Security report schemas release policy
Release notes
Problem to solve
As part of introducing the Generic security report schema, we've embedded the security report schemas into GitLab so that we could perform schema validation on security report artifacts.
Before validation is enforced for all security reports, we need to agree on how schema changes are proposed, implemented and deployed across the analyzers and the GitLab rails application.
See also @sethgitlab's example.
Proposal
Any changes to the security report schemas or their release process must follow these rules:
- Proposed changes must be reviewed by the architectural council.
- The proposal must be explicitly responded to by group::threat insights.
- Backwards-compatible changes that have been approved can be released with any GitLab minor version.
- Backwards-incompatible changes need to:
  - Be announced at least 3 months in advance.
  - Be released at GitLab X.0 and X.6 milestones.
Edited by Thiago Figueiró