GitLab, the intelligent orchestration platform for DevSecOps, is seeking a Principal Engineer for Software Supply Chain Security to lead the technical strategy for securing software delivery. The role provides architectural leadership across engineering teams and works with infrastructure and CI/CD teams to strengthen security and compliance across the software supply chain.
Responsibilities:
- Lead the end-to-end software supply chain security architecture for GitLab’s CI/CD platform, including SLSA Level 3 implementation and CI infrastructure hardening
- Drive cross-team technical strategy and decisions across our Software Supply Chain Security (SSCS) stage teams, aligning engineering work to SSCS strategic plans
- Collaborate with infrastructure and CI/CD teams to design and land long-term initiatives for secure, scalable runner architecture, container isolation, and pipeline security at scale
- Propose and validate technical implementations that support architectural changes to improve CI/CD scaling and performance on critical paths
- Teach, mentor, and coach Staff Engineers and individual contributors, raising the bar on supply chain threat modeling, secrets management, artifact signing, and SBOM lifecycle practices
- Partner with Engineering Managers and senior leadership to define roadmaps, break down complex initiatives, and enable Staff Engineers to lead sub-department-wide efforts
- Engage with customers and external stakeholders as a technical consultant and spokesperson for GitLab’s software supply chain security capabilities and roadmap
- Collaborate with product, security, and compliance stakeholders to ensure features meet enterprise security, governance, and regulatory expectations in the software supply chain security market
Requirements:
- Deep expertise in software supply chain security, including threat modeling for supply chain attack vectors, SLSA implementation and attestation systems, and SBOM generation and lifecycle management
- Strong knowledge of artifact signing and verification using the Sigstore ecosystem, including Cosign, Fulcio, Rekor, and in-toto attestations
- Experience designing and hardening CI/CD security, such as runner isolation, pipeline security controls, and secrets management in large-scale environments
- Background in distributed systems and infrastructure, including building resilient CI/CD platforms that process high pipeline volumes and optimizing performance for critical paths
- Practical experience with container security and Kubernetes security, including admission controllers, policy controllers, workload isolation, and registry hardening
- Proficiency in Go or Rust in a production environment, combined with expert-level understanding of CI/CD workflows and DevSecOps best practices
- Experience operating as a Principal or Staff Engineer across multiple development teams, providing architectural leadership and partnering with Engineering Managers and senior leaders
- Demonstrated capacity to clearly communicate complex problems and solutions