Govern: Security Policies 17.3 Planning Issue
Previous planning issue: Govern: Security Policies 17.2 Planning Issue (#466291 - closed)
Narrative
During our last milestone, our team delivered a long-anticipated feature, Pipeline Execution Policy Type (&13266 - closed), one of the most significant ones we have shipped! Another example of great work, also delivered, was Expand Scan Execution Policies to run on MR pip... (#415427 - closed). Congratulations!
These two were not the only things our team worked on. As we stated in previous planning issues, we also wanted to spend more time on quality, performance, and the improvements we planned to introduce with Use database read model for merge request appr... (&9971 - closed), Manage scheduled scan execution pipeline concur... (&13997 - closed) and Enforce, measure and increase Scan Execution Po... (&14460) (part of Refine Policy Application Limits (&8084)). We are continuing that work, and we plan to close out these refactoring and performance improvements in this milestone.
In the upcoming milestone, apart from finalizing the mentioned epics, we want to start working on new ones:
- Add authentication to merge request external st... (#433035 - closed) - where we want to enhance a feature that we inherited from the group::compliance team,
- Add groups to security policy scope (Iteration 1) (&14149 - closed) - where we want to improve policy scoping to allow users to scope policies by groups,
- ~~Prevent branch modification when a policy disab... (&13776 - closed) - where we need to continue our work around preventing branch modification on the group level~~ - as we are dependent on [Feature flag] Rollout of allow_protected_branc... (#383178 - closed) and it is not yet enabled, I'm removing it for now from our priorities for this milestone. (30.07.2024, @alan)
Additionally, as in every release, we want to continue solving bugs to improve the UX of Security Policy features and ensure they work correctly. Our customers are increasingly interested in using our features, so we must ensure that Scan Execution and Merge Request Approval Policies work as expected.
Spikes
- Spike: Prepare PoC to introduce scheduled Pipel... (#472671 - closed)
- https://gitlab.com/gitlab-org/gitlab/-/issues/437012
Priorities
To finalize and close
- Use database read model for merge request appr... (&9971 - closed) (@sashi_kumar)
- Manage scheduled scan execution pipeline concur... (&13997 - closed) (@mc_rocha / @aturinske)
- Enforce, measure and increase Scan Execution Po... (&14460) (@bauerdominic)
- Pipeline Execution Policy Improvements (&13918) (@Andyschoenen / @mcavoj)
To start/continue working on
- Add authentication to merge request external st... (#433035 - closed) (@arfedoro)
- Add groups to security policy scope (Iteration 1) (&14149 - closed) (@sashi_kumar / @arfedoro)
- Prevent branch modification when a policy disab... (&13776 - closed) (@bauerdominic) [TBD, as the feature from group::source code was not yet enabled]
To start planning and breakdown
- Scheduled pipeline execution policies (Experiment) (&14147 - closed)
- Improve compatibility between security policies... (&14119)
- Enforce scan execution in spite of "disabled Gi... (&14057)
type::feature / type::maintenance backend focus
- Add migration to sync policies to read model (#464033 - closed) • Andy Schoenen, Sashi Kumar Kumaresan • 17.7 • Needs attention (Deliverable)
- BE: Clean up the security policy pipeline execu... (#472193 - closed) • Martin Cavoj • 17.3 • On track (Deliverable)
- Follow-up from "Set internal bots profiles to b... (#470153 - closed) • Unassigned • 17.3 • On track (Deliverable)
- Ignore invalid project CI with pipeline executi... (#471726 - closed) • Marcos Rocha • 17.4 • On track (Deliverable)
- [Feature flag] Removal of `approval_policy_disa... (#454852 - closed) • Alexander Turinske • 17.3 • On track (Deliverable)
- Add authentication to merge request external st... (#433035 - closed) • Artur Fedorov • 17.3 • On track (Deliverable)
- BE: Add groups to security policy scope (#468384 - closed) • Sashi Kumar Kumaresan • 17.3 • On track (Deliverable)
- Add service to create and sync policy YAML into... (#416262 - closed) • Andy Schoenen • 17.5 • At risk (Deliverable)
- Use security policy read model for approval_rules (#464034 - closed) • Sashi Kumar Kumaresan • 17.7 • At risk (Deliverable)
- Update scan_finding approval rules when protect... (#432913 - closed) • Sashi Kumar Kumaresan • 17.3 • At risk (Deliverable)
- Define SSoT precedence of CI configurations in CE (#466430 - closed) • Martin Cavoj • 17.3 • On track (Deliverable)
- https://gitlab.com/gitlab-org/gitlab/-/issues/437012 (Deliverable)
- Rephrase errors in policy bot comment (#462978 - closed) • Andy Schoenen • 17.3 (Stretch)
