Govern: Security Policies 17.2 Planning Issue
Previous planning issue: Govern: Security Policies 17.1 Planning Issue (#461021 - closed)
Narrative
During our last milestone, our team continued to deliver great improvements and enhancements to the features offered by group::security policies! Examples include Merge request approval policies fail open/close... (&13227 - closed) and Support merge request settings override for any... (&13930 - closed). Congratulations!
At the same time, we have started shifting our focus to spend more time on quality, performance, and the improvements that we wanted to introduce with Use database read model for merge request appr... (&9971 - closed) and https://gitlab.com/groups/gitlab-org/-/epics/12033+. That work continues, and we plan to close this refactoring and these performance improvements in this milestone.
In the upcoming milestone, our focus will be on releasing Pipeline Execution Policy Type (&13266 - closed), finalizing Manage scheduled scan execution pipeline concur... (&13997 - closed), and implementing quality and performance improvements in the scope of Use database read model for merge request appr... (&9971 - closed). We will also finalize our efforts on the improvements needed for Cells 1.0 in the scope of (size: M to L) Cells - Workflows: Security Poli... (&12709 - closed). These goals are critical for our team to continue great progress!
Additionally, as in every release, we want to continue solving bugs to improve the UX of Security Policy features and ensure they work correctly. Our customers are increasingly interested in using our features, so we must ensure that Scan Execution and Merge Request Approval Policies work as expected.
Spikes
- Spike: Verify how to implement Policy History i... (#434678 - closed)
- Spike: Cells - Investigate and separate importe... (#441078 - closed)
Priorities
To finalize and close
- Pipeline Execution Policy Type (&13266 - closed) ( @mcavoj / @arfedoro)
- Use database read model for merge request appr... (&9971 - closed) ( @sashi_kumar)
- Manage scheduled scan execution pipeline concur... (&13997 - closed) ( @mc_rocha)
- Expand Scan Execution Policies to run on MR pip... (#467497 - closed) ( @aturinske)
To start/continue working on
- 🆕 Audit status check response updates (#413535 - closed) - We have development guidelines and can get support from compliance on adding audit events -- I suspect this should be straightforward. If it's more work we could do a spike and plan for 17.3.
- Refine Policy Application Limits (&8084)
- Start work to characterize performance from &9971 (closed)
- Add groups to security policy scope (Iteration 1) (&14149 - closed) - Candidate to start if we have capacity, or plan/breakdown. I think the path here is already clear.
To start planning and breakdown
- 🆕 Add authentication to merge request external st... (#433035 - closed)
- 🆕 Improve compatibility between security policies... (&14119) - To avoid solving for each edge case, we'd like to brainstorm and nail down a proposal for simplifying MR approval policies.
- Hide the Security Policy Project and Automate P... (&5446 - closed) - With the recent walkthrough and breakdown of iterations, let's refine and define the implementation plan. We could still continue with Cancelled: Allow Users to View Policy History i... (&5448) if it works as an iteration, or it may make sense to skip forward and add the policy history directly with Iteration 4 instead. We should have problem validation research completed on this soon as well.
type::feature / type::maintenance backend focus
type::feature / type::maintenance frontend focus
- Expand Scan Execution Policies to run on MR pip... (#467497 - closed) • Alexander Turinske • 17.2 • On track
- [Exploration] Security policy approval descript... (#439831) • Martin Cavoj • Backlog • On track
- [Feature flag] Removal of `approval_policy_disa... (#454852 - closed) • Alexander Turinske • 17.3 • On track
- [Feature flag] Cleanup `merge_request_approval_... (#461544 - closed) • Alexander Turinske • 17.2
- [Feature flag] Cleanup `merge_request_approval_... (#461543 - closed) • Alexander Turinske • 17.2
- Update aria-label for remove button in policy e... (#429114 - closed) • Unassigned • Backlog • At risk
- [Frontend] Use array for `include` in Pipeline ... (#467376 - closed) • Artur Fedorov • 17.2 • On track
- Follow-up from "Apply limits and restrict schem... (#467244 - closed) • Artur Fedorov • 17.2 • On track
type::bug backend focus
type::bug frontend focus
- UX bug: policy error message showing an YAML mo... (#419406 - closed) • Alexander Turinske • 17.2 • At risk
- Security Policy yaml validation does not work w... (#461252 - closed) • Alexander Turinske • 17.5 • At risk
- Remove "+" icon and add word "New" to keep the ... (#464710 - closed) • Justin Zeng • 17.2
- Remove extra word "scan" in scan execution variable (#464720 - closed) • Alexander Turinske, Justin Zeng • 17.2 • At risk
- Audit test coverage for Security Policy List (gitlab-org/quality/quality-engineering/team-tasks#2231 - closed) • Alexander Turinske • 17.6
Extra
- Kanban Board with additional smaller maintenance issues and bugs. (Prioritized from top to bottom)
- Group Priorities List
Metrics
Release post items
Release post items related to current work in format Epic | Release post | Milestone.
- Merge request approval policies fail open/close... (&13227 - closed) | Release post | %17.1
- Expand Scan Execution Policies to run on MR pip... (#415427 - closed) | Release post | %17.1
- Manage scheduled scan execution pipeline concur... (&13997 - closed) | Release post | %17.2
- Pipeline Execution Policy Type (&13266 - closed) | Release post | %17.2
- Refine Policy Application Limits (&8084) | Release post | %17.2?
- Exclude packages from Merge Request Approval Po... (&10203 - closed) | Release post | TBD