    FORGE · MANAGED AND SELF-MANAGED GITLAB

    Self-managed GitLab, run right

    Forge operates your GitLab with audit grade controls, policy enforced pipelines, and evidence on every merge. Managed, self-managed, or air gapped.

    Proof: AWS Advanced Tier and Validated MSP · SOC 2 Type II since 2018 · 21 years of regulated infrastructure · Linux Foundation member participating in FINOS
    THE TRADEOFF

    The choice you should not have to make.

    Self-hosting GitLab for control usually means carrying the operational burden: the upgrades, the runner fleet, the backups, the security posture, and the audit trail all land on your platform team. Forge removes that tradeoff. You keep the control of self-managed GitLab inside your trust boundary, and Forge carries the operations.

    WHAT FORGE OPERATES

    Hardened GitLab, run for you.

    Hardened GitLab, runners, CI variables, upgrades, backups, and security, run for you.

    Hardened GitLab

    GitLab Ultimate or Premium, deployed inside your authorization boundary and hardened as policy-as-code from day one.

    Runners and CI variables

    Runners isolated per environment with short-lived tokens, and CI/CD variables managed under the same identity boundary as the platform.

    Upgrades, backups, and security

    Patch cadence, backup and DR, and the security posture of the substrate, run for you on a continuous-remediation SLA.

    GOVERNED BY DEFAULT

    Evidence on every merge.

    • Policy enforced pipelines: the rules your risk function signs off on run as code inside CI, not as a document beside it.
    • Evidence on every merge: a tamper evident record of what merged, what gates it passed, and who approved it.
    • The same governance extended to AI coding agents: GitLab Duo and the AI coding tool fleet governed by Reign at the call layer.
    DEPLOYMENT TOPOLOGIES

    Same controls in every topology.

    SaaS, dedicated cloud, your cloud, or air gapped. The governed posture does not change when the topology does.

    SaaS

    Forge-operated GitLab with the governed posture applied, for teams that want the fastest path onto governed pipelines.

    Dedicated cloud

    A single-tenant environment operated by Forge, isolated from any other customer workload.

    Your cloud

    Your AWS, Azure, or GCP account. Your VPC. Forge operates the substrate inside your authorization boundary.

    Air gapped

    Defense, classified, and sovereign-national programs. Fully air gapped, FIPS 140-2 Level 3 posture, no outbound calls to gitlab.com.

    MIGRATION

    Phased cut over, assurance live on day one.

    Projects, groups, CI variables and runners preserved. A scoped readiness assessment sizes the migration, then a phased cut over lands your estate on the new substrate with the continuous-assurance posture live from day one.

    Group and sub-group inheritance preserved across the move. No re-platforming of pipelines mid-flight.

    Built on open foundations

    Member and contributor in the open standards behind governed AI. The Linux Foundation, FINOS, and the Agentic AI Foundation.

    The Linux Foundation Silver Member · FINOS Member · Agentic AI Foundation Silver Member
    THE HARDENING SHEET

    What Forge applies on day one.

    Twelve named controls. Each is policy-as-code, not manual configuration. Five of the twelve are below. The full deliverable, with regulator framework mapping, deployment topology diagrams, and sample policy-as-code excerpts, lives in the gated hardening sheet PDF.

    • 01 SAML / SCIM identity boundary, group and sub-group inheritance enforced.
    • 02 IP allow-list at the platform edge and the runner edge.
    • 03 Runners isolated per environment. Short-lived tokens. No long-lived registration.
    • 04 Audit log streamed to the customer's SIEM and to the Reign Audit Ledger (CAVR).
    • 05 AI coding tools governed through the Reign AI Gateway.

    Plus seven more covering code scanning, branch protection, approved-model registry, data classification, egress controls, backup and DR, quarterly operating partner hardening review.

    FAQ

    Four questions before the scoping call.

    What is the difference between managed and self-managed GitLab?
    GitLab SaaS (gitlab.com) runs in GitLab's cloud under GitLab's operational control. Self-managed GitLab runs inside your own trust boundary, which is what regulated buyers usually need, but it normally means carrying the operational burden yourself. Forge removes that tradeoff: your GitLab runs self-managed inside your authorization boundary, and Forge operates the substrate, the runners, the upgrades, the backups, and the security for you.
    Do you support air gapped deployments?
    Yes. Forge operates GitLab in fully air gapped deployments for defense, classified, and sovereign-national programs, with FIPS 140-2 Level 3 posture and ITAR, NIST 800-171, and CMMC alignment. No outbound calls to gitlab.com. The same controls apply in every topology: SaaS, dedicated cloud, your cloud, or air gapped.
    How does migration work?
    A scoped readiness assessment sizes the migration. Inventory of projects, groups, sub-groups, CI/CD variables, and Runners; gap analysis against your regulatory surface; then a phased cut over with the continuous-assurance posture live on the new substrate from day one. Group and sub-group inheritance preserved across the move.
    Do you support the GitLab Ultimate tier?
    Yes. Ultimate is the default for regulated buyers: the Ultimate-only features (Compliance Pipelines, Audit Events with longer retention, Security Dashboards) align with the evidence cadence regulated enterprises need. GitLab Self-Managed Premium fits earlier-stage organizations or workloads where the Ultimate feature set is genuinely not needed. Our professional services team can scope the decision.
    TALK TO FORGE

    Scope your GitLab on Forge.

    Talk to Forge engineering.

    Tell us where your GitLab runs today and we will scope the governed, Forge-operated path.

    First response within one business day.