Govern: Security Policies 17.4 Planning Issue
Previous planning issue: Govern: Security Policies 17.3 Planning Issue (#472374 - closed)
Narrative
During our last milestone, our team delivered a substantial improvement with External Status Check: Add authentication to merge request external st... (#433035 - closed), which increases the security of External Status Checks by giving customers the ability to verify that a request is really coming from their GitLab instance!
However, that was not the only area our team focused on. We moved forward with Use database read model for merge request appr... (&9971 - closed), Manage scheduled scan execution pipeline concur... (&13997 - closed) and Enforce, measure and increase Scan Execution Po... (&14460) (part of Refine Policy Application Limits (&8084)). Additionally, we are finalizing our work on Prevent branch modification when a policy disab... (&13776 - closed), which will be a great addition to our features as well! We are continuing this work and plan to close these refactoring and performance improvements in this milestone.
In the upcoming milestone, apart from finalizing the mentioned epics, we want to start working on new ones:
- continue improvements around Pipeline Execution Policies with:
  - Improve compatibility between security policies... (&14119) - where we want to improve compatibility between Scan Execution and Merge Request Approval Policies and Security Analyzers,
Additionally, as in every release, we want to keep fixing bugs to improve the UX of Security Policy features and ensure they work correctly. Customer interest in these features keeps growing, so Scan Execution and Merge Request Approval Policies must work as expected.
Spikes
Priorities
To finalize and close
- Use database read model for merge request appr... (&9971 - closed) (@sashi_kumar)
- Manage scheduled scan execution pipeline concur... (&13997 - closed) (@mc_rocha)
To start/continue working on
- Enforce, measure and increase Scan Execution Po... (&14460) (@bauerdominic)
- Pipeline Execution Policy Improvements (&13918) (@Andyschoenen / @mcavoj)
- Add groups to security policy scope (Iteration 1) (&14149 - closed) (@alan / @arfedoro)
- Prevent branch modification when a policy disab... (&13776 - closed) (@bauerdominic) [TBD, as the feature from group::source code was not yet enabled]
To start planning and breakdown
- Scheduled pipeline execution policies (Experiment) (&14147 - closed)
- Improve compatibility between security policies... (&14119)
- Enforce scan execution in spite of "disabled Gi... (&14057)
- Scan Execution Policy Templates (&11919 - closed)
type::feature / type::maintenance backend focus
- Use security policy read model for approval_rules (#464034 - closed) • Sashi Kumar Kumaresan • 17.7 • At risk (Deliverable)
- Add migration to sync policies to read model (#464033 - closed) • Andy Schoenen, Sashi Kumar Kumaresan • 17.7 • Needs attention (Deliverable)
- Consider multiple pipelines for license approva... (#455760 - closed) • Andy Schoenen • 17.5 • On track (Deliverable)
- Support suffix for jobs with name collisions in... (#473189 - closed) • Sashi Kumar Kumaresan • 17.4 • On track (Deliverable)
- Tests scheduled Scan Execution Policies for 10k... (#472802 - closed) • Alan (Maciej) Paruszewski • 18.4 • On track (Deliverable)
- Add service to create and sync policy YAML into... (#416262 - closed) • Andy Schoenen • 17.5 • At risk (Deliverable)
- Ignore invalid project CI with pipeline executi... (#471726 - closed) • Marcos Rocha • 17.4 • On track (Deliverable)
- [Spike] use CI Job source for uniqueness on con... (#474112 - closed) • Martin Cavoj • 17.4 • On track (Deliverable)
- Compliance handling of `needs` statements in pi... (#469256 - closed) • Marcos Rocha • 17.7 • At risk (Deliverable)
- Include comparison pipelines for error cases (#467411 - closed) • Sashi Kumar Kumaresan • 17.5 • On track (Deliverable)
- Add `ScanPipelineService` execution duration hi... (#472191 - closed) • Marcos Rocha • 17.4 (Stretch)
