Govern: Security Policies 17.6 Planning Issue
Previous planning issue: Govern: Security Policies 17.5 Planning Issue (#488661 - closed)
Narrative
In %17.5, our team was working on finalizing work related to Use database read model for merge request appr... (&9971 - closed) and Manage scheduled scan execution pipeline concur... (&13997 - closed), improvements to the Pipeline Execution Policies (Compliance handling of `needs` statements in pi... (#469256 - closed), Scheduled pipeline execution policies (&14147), and Enforce Custom Stages in Pipeline Execution Pol... (#475152 - closed)), and work related to Improve compatibility between security policies... (&14119) and Support multiple distinct approval actions in m... (&12319 - closed). We made progress on many of these deliverables; however, we need to continue the work to deliver them in this and the next milestone.
For the upcoming milestone, our focus will be on the following key tasks:
- apply required changes to Manage scheduled scan execution pipeline concur... (&13997 - closed) and enable it by default,
- continue working on improvements to Pipeline Execution Policies: Compliance handling of `needs` statements in pi... (#469256 - closed), Scheduled pipeline execution policies (&14147) and Enforce Custom Stages in Pipeline Execution Pol... (#475152 - closed),
- continue working on Improve compatibility between security policies... (&14119),
- continue working on Support multiple distinct approval actions in m... (&12319 - closed)
At the same time, we need to prepare for implementation issues related to work planned for future milestones:
- Support custom roles in merge request approval ... (&13550 - closed)
- Exclude packages from Merge Request Approval Po... (&10203 - closed)
- Scan Execution Policy Templates (&11919 - closed)
In every release, we aim to address bugs and fine-tune Security Policy features for an improved user experience. With customers' growing interest in utilizing these features, it is vital that Scan Execution and Merge Request Approval Policies function effectively to ensure we can scale and meet customer demands. Let's work together to achieve this!
Priorities
To release
- Manage scheduled scan execution pipeline concur... (&13997 - closed)
- Use database read model for merge request appr... (&9971 - closed)
To finalize and close
Use database read model for merge request appr... (&9971 - closed)
DRI: @sashi_kumar
In %17.6, we want to finally close the work related to the read-model epic and ensure it is working as expected and not impacting infrastructure. We will keep the feature flag for the following 2-3 milestones to observe this feature's impact on our overall performance, and in %18.0 we will schedule additional cleanup.
Tasks:
- Use security policy read model for approval_rules (#464034 - closed) • Sashi Kumar Kumaresan • 17.7 • At risk
- Add migration to sync policies to read model (#464033 - closed) • Andy Schoenen, Sashi Kumar Kumaresan • 17.7 • Needs attention
- Add service to create and sync policy YAML into... (#416262 - closed) • Andy Schoenen • 17.5 • At risk
- [Feature flag] Rollout of `security_policies_sy... (#454828 - closed) • Sashi Kumar Kumaresan • 17.6 • On track
- [Feature flag] Rollout of `security_policies_sync` (#446102 - closed) • Sashi Kumar Kumaresan • 17.6 • On track
- [Feature flag] Rollout of `use_approval_policy_... (#474468 - closed) • Sashi Kumar Kumaresan • 18.1
Manage scheduled scan execution pipeline concur... (&13997 - closed)
DRI: @mc_rocha (looking for volunteer as Marcos is OOO currently) / @aturinske
In %17.5 we merged all related MRs. However, we still need to enable the feature flags to deliver the first iteration. In %17.6, we want to provide documentation changes, slightly modify the proposed solution to use a concurrency limit bound to the top-level group, and enable the related feature flags.
Tasks:
Compliance handling of `needs` statements in pi... (#469256 - closed)
Target release: %17.6
DRI: @Andyschoenen
In %17.6, we want to continue the work from the last milestone and deliver the changes needed to ensure that jobs enforced by Pipeline Execution Policies run in the proper order, preventing users from running jobs before the reserved stage when an empty `needs:` statement is used.
