a new confidential issue](img/confidential_issues_create.png)`

New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30			`## Modifying issue confidentiality`
New upstream version 9.2.10+dfsg 2017-08-17 22:00:37 +05:30
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30			`There are two ways to change an issue's confidentiality.`

New upstream version 13.8.5+ds1 2021-03-08 18:12:59 +05:30			`The first way is to edit the issue and toggle the confidentiality checkbox.`
			`After you save the issue, the confidentiality of the issue is updated.`
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30
			`The second way is to locate the Confidentiality section in the sidebar and click`
			`Edit. A popup should appear and give you the option to turn on or turn off confidentiality.`

			`\| Turn off confidentiality \| Turn on confidentiality \|`
			`\| :-----------: \| :----------: \|`
			`\| ![Turn off confidentiality](img/turn_off_confidentiality.png) \| ![Turn on confidentiality](img/turn_on_confidentiality.png) \|`
New upstream version 9.2.10+dfsg 2017-08-17 22:00:37 +05:30
			`Every change from regular to confidential and vice versa, is indicated by a`
			`system note in the issue's comments.`

			`![Confidential issues system notes](img/confidential_issues_system_notes.png)`

			`## Indications of a confidential issue`

			`There are a few things that visually separate a confidential issue from a`
			`regular one. In the issues index page view, you can see the eye-slash icon`
			`next to the issues that are marked as confidential.`

			`![Confidential issues index page](img/confidential_issues_index_page.png)`

New upstream version 13.8.5+ds1 2021-03-08 18:12:59 +05:30			`If you don't have [enough permissions](#permissions-and-access-to-confidential-issues),`
			`you cannot see confidential issues at all.`

New upstream version 9.2.10+dfsg 2017-08-17 22:00:37 +05:30			`---`

			`Likewise, while inside the issue, you can see the eye-slash icon right next to`
New upstream version 13.8.5+ds1 2021-03-08 18:12:59 +05:30			`the issue number. There is also an indicator in the comment area that the`
New upstream version 9.2.10+dfsg 2017-08-17 22:00:37 +05:30			`issue you are commenting on is confidential.`

			`![Confidential issue page](img/confidential_issues_issue_page.png)`

New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30			`There is also an indicator on the sidebar denoting confidentiality.`

			`\| Confidential issue \| Not confidential issue \|`
			`\| :-----------: \| :----------: \|`
			`\| ![Sidebar confidential issue](img/sidebar_confidential_issue.png) \| ![Sidebar not confidential issue](img/sidebar_not_confidential_issue.png) \|`

New upstream version 9.2.10+dfsg 2017-08-17 22:00:37 +05:30			`## Permissions and access to confidential issues`

			`There are two kinds of level access for confidential issues. The general rule`
			`is that confidential issues are visible only to members of a project with at`
New upstream version 11.10.8+dfsg 2019-07-07 11:18:12 +05:30			`least [Reporter access](../../permissions.md#project-members-permissions). However, a guest user can also create`
New upstream version 9.2.10+dfsg 2017-08-17 22:00:37 +05:30			`confidential issues, but can only view the ones that they created themselves.`

			`Confidential issues are also hidden in search results for unprivileged users.`
New upstream version 11.1.8+dfsg 2018-11-08 19:23:39 +05:30			`For example, here's what a user with Maintainer and Guest access sees in the`
New upstream version 9.2.10+dfsg 2017-08-17 22:00:37 +05:30			`project's search results respectively.`

New upstream version 11.1.8+dfsg 2018-11-08 19:23:39 +05:30			`\| Maintainer access \| Guest access \|`
New upstream version 9.2.10+dfsg 2017-08-17 22:00:37 +05:30			`\| :-----------: \| :----------: \|`
New upstream version 13.8.5+ds1 2021-03-08 18:12:59 +05:30			`\| ![Confidential issues search by maintainer](img/confidential_issues_search_master.png) \| ![Confidential issues search by guest](img/confidential_issues_search_guest.png) \|`
New upstream version 12.2.8 2019-10-12 21:52:04 +05:30
			`## Merge Requests for Confidential Issues`

