Govern: Security Policies 16.7 Planning Issue
Previous planning issue: Govern: Security Policies 16.6 Planning Issue (#428788 - closed)
Narrative
In %16.5 and %16.6 we worked on Epics related to Compliance Enforcement of Security Policies (Prevent branch modification when a policy disab... (&9705 - closed), Allow users to enforce MR approvals as a compli... (&9696 - closed), Allow compliance teams to prevent pushing and f... (&9706 - closed)). We have successfully released and delivered the last two, and in this milestone we will be enabling Prevent branch modification when a policy disab... (&9705 - closed) by default. Great work!
In the last milestone we also started working on a completely new set of features that we would like to deliver in the near future:
- Enforce SEP variables with the highest precedence (#424028 - closed) - setting variables defined in Security Policies with the highest precedence so that they cannot be overridden elsewhere; this will allow customers to ensure that the configuration provided in Security Policies cannot be altered,
- Security Policy Scopes (&5510 - closed) - adding ability to set the scope of the policy to a particular Compliance Framework or list of projects and improving user experience around Compliance Framework,
- Pipeline Execution Action (Custom CI YAML Suppo... (&7312 - closed) - allowing users to configure their Security Policies and provide custom configuration as YAML, so Scan Execution Policies will no longer be limited to predefined scans. We have to finalize work on this Epic before %16.9 to give customers enough time to migrate from Compliance Pipelines, which will be deprecated in %17.0; we are looking for opportunities for customers to experiment early.
With this milestone, we will continue our strategy while working on new tasks. Most of the issues will be preassigned to designated DRIs for each Epic, and they will be responsible for refinement, creating implementation issues, implementation, verification, and assigning issues to others if needed. We want to experiment with this approach to see if it helps us reduce the probability of miscommunication.
Additionally, as we do in every release, we want to solve bugs to improve the UX of Security Policy features and ensure they are working correctly. We see more and more interest in using features from our group, so we need to ensure Scan Execution and Scan Result policies are working as expected.
We also want to prepare Epics for future milestones by creating implementation issues for them:
- Compliance Pipeline to Security Policy Migration (&11275)
- Improve how AppSec teams handle vulnerability m... (&11020)
We also want to improve our documentation with:
- Document security policy compliance pipelines (#424490 - closed)
- Start preparing the documentation needed for Compliance Pipeline to Security Policy Migration (&11275).
Priorities
To finalize and close
- Prevent branch modification when a policy disab... (&9705 - closed)
- Enforce SEP variables with the highest precedence (#424028 - closed)
To work on
- Security Policy Scopes (&5510 - closed)
- Pipeline Execution Action (Custom CI YAML Suppo... (&7312 - closed)
To prepare implementation issues and refine
- Compliance Pipeline to Security Policy Migration (&11275)
- Aligning scan result policy and MR widget compa... (&11847 - closed)
- Display security policy violation details to users (&11185)
Spikes
- Spike: Investigate how we can create E2E failur... (#430952 - closed)
- Spike: Add unit/integration tests to validate m... (#430910 - closed)
- Spike: Investigate API improvements to provide ... (#426582 - closed)
- Spike: Make sure security policy compliance pip... (#424488 - closed)
type::feature / type::maintenance backend focus
- Handle stages definitions in security policy cu... (#425012 - closed) • Alishan Ladhani • 16.7 • On track (Deliverable)
- Spike: Make sure security policy compliance pip... (#424488 - closed) • Andy Schoenen • 16.9 • On track (Deliverable)
- Enforce SEP variables with the highest precedence (#424028 - closed) • Sashi Kumar Kumaresan • 16.7 • On track (Deliverable)
- BE: Add GraphQL API to list policies for select... (#428493 - closed) • Dominic Bauer • 16.8 • On track (Deliverable)
