
Govern: Security Policies 17.5 Planning Issue

Previous planning issue: Govern: Security Policies 17.4 Planning Issue (#478166 - closed)

Narrative

In %17.4, our team was working on delivering Add groups to security policy scope (Iteration 1) (&14149 - closed), Support suffix for jobs with name collisions in... (#473189 - closed) and Allow pipeline execution yaml files to be read ... (#469439 - closed).

Unfortunately, all three had to be postponed as related feature flags were not enabled by default before 2024-09-11: Hard Production Change Lock for Sep... (gitlab-com/gl-infra/production#18551 - closed). Thank you, everyone, for your work in trying to include it in this release! 🎉

Before %17.5, we worked with Grant on a small reprioritization based on the design and requirement readiness of the anticipated epics. You can see the results of that work at Update priorities for Security Policies before ... (gitlab-com/www-gitlab-com!136231 - merged).

In this milestone, we aim to:

At the same time, we need to prepare implementation issues for work planned for future milestones:

Additionally, in every release, we aim to continue solving bugs to improve the user experience of our Security Policy features and ensure that they work correctly. Our customers are showing increasing interest in using our features, so it's essential to ensure that Scan Execution and Merge Request Approval Policies are functioning as expected.

Spikes

TBD

Priorities

To release

To finalize and close

Use database read model for merge request appr... (&9971 - closed)

DRI: @sashi_kumar

In %17.5, we want to release work related to read-model epic: deliver all services, models, and migrations and enable the feature flag by default. We will leave the feature flag for the following 2-3 milestones to observe this feature's impact on our overall performance.

Manage scheduled scan execution pipeline concur... (&13997 - closed)

DRI: @mc_rocha / @aturinske

In %17.5, we want to finalize the first iteration by delivering the Add dynamic concurrency limit for create pipeli... (!162339 - merged) and enabling the feature flag by default. Then we will wait for Scheduled pipeline execution policies (&14147), as we want to introduce similar configuration options to specify a time window when pipelines created from scheduled Scan Execution Policies will be evenly distributed (similar to previously introduced and reverted Distribute scheduled pipelines from Scan Execut... (!145993 - merged)).

To start/continue working on

Compliance handling of `needs` statements in pi... (#469256 - closed)

Target release: %17.6

DRI: @Andyschoenen

In %17.5, we want to deliver the changes needed to ensure that jobs enforced by Pipeline Execution Policies run in the proper order, preventing users from running jobs before the reserved stage when an empty `needs:` statement is used. We want to deliver the required changes, which might require collaboration with the Verify stage. While we would love to deliver this in %17.5, our aim is to enable the related feature flag by default and release it in %17.6.

Scheduled pipeline execution policies (&14147)

Target release: %17.9

DRI: @Andyschoenen / @aturinske

In %17.4, we have already started working on a PoC (Add pipeline execution policy schedule run (!162554 - closed)), where we are collaborating to agree on the policy schema and the limitations required to prevent performance issues. In %17.5, we want to continue this discussion and deliver changes behind the feature flag, then prepare the implementation issues needed to deliver all aspects of the feature.

Enforce Custom Stages in Pipeline Execution Pol... (#475152 - closed)

Target release: %17.7

DRI: @mcavoj

Thanks to suggestions from @mcavoj and feedback received from customers, we have decided to start working on this Epic earlier than we initially wanted. In %17.5, we want to initiate discussions related to this Epic, as we first need to collaborate with devopsverify on the schema for this new property. Most probably our work in this milestone will be limited to this, perhaps followed by a PoC to verify our decisions.

Improve compatibility between security policies... (&14119)

DRI: @mcavoj

Target release: %17.6

In %17.5, we want to focus on two items. First, delivering changes to improve alignment between Merge Request Approval Policies and Scan Execution Policies, so that approval is not required when scan results are missing but the scan was enforced by an active Scan Execution Policy. Second, we want to investigate how we could improve compatibility between analyzers and policies by introducing a mechanism for them to communicate, in the scope of Spike: Store analyzers results metadata to allo... (#471978 - closed). After this, we will decide with @g.hickman what our next steps should be.

Support multiple distinct approval actions in m... (&12319 - closed)

DRI: @sashi_kumar / @arfedoro

Target release: %17.7

As the work related to Use database read model for merge request appr... (&9971 - closed) is nearly finished and should not block work associated with this one, we can start working on this feature. Since no new schema is needed to support it, we can start with frontend changes behind the feature flag, which we plan to deliver in this milestone, and initiate the backend work.

To start planning and breakdown


typefeature / typemaintenance backend focus

typefeature / typemaintenance frontend focus

typebug backend focus

typebug frontend focus


Say/Do

Please check the tasks that you are confident you will be able to deliver within the next milestone. When you see a risk in delivering something, please write a comment in this planning issue or in the related Epic/Issue raising the risk. We will use this to help us communicate better when something might slip and to improve our predictability. Thanks! 🙇

@arfedoro (Planned: 13)

@sashi_kumar (Planned: 7)

@mcavoj (Planned: 5)

@alan

@aturinske (Planned: 6)

@Andyschoenen (Planned: ?)

@mc_rocha (Planned: 5)

@bauerdominic (Planned: 0)


Extra

Metrics

Release post items

Release post items related to current work in the format Epic | Release post | Milestone.

| Epic | Release post | Milestone |
| --- | --- | --- |
| &14149 (closed) | gitlab-com/www-gitlab-com!135589 (merged) | %17.5 |
| &13997 (closed) | gitlab-com/www-gitlab-com!135173 (merged) | %17.5 |
Edited by Andy Schoenen