- Drop namespace_settings columns related to secu... (#477283 - closed) • Martin Cavoj • 17.5 (Stretch)
- Reduce timeseries data cardinality when calling... (#475027 - closed) • Andy Schoenen • 17.4 (Stretch)
- Remove unused columns from security_policies table (#474079 - closed) • Sashi Kumar Kumaresan • 17.4 (Stretch)
- Spike: Prepare PoC to introduce scheduled Pipel... (#472671 - closed) • Andy Schoenen • 17.6 (Stretch)
- Add deprecation warning for `custom` Scan execu... (#477730 - closed) • Dominic Bauer • 17.4 (Stretch)
- Spike: Store analyzers results metadata to allo... (#471978 - closed) • Martin Cavoj • 17.7 • At risk (Stretch)
- Add `fail_open` usage metrics (#462372 - closed) • Alan (Maciej) Paruszewski • 17.3 (Stretch)
- Spike: Cells - Investigate and separate importe... (#441078 - closed) • Marcos Rocha • 17.4 (Stretch)
- Use bot avatar for security_policy_bot users (#421386 - closed) • Sashi Kumar Kumaresan • 17.3 (Stretch)
type::feature / type::maintenance frontend focus
- priority::4 / severity::4 [Exploration] Security policy approval descript... (#439831) • Martin Cavoj • Backlog • On track (Deliverable)
- [Frontend] Add group scope option for policy list (#470060 - closed) • Artur Fedorov • 17.4 • At risk (Deliverable)
- Add edit/delete button in policy list (#474839 - closed) • Alexander Turinske • 17.4 • On track (Deliverable)
- [Frontend] Add group/subgroup option in policy ... (#470059 - closed) • Artur Fedorov • 17.4 • On track (Deliverable)
- [Frontend] Add group scope option to a policy d... (#478426 - closed) • Artur Fedorov • 17.4
- FE: Prevent changes in group-level protected br... (#435725 - closed) • Alexander Turinske • 17.6 (Stretch)
- [Frontend integration] Add integration tests fo... (#470054 - closed) • Artur Fedorov • 17.5 (Stretch)
- Follow-up from "Fix initial user selection afte... (#479394 - closed) • Unassigned • 17.4
type::bug backend focus
- priority::3 / severity::3 Auto-merge not appearing for Developer role dur... (#468483 - closed) • Martin Cavoj • 17.4 • On track (Deliverable)
- priority::3 / severity::3 Allow pipeline execution yaml files to be read ... (#469439 - closed) • Marcos Rocha • 17.5 (Deliverable)
- priority::4 / severity::3 Disable default branch for MR policy if default... (#444676) • Unassigned • Backlog • On track (Deliverable)
- priority::4 / severity::3 Require expression in commit messages regular e... (#463064 - closed) • Dominic Bauer • 17.4 (Stretch)
- priority::4 / severity::4 Move associated records of security policy bots... (#476248 - closed) • Andy Schoenen • 18.1 (Stretch)
- Auto disable "Pipeline Must Succeed" Setting fo... (#478084 - closed) • Andy Schoenen • 17.4 • On track (Deliverable)
- MR approval policies don't require approvals fo... (#477520 - closed) • Marcos Rocha • 17.4 (Stretch)
type::bug frontend focus
- priority::2 / severity::3 Move creation of security policy project to bac... (#464329 - closed) • Alexander Turinske • 17.5 • Needs attention (Deliverable)
- priority::3 / severity::3 For scan execution policies, when linking a pro... (#451320 - closed) • Alexander Turinske • 17.5 • On track (Deliverable)
- priority::4 / severity::4 UX bug: Move the delete button to the right of ... (#417440 - closed) • Sascha Eggenberger • 17.6 • At risk (Deliverable)
- priority::4 / severity::4 Broken policy editor schema validation as `$ref... (#475260 - closed) • Alexander Turinske • 18.1 (Stretch)
- priority::4 / severity::4 Security Policy yaml validation does not work w... (#461252 - closed) • Alexander Turinske • 17.5 • At risk (Stretch)
- priority::4 / severity::4 Bug: selected users are not shown in MR policy (#474645 - closed) • Artur Fedorov • 17.4
- priority::4 / severity::4 Scan execution policy: update customized variab... (#464715 - closed) • Artur Fedorov • 17.4
Extra
- Kanban board with additional, more minor maintenance issues and bugs (prioritized from top to bottom)
- Group priorities list
Metrics
Release post items
Release post items related to current work in the format Epic | Release post | Milestone.
TBD