Principal Engineer, Software Supply Chain Security
GitLab

Job Description
Overview of the Principal Engineer, Software Supply Chain Security Role at GitLab
As a Principal Engineer, Software Supply Chain Security at GitLab, you will be instrumental in defining the technical strategy to secure how software is built and delivered across GitLab's DevSecOps platform. This role demands architectural leadership, collaborating closely with infrastructure and CI/CD teams to fortify pipelines, infrastructure, and access layers. Your contributions will significantly enhance GitLab’s enterprise security posture within the burgeoning software supply chain security market. A key focus will be on achieving SLSA Level 3 compliance, advanced secrets management, CI/CD security hardening, and laying the groundwork for GitLab’s global zero trust architecture. You will mentor Staff Engineers and individual contributors, guiding crucial technical decisions, and serve as a key spokesperson for GitLab's secure SaaS offerings to customers and external stakeholders.
Key Projects and Initiatives
- Leading SLSA Level 3 compliance efforts and provenance attestation across GitLab’s CI/CD platform.
- Integrating robust secrets management and enhancing runner security for container-isolated, highly secure pipelines.
What You Will Do
- Lead the end-to-end software supply chain security architecture for GitLab’s CI/CD platform, including SLSA Level 3 implementation and CI infrastructure hardening.
- Drive cross-team technical strategy and decisions across the Software Supply Chain Security (SSCS) stage teams, ensuring alignment with strategic plans.
- Collaborate extensively with infrastructure and CI/CD teams to design and implement long-term initiatives for a secure, scalable runner architecture, container isolation, and pipeline security at scale.
- Propose and validate technical implementations that support architectural changes to improve CI/CD scaling and performance on critical paths.
- Provide mentorship and coaching to Staff Engineers and individual contributors, elevating expertise in supply chain threat modeling, secrets management, artifact signing, and SBOM lifecycle practices.
- Partner with Engineering Managers and senior leadership to define roadmaps, decompose complex initiatives, and empower Staff Engineers to lead sub-department-wide efforts.
- Engage with customers and external stakeholders as a technical consultant and spokesperson, advocating for GitLab’s software supply chain security capabilities and roadmap.
- Collaborate with product, security, and compliance stakeholders to ensure features meet enterprise security, governance, and regulatory expectations in the software supply chain security market.
What You Will Bring
- Deep expertise in software supply chain security, including threat modeling for supply chain attack vectors, SLSA implementation and attestation systems, and SBOM generation and lifecycle management.
- Strong knowledge of artifact signing and verification using the Sigstore ecosystem, including Cosign, Fulcio, Rekor, and in-toto attestations.
- Extensive experience designing and hardening CI/CD security, such as runner isolation, pipeline security controls, and secrets management in large-scale environments.
- A solid background in distributed systems and infrastructure, including building resilient CI/CD platforms that handle high pipeline volumes and optimizing performance for critical paths.
- Practical experience with container security and Kubernetes security, encompassing admission controllers, policy controllers, workload isolation, and registry hardening.
- Proficiency in Go or Rust in a production environment, coupled with expert-level understanding of CI/CD workflows and DevSecOps best practices.
- Proven experience operating as a Principal or Staff Engineer across multiple development teams, demonstrating architectural leadership and effective partnership with Engineering Managers and senior leaders.
- Demonstrated capacity to clearly communicate complex problems and solutions.
About the Software Supply Chain Security Team
Our Software Supply Chain Security stage engineering teams are integral to GitLab’s authentication and access systems. We develop features that empower customers to manage vulnerabilities, dependencies, security policies, and compliance frameworks across their organizations. Comprising four core teams—Authentication, Authorization, Pipeline Security, and Compliance—with over 40 engineers, we operate asynchronously across regions. We collaborate closely with product, security, and infrastructure teams to deliver secure-by-default features for customers in highly regulated industries.
How GitLab Supports You
- Comprehensive benefits for health, finances, and well-being.
- Flexible Paid Time Off.
- Team Member Resource Groups.
- Equity Compensation & Employee Stock Purchase Plan.
- Growth and Development Fund.
- Parental leave.
- Home office support.
Key skills/competencies
- Software Supply Chain Security
- SLSA Compliance
- CI/CD Security
- Secrets Management
- Threat Modeling
- Artifact Signing (Sigstore, Cosign)
- Kubernetes Security
- Go/Rust Programming
- Distributed Systems
- DevSecOps Best Practices
How to Get Hired at GitLab
- Research GitLab's culture: Study their mission, values, recent news, and employee testimonials on LinkedIn and Glassdoor to understand their remote-first, transparent culture.
- Tailor your resume for DevSecOps: Customize your resume to highlight deep expertise in software supply chain security, CI/CD hardening, SLSA, and distributed systems. Use keywords from the job description to optimize for applicant tracking systems.
- Showcase architectural leadership: Provide specific examples of leading cross-functional technical strategy, mentoring staff engineers, and driving complex security initiatives in large-scale environments.
- Prepare for technical depth: Brush up on Go or Rust, Kubernetes security, Sigstore ecosystem, and threat modeling for supply chain attacks, as these are critical technical requirements.
- Articulate communication skills: Practice discussing complex security problems and solutions clearly, preparing to engage with both internal teams and external customers as a technical spokesperson.