New upstream version 13.1.0 2020-06-23 00:09:42 +05:30			`> [Introduced](https://gitlab.com/gitlab-org/gitlab-foss/-/issues/58583) in GitLab 12.1.`
New upstream version 12.2.8 2019-10-12 21:52:04 +05:30
			`To help prevent confidential information being leaked from a public project`
			`in the process of resolving a confidential issue, confidential issues can be`
			`resolved by creating a merge request from a private fork.`

New upstream version 13.8.5+ds1 2021-03-08 18:12:59 +05:30			`The created merge request targets the default branch of the private fork,`
New upstream version 12.2.8 2019-10-12 21:52:04 +05:30			`not the default branch of the public upstream project. This prevents the merge`
			`request, branch, and commits entering the public repository, and revealing`
New upstream version 13.8.5+ds1 2021-03-08 18:12:59 +05:30			`confidential information prematurely. To make a confidential commit public,`
			`open a merge request from the private fork to the public upstream project.`
New upstream version 12.2.8 2019-10-12 21:52:04 +05:30
New upstream version 13.8.5+ds1 2021-03-08 18:12:59 +05:30			`Permissions are inherited from parent groups. Developers have the same permissions`
New upstream version 13.9.3+ds1 2021-03-11 19:13:27 +05:30			`for private forks created in the same group or in a subgroup of the original`
New upstream version 13.8.5+ds1 2021-03-08 18:12:59 +05:30			`Permissions are inherited from parent groups. When private forks are created`
New upstream version 13.9.3+ds1 2021-03-11 19:13:27 +05:30			`in the same group or subgroup as the original upstream repository, users`
New upstream version 13.8.5+ds1 2021-03-08 18:12:59 +05:30			`receive the same permissions in both projects. This inheritance ensures`
			`Developer users have the needed permissions to both view confidential issues and`
			`resolve them.`
New upstream version 12.2.8 2019-10-12 21:52:04 +05:30
			`### How it works`

			`On a confidential issue, a Create confidential merge request button is`
New upstream version 13.8.5+ds1 2021-03-08 18:12:59 +05:30			`available. Clicking on it opens a dropdown where you can choose to`
New upstream version 12.2.8 2019-10-12 21:52:04 +05:30			`Create confidential merge request and branch or Create branch:`

			`\| Create confidential merge request \| Create branch \|`
			`\| :-------------------------------: \| :-----------: \|`
			`\| ![Create Confidential Merge Request Dropdown](img/confidential_mr_dropdown_v12_1.png) \| ![Create Confidential Branch Dropdown](img/confidential_mr_branch_dropdown_v12_1.png) \|`

			`The Project dropdown includes the list of private forks the user is a member`
			`of as at least a Developer and merge requests are enabled.`

			`Whenever the Branch name and Source (branch or tag) fields change, the`
New upstream version 13.8.5+ds1 2021-03-08 18:12:59 +05:30			`availability of the target and source branch are checked. Both branches should`
			`be available in the selected private fork.`
New upstream version 12.2.8 2019-10-12 21:52:04 +05:30
New upstream version 13.8.5+ds1 2021-03-08 18:12:59 +05:30			`By clicking the Create confidential merge request button, GitLab creates`
New upstream version 12.2.8 2019-10-12 21:52:04 +05:30			`the branch and merge request in the private fork. When you choose`
New upstream version 13.8.5+ds1 2021-03-08 18:12:59 +05:30			`Create branch, GitLab creates only the branch.`
New upstream version 12.2.8 2019-10-12 21:52:04 +05:30
New upstream version 13.8.5+ds1 2021-03-08 18:12:59 +05:30			`After the branch is created in the private fork, developers can push code to`
New upstream version 12.2.8 2019-10-12 21:52:04 +05:30			`that branch to fix the confidential issue.`