- BE: Prevent changes in group-level protected br... (#420724 - closed) • Marcos Rocha • 16.9 • On track (Deliverable)
- Generate approval notification when no scanners... (#417598 - closed) • Andy Schoenen • 16.7 • On track (Deliverable)
- BE: Synchronize Scan Result Policies after Comp... (#428491 - closed) • Marcos Rocha • 16.7 • On track (Deliverable)
- Custom scan execution policies should execute e... (#432050 - closed) • Andy Schoenen, Marcos Rocha • 16.8 • At risk (Deliverable)
- Make stages order from security policy custom C... (#432042 - closed) • Andy Schoenen • 16.9 • On track (Deliverable)
- Remove MergeRequests::Mergeability::CheckDenied... (#430911 - closed) • Sashi Kumar Kumaresan • 16.7 • On track (Deliverable)
- Spike: Investigate security policy usage by typ... (#416137) • Unassigned • Backlog (Stretch)
- Use security policy job name index pattern for ... (#432046 - closed) • Andy Schoenen • 16.11 • On track (Stretch)
- Spike: Investigate how we can create E2E failur... (#430952 - closed) • Alan (Maciej) Paruszewski • 16.7 (Stretch)
- Spike: Add unit/integration tests to validate m... (#430910 - closed) • Marcos Rocha • 16.7 (Stretch)
- Spike: Investigate API improvements to provide ... (#426582 - closed) • Martin Čavoj • 16.7 (Stretch)
- Remove security policy configuration bot_user_i... (#426144 - closed) • Sashi Kumar Kumaresan • 16.7 (Stretch)
- Add metrics for Auth group (#425519 - closed) • Unassigned • 16.10 (Stretch)
- Add e2e test to ensure policies appear in setti... (#423454 - closed) • Marcos Rocha • 16.7 (Stretch)
- Add metrics for Compliance Group (#416918 - closed) • Andy Schoenen • 16.7 (Stretch)
type::feature / type::maintenance frontend focus
- FE: Add Policy Scope to UI Policy Editor (#428492 - closed) • Artur Fedorov • 16.7 • On track (Deliverable)
- FE: Add validation for `policy.yml` file in sec... (#369006 - closed) • Alexander Turinske • 16.7 (Stretch)
- FE: Update UI Policy Editor to allow to include... (#428507 - closed) • Artur Fedorov • 16.8 (Stretch)
- FE: Add ability to create Compliance Framework ... (#428494 - closed) • Artur Fedorov • 16.7 • On track (Stretch)
- FE: Add tooltip to every setting (#430281 - closed) • Alexander Turinske • 16.7 (Stretch)
- Add e2e test to ensure policies appear in setti... (#423454 - closed) • Marcos Rocha • 16.7 (Stretch)
- FE: Add support for group-level branch exceptio... (#423434 - closed) • Artur Fedorov • 17.0 (Stretch)
- Update tests in policy_editor/scan_result_polic... (#419212) • Unassigned • Backlog (Stretch)
- FE: Update UI Policy Editor to show custom CI c... (#428508 - closed) • Artur Fedorov • 16.10 (Stretch)
type::bug backend focus
- License compliance bug: Report comparison perfo... (#430710 - closed) • Sashi Kumar Kumaresan • 16.7 • On track (Deliverable)
- License compliance bug: Merge request shows "de... (#430706 - closed) • Sashi Kumar Kumaresan • 16.7 (Deliverable)
- priority::2 / severity::2 License Compliance widget shows all licenses as... (#416006 - closed) • Andy Schoenen • 16.7 • On track (Deliverable)
- priority::2 / severity::3 Investigate degraded performance of AuthorizedP... (#423838 - closed) • Sashi Kumar Kumaresan • 16.8 • On track (Deliverable)
- priority::2 / severity::3 Duplicate approval rules in MR when scan_findin... (#420335 - closed) • Alexander Turinske • 16.8 • On track (Deliverable)
- priority::3 / severity::3 License approval works incorrectly when the tar... (#419569 - closed) • Marcos Rocha • 16.8 • On track (Deliverable)
- priority::3 / severity::3 Scan result policy blocking MR when vulnerabili... (#424963 - closed) • Andy Schoenen • 16.7 • At risk (Deliverable)
- Timeout error when unassigning security policy ... (#427805 - closed) • Sashi Kumar Kumaresan • 16.7 (Stretch)
type::bug frontend focus
- priority::2 / severity::3 Duplicate approval rules in MR when scan_findin... (#420335 - closed) • Alexander Turinske • 16.8 • On track (Deliverable)
- Improve error handling for branch exceptions (#430943 - closed) • Alexander Turinske • 16.7 (Stretch)
Extra
- Kanban Board with additional smaller maintenance issues and bugs. (Prioritized from top to bottom)
- Group Priorities List