- Update security policies graphql API to filter ... (#471583 - closed) • Sashi Kumar Kumaresan • 17.3 (Stretch)
- Follow-up from "Update scheduled_scans_max_conc... (#470873 - closed) • Marcos Rocha • 17.3 (Stretch)
- Find a better place for the PipelineExecutionPo... (#470717 - closed) • Andy Schoenen • 17.3 (Stretch)
- Add instrumentation when evaluating Scan Execut... (#468661 - closed) • Martin Cavoj • 17.3 (Stretch)
- Spike: Prepare PoC to introduce scheduled Pipel... (#472671 - closed) • Andy Schoenen • 17.6 (Stretch)
- Add `fail_open` usage metrics (#462372 - closed) • Alan (Maciej) Paruszewski • 17.3 (Stretch)
- Add histogram dashboard for `ProcessScanResultP... (#456990 - closed) • Marcos Rocha • 17.3 (Stretch)
- Follow-up from "Ignore value of feature toggle ... (#448494 - closed) • Dominic Bauer • 17.3 (Stretch)
- Spike: Cells - Investigate and separate importe... (#441078 - closed) • Marcos Rocha • 17.4 (Stretch)
- Metric - Adoption/usage of pipeline execution p... (#436055 - closed) • Marcos Rocha • 17.3 (Stretch)
- Use bot avatar for security_policy_bot users (#421386 - closed) • Sashi Kumar Kumaresan • 17.3 (Stretch)
- https://gitlab.com/gitlab-org/gitlab/-/issues/450703 (Stretch)
- Follow-up from PEP MVC: Define SSoT for pipelin... (#464300 - closed) • Martin Cavoj • 17.3 (Stretch)
type::feature / type::maintenance frontend focus
- Update UI text for require auth in MR policies (#465905 - closed) • Alan (Maciej) Paruszewski • 17.3 • On track (Deliverable)
- [Frontend] Add group scope option for policy list (#470060 - closed) • Artur Fedorov • 17.4 • At risk (Deliverable)
- [Frontend] Add group/subgroup option in policy ... (#470059 - closed) • Artur Fedorov • 17.4 • On track (Deliverable)
- Use full path for security policy scope project... (#463409 - closed) • Artur Fedorov • 17.3 • On track (Deliverable)
- [Feature flag] Removal of `approval_policy_disa... (#454852 - closed) • Alexander Turinske • 17.3 • On track (Deliverable)
- [Feature flag] Removal of `approval_policy_disa... (#469449 - closed) • Alexander Turinske • 17.3 • On track (Deliverable)
- [Feature flag] Cleanup of `scan_execution_polic... (#468981 - closed) • Alexander Turinske • 17.3 (Deliverable)
- [Feature flag] Cleanup of `scan_execution_polic... (#461474 - closed) • Alexander Turinske • 17.3 (Deliverable)
- Improve security policy primary key validation (#471863 - closed) • Artur Fedorov • 17.3 (Stretch)
- FE: Prevent changes in group-level protected br... (#435725 - closed) • Alexander Turinske • 17.6 (Stretch)
type::bug backend focus
- priority::2 / severity::3 Move creation of security policy project to bac... (#464329 - closed) • Alexander Turinske • 17.5 • Needs attention (Stretch)
- priority::3 / severity::3 `Limit access to this project` setting is not a... (#469108 - closed) • Andy Schoenen, Alan (Maciej) Paruszewski • 17.3 (Deliverable)
- priority::3 / severity::3 Merge request approval policy applies to all br... (#456055 - closed) • Andy Schoenen • 17.3 • Needs attention (Deliverable)
- priority::3 / severity::3 Allow pipeline execution yaml files to be read ... (#469439 - closed) • Marcos Rocha • 17.5 (Stretch)
- priority::4 / severity::3 Require expression in commit messages regular e... (#463064 - closed) • Dominic Bauer • 17.4 (Stretch)
type::bug frontend focus
- priority::2 / severity::3 Move creation of security policy project to bac... (#464329 - closed) • Alexander Turinske • 17.5 • Needs attention (Stretch)
- priority::3 / severity::3 For scan execution policies, when linking a pro... (#451320 - closed) • Alexander Turinske • 17.5 • On track (Deliverable)
- priority::4 / severity::4 Security Policy yaml validation does not work w... (#461252 - closed) • Alexander Turinske • 17.5 • At risk (Stretch)
Extra
- Kanban Board with additional smaller maintenance issues and bugs. (Prioritized from top to bottom)
- Group Priorities List
Metrics
Release post items
Release post items related to current work, in the format Epic | Release post | Milestone.

| Epic | Release post | Milestone |
| --- | --- | --- |
| Manage scheduled scan execution pipeline concur... (&13997 - closed) | Draft: Release post: Manage scheduled scan exec... (gitlab-com/www-gitlab-com!135173 - merged) | %17.3 |
| Prevent branch modification when a policy disab... (&13776 - closed) | Release post: Prevent branch modification of gr... (gitlab-com/www-gitlab-com!135580 - merged) | %17.3 |
| Add authentication to merge request external st... (#433035 - closed) | Release post: Add authentication to merge reque... (gitlab-com/www-gitlab-com!135586 - merged) | %17.3 |
| Add groups to security policy scope | Release post: Add groups to security policy scope (gitlab-com/www-gitlab-com!135589 - merged) | %17.3 |