Principal Engineer, Software Supply Chain Security
GitLab
full-time
Posted on:
Location Type: Remote
Location: United States
Salary
💰 $157,900 - $338,400 per year
About the role
- Lead the end-to-end software supply chain security architecture for GitLab’s CI/CD platform, including SLSA Level 3 implementation and CI infrastructure hardening.
- Drive cross-team technical strategy and decisions across our Software Supply Chain Security (SSCS) stage teams, aligning engineering work to SSCS strategic plans.
- Collaborate with infrastructure and CI/CD teams to design and land long-term initiatives for secure, scalable runner architecture, container isolation, and pipeline security at scale.
- Propose and validate technical implementations that support architectural changes to improve CI/CD scaling and performance on critical paths.
- Teach, mentor, and coach Staff Engineers and individual contributors, raising the bar on supply chain threat modeling, secrets management, artifact signing, and SBOM lifecycle practices.
- Partner with Engineering Managers and senior leadership to define roadmaps, break down complex initiatives, and enable Staff Engineers to lead sub-department-wide efforts.
- Engage with customers and external stakeholders as a technical consultant and spokesperson for GitLab’s software supply chain security capabilities and roadmap.
- Collaborate with product, security, and compliance stakeholders to ensure features meet enterprise security, governance, and regulatory expectations in the software supply chain security market.
Requirements
- Deep expertise in software supply chain security, including threat modeling for supply chain attack vectors, SLSA implementation and attestation systems, and SBOM generation and lifecycle management.
- Strong knowledge of artifact signing and verification using the Sigstore ecosystem, including Cosign, Fulcio, Rekor, and in-toto attestations.
- Experience designing and hardening CI/CD security, such as runner isolation, pipeline security controls, and secrets management in large-scale environments.
- Background in distributed systems and infrastructure, including building resilient CI/CD platforms that process high pipeline volumes and optimizing performance for critical paths.
- Practical experience with container security and Kubernetes security, including admission controllers, policy controllers, workload isolation, and registry hardening.
- Proficiency in Go or Rust in a production environment, combined with expert-level understanding of CI/CD workflows and DevSecOps best practices.
- Experience operating as a Principal or Staff Engineer across multiple development teams, providing architectural leadership and partnering with Engineering Managers and senior leaders.
- Demonstrated capacity to clearly communicate complex problems and solutions.
Benefits
- Benefits to support your health, finances, and well-being
- Flexible Paid Time Off
- Team Member Resource Groups
- Equity Compensation & Employee Stock Purchase Plan
- Growth and Development Fund
- Parental leave
- Home office support
Applicant Tracking System Keywords
Tip: use these terms in your resume and cover letter to boost ATS matches.
Hard skills
software supply chain security, threat modeling, SLSA implementation, SBOM generation, artifact signing, CI/CD security, container security, Kubernetes security, Go, Rust
Soft skills
mentoring, coaching, communication, collaboration, strategic planning, leadership, problem-solving