2020-06-23 00:09:42 +05:30
---
stage: Plan
group: Project Management
2021-02-22 17:27:13 +05:30
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
2020-06-23 00:09:42 +05:30
---
2017-08-17 22:00:37 +05:30
# Confidential issues
2020-03-13 15:44:24 +05:30
> [Introduced](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/3282) in GitLab 8.6.
2017-08-17 22:00:37 +05:30
Confidential issues are issues visible only to members of a project with
[sufficient permissions ](#permissions-and-access-to-confidential-issues ).
Confidential issues can be used by open source projects and companies alike to
keep security vulnerabilities private or prevent surprises from leaking out.
## Making an issue confidential
2018-03-17 18:26:18 +05:30
You can make an issue confidential during issue creation or by editing
2017-08-17 22:00:37 +05:30
an existing one.
When you create a new issue, a checkbox right below the text area is available
2021-04-29 21:17:54 +05:30
to mark the issue as confidential. Check that box and hit the **Create issue**
2017-08-17 22:00:37 +05:30
button to create the issue. For existing issues, edit them, check the
confidential checkbox and hit **Save changes** .
![Creating a new confidential issue ](img/confidential_issues_create.png )
2018-03-17 18:26:18 +05:30
## Modifying issue confidentiality
2017-08-17 22:00:37 +05:30
2018-03-17 18:26:18 +05:30
There are two ways to change an issue's confidentiality.
2021-03-08 18:12:59 +05:30
The first way is to edit the issue and toggle the confidentiality checkbox.
After you save the issue, the confidentiality of the issue is updated.
2018-03-17 18:26:18 +05:30
The second way is to locate the Confidentiality section in the sidebar and click
**Edit**. A popup should appear and give you the option to turn on or turn off confidentiality.
| Turn off confidentiality | Turn on confidentiality |
| :-----------: | :----------: |
| ![Turn off confidentiality ](img/turn_off_confidentiality.png ) | ![Turn on confidentiality ](img/turn_on_confidentiality.png ) |
2017-08-17 22:00:37 +05:30
Every change from regular to confidential and vice versa, is indicated by a
system note in the issue's comments.
![Confidential issues system notes ](img/confidential_issues_system_notes.png )
## Indications of a confidential issue
There are a few things that visually separate a confidential issue from a
regular one. In the issues index page view, you can see the eye-slash icon
next to the issues that are marked as confidential.
![Confidential issues index page ](img/confidential_issues_index_page.png )
2021-03-08 18:12:59 +05:30
If you don't have [enough permissions ](#permissions-and-access-to-confidential-issues ),
you cannot see confidential issues at all.
2017-08-17 22:00:37 +05:30
---
Likewise, while inside the issue, you can see the eye-slash icon right next to
2021-03-08 18:12:59 +05:30
the issue number. There is also an indicator in the comment area that the
2017-08-17 22:00:37 +05:30
issue you are commenting on is confidential.
![Confidential issue page ](img/confidential_issues_issue_page.png )
2018-03-17 18:26:18 +05:30
There is also an indicator on the sidebar denoting confidentiality.
| Confidential issue | Not confidential issue |
| :-----------: | :----------: |
| ![Sidebar confidential issue ](img/sidebar_confidential_issue.png ) | ![Sidebar not confidential issue ](img/sidebar_not_confidential_issue.png ) |
2017-08-17 22:00:37 +05:30
## Permissions and access to confidential issues
There are two kinds of level access for confidential issues. The general rule
is that confidential issues are visible only to members of a project with at
2019-07-07 11:18:12 +05:30
least [Reporter access ](../../permissions.md#project-members-permissions ). However, a guest user can also create
2017-08-17 22:00:37 +05:30
confidential issues, but can only view the ones that they created themselves.
Confidential issues are also hidden in search results for unprivileged users.
2018-11-08 19:23:39 +05:30
For example, here's what a user with Maintainer and Guest access sees in the
2017-08-17 22:00:37 +05:30
project's search results respectively.
2018-11-08 19:23:39 +05:30
| Maintainer access | Guest access |
2017-08-17 22:00:37 +05:30
| :-----------: | :----------: |
2021-03-08 18:12:59 +05:30
| ![Confidential issues search by maintainer ](img/confidential_issues_search_master.png ) | ![Confidential issues search by guest ](img/confidential_issues_search_guest.png ) |
2019-10-12 21:52:04 +05:30
## Merge Requests for Confidential Issues
2020-06-23 00:09:42 +05:30
> [Introduced](https://gitlab.com/gitlab-org/gitlab-foss/-/issues/58583) in GitLab 12.1.
2019-10-12 21:52:04 +05:30
To help prevent confidential information being leaked from a public project
in the process of resolving a confidential issue, confidential issues can be
resolved by creating a merge request from a private fork.
2021-03-08 18:12:59 +05:30
The created merge request targets the default branch of the private fork,
2019-10-12 21:52:04 +05:30
not the default branch of the public upstream project. This prevents the merge
request, branch, and commits entering the public repository, and revealing
2021-03-08 18:12:59 +05:30
confidential information prematurely. To make a confidential commit public,
open a merge request from the private fork to the public upstream project.
2019-10-12 21:52:04 +05:30
2021-03-08 18:12:59 +05:30
Permissions are inherited from parent groups. Developers have the same permissions
2021-03-11 19:13:27 +05:30
for private forks created in the same group or in a subgroup of the original
2021-03-08 18:12:59 +05:30
Permissions are inherited from parent groups. When private forks are created
2021-03-11 19:13:27 +05:30
in the same group or subgroup as the original upstream repository, users
2021-03-08 18:12:59 +05:30
receive the same permissions in both projects. This inheritance ensures
Developer users have the needed permissions to both view confidential issues and
resolve them.
2019-10-12 21:52:04 +05:30
### How it works
On a confidential issue, a **Create confidential merge request** button is
2021-03-08 18:12:59 +05:30
available. Clicking on it opens a dropdown where you can choose to
2019-10-12 21:52:04 +05:30
**Create confidential merge request and branch** or **Create branch** :
| Create confidential merge request | Create branch |
| :-------------------------------: | :-----------: |
| ![Create Confidential Merge Request Dropdown ](img/confidential_mr_dropdown_v12_1.png ) | ![Create Confidential Branch Dropdown ](img/confidential_mr_branch_dropdown_v12_1.png ) |
The **Project** dropdown includes the list of private forks the user is a member
of as at least a Developer and merge requests are enabled.
Whenever the **Branch name** and **Source (branch or tag)** fields change, the
2021-03-08 18:12:59 +05:30
availability of the target and source branch are checked. Both branches should
be available in the selected private fork.
2019-10-12 21:52:04 +05:30
2021-03-08 18:12:59 +05:30
By clicking the **Create confidential merge request** button, GitLab creates
2019-10-12 21:52:04 +05:30
the branch and merge request in the private fork. When you choose
2021-03-08 18:12:59 +05:30
**Create branch**, GitLab creates only the branch.
2019-10-12 21:52:04 +05:30
2021-03-08 18:12:59 +05:30
After the branch is created in the private fork, developers can push code to
2019-10-12 21:52:04 +05:30
that branch to fix the confidential issue.