GitLab, 11.04.2026
Senior Backend Engineer, SSCS: Supply Chain
Remote
Responsibilities
- Design and implement backend features across the Add-On's software supply chain security surface, including policy enforcement, artifact signing and verification, provenance attestation APIs, and malicious package detection integrations
- Build and improve the package policy evaluation engine, including rule compilation, request matching, enforcement decisions, and performance-sensitive execution paths tied to GitLab's Dependency Firewall infrastructure
- Develop artifact signing and verification workflows, including Sigstore and Cosign integrations, signing key lifecycle management, keyless signing with OpenID Connect (OIDC), and policy-based promotion gates
- Create and evolve the configuration interfaces that enterprise security teams use, including backend APIs and the GraphQL surface for expressing supply chain security requirements
- Integrate Add-On capabilities with GitLab's existing security policy framework, including policy inheritance and policy-as-code support through YAML
- Collaborate with adjacent teams as malicious package intelligence is incorporated into the Add-On offering, helping deliver cohesive workflows and faster response to package risk
- Write and maintain comprehensive RSpec and integration test coverage, and help improve test reliability across the team
- Review merge requests with a security-first mindset and implement solutions with substantial decision-making scope in partnership with the Staff Backend Engineer
Requirements
- Proven backend engineering experience, including production Ruby on Rails expertise
- Working knowledge of Go, or a clear willingness and ability to ramp up quickly in it
- Solid API design skills, including experience with REST, GraphQL, and defining clear internal service boundaries
- Solid PostgreSQL fundamentals, including schema design, query optimization, and indexing strategies
- Experience with Redis for caching and distributed coordination patterns
- A security-aware engineering mindset, with sound judgment around trust boundaries, input validation, and failure modes
- Familiarity with software supply chain security concepts such as Supply-chain Levels for Software Artifacts (SLSA), software bill of materials (SBOM), artifact signing, or related security scanning approaches
- Interest in complex policy, registry, or platform problems, including areas such as rules engines, package ecosystems, cryptographic signing, or DevSecOps product development