
Update Security Policies priorities to reflect focus on quality

Alan (Maciej) Paruszewski requested to merge alan-master-patch-b6e9 into master

Why is this change being made?

From weekly meeting:

We need to focus on a few initiatives over the following 2-3 milestones. Then, the goal is to slow down the development of new features and focus all efforts on improving the performance, availability, and overall quality of our features. We want to minimize the probability of support tickets, incidents and anything unplanned. To do so, we need to focus on moving approval rules to the read model, and to do that, we need to stop adding new features to this functionality.

Before we can do that, there are a few things we need to close first:

  • Stagger or batch scheduled pipelines executed by scan execution policies (important also from runner perspective; we should have MVC ready in 16.11)
  • Toggle scan result policies to fail open or fail closed (important for at least one customer; we will MVC it first in 16.11)
  • Display policy violation details in bot comment (to be released in 16.11)
  • Pipeline Execution Action (Custom CI YAML) in Scan Execution Policies (plan to finish before 17.0)
  • Security Policy Scopes (should be released in 16.11)

Then, we will focus mainly on the following:

  • Use database read model for merge request approval policies
  • Refine Policy Application Limits

This MR reflects that.

Author and Reviewer Checklist

Please verify the check list and ensure to tick them off before the MR is merged.

  • Provided a concise title for this Merge Request (MR)
  • Added a description to this MR explaining the reasons for the proposed change, i.e. say why, not just what
    • Copy/paste the Slack conversation to document it for later, or upload screenshots. Verify that no confidential data is added, and the content is SAFE
  • Assign reviewers for this MR to the correct Directly Responsible Individual/s (DRI)
    • If the DRI for the page/s being updated isn’t immediately clear, then assign it to one of the people listed in the Maintained by section on the page being edited
    • If your manager does not have merge rights, please ask someone to merge it AFTER it has been approved by your manager in #mr-buddies
    • The when to get approval handbook section explains the workflow in more detail
  • For transparency, share this MR with the audience that will be impacted.
    • Team: For changes that affect your direct team, share in your group Slack channel
    • Department: If the update affects your department, share the MR in your department Slack channel
    • Company: If the update affects all (or the majority of) GitLab team members, post an update in #whats-happening-at-gitlab linking to this MR