To start/continue working on
Scheduled pipeline execution policies (&14147)
Target release: %17.9
DRI: @Andyschoenen / @aturinske
In %17.5, we continued our work on the PoC (Add pipeline execution policy schedule run (!162554 - closed)), and we agreed on the policy schema and the planned limitations. In %17.6, we need to deliver the PoC behind a feature flag so that this feature can be validated with testers and selected customers.
Tasks:
Enforce Custom Stages in Pipeline Execution Pol... (#475152 - closed)
Target release: %17.7
DRI: @mcavoj
Thanks to suggestions from @mcavoj and feedback received from customers, we have decided to start working on this Epic earlier than we initially planned. Due to other deliverables, we had not started working on it in %17.5. Starting discussions around this feature early (especially with the devopsverify team) is crucial to successful delivery, so we need to begin now.
Tasks:
- Enforce Custom Stages in Pipeline Execution Pol... (#475152 - closed) • Andy Schoenen • 17.9 • At risk
- prepare further implementation issues if needed
Improve compatibility between security policies... (&14119)
DRI: @mcavoj
Target release: none. After the discussion with @g.hickman, this does not have a target milestone; we will be doing multiple smaller experiments to see how this is helpful for customers.
In %17.6, we want to continue delivery of two items we started in %17.5. First, providing changes to improve alignment between Merge Request Approval Policies and Scan Execution Policies, so that approval is not required when scan results are missing but the scan was enforced by an active Scan Execution Policy. Additionally, we want to investigate how we could improve compatibility between analyzers and policies by introducing a mechanism for them to communicate, in the scope of Spike: Store analyzers results metadata to allo... (#471978 - closed). After this, we will decide with @g.hickman what our next steps will be. This Epic requires engineers' creativity and will consist of smaller items that we will be improving every milestone. As it is unclear how we want to achieve it, we will strive to enhance how policies are evaluated to help with adoption of this feature.
Tasks:
Support multiple distinct approval actions in m... (&12319 - closed)
DRI: @sashi_kumar / @arfedoro
Target release: %17.7
We already started working on this in the last milestone, with great additions on the backend side prepared by @arfedoro. We want to continue this work and start delivering both the backend and the frontend so it can be tested first.
Tasks:
To start planning and breakdown
- Support custom roles in merge request approval ... (&13550 - closed)
- Exclude packages from Merge Request Approval Po... (&10203 - closed)
- Scan Execution Policy Templates (&11919 - closed)
Say/Do
Please check the tasks that you are confident you will be able to deliver within the next milestone. When you see a risk in delivering something, please write a comment in this planning issue or in the related Epic/Issue raising the risk. We will use this to help us better communicate when something might slip and to improve our predictability. Thanks!
@arfedoro
- BE: Update graphql API to include approvers fro... (#493744 - closed) • Artur Fedorov • 17.6 • At risk (Deliverable)
- BE: Allow for multiple require approval actions... (#490097 - closed) • Artur Fedorov • 17.6 • At risk (Deliverable)
- Fix spec/frontend/users/profile/actions/compone... (#499981 - closed) • Artur Fedorov • 17.6 (Stretch)
- Fix ee/spec/frontend/security_orchestration/com... (#499961 - closed) • Artur Fedorov • 17.6 (Stretch)
- Fix ee/spec/frontend/security_configuration/das... (#499941 - closed) • Artur Fedorov • 17.6 (Stretch)
- SPIKE: Update yaml in policy drawer/editor to m... (#497402 - closed) • Artur Fedorov • 17.7 (Stretch)
- FE: Update policy drawer to include information... (#490099 - closed) • Artur Fedorov • 17.6 (Stretch)
- FE: Allow users to specify more than one requir... (#490098 - closed) • Artur Fedorov • 17.6 (Stretch)
- [Feature flag] Clean up of policy_group_scope_p... (#488381 - closed) • Artur Fedorov • 17.6 (feature flag)
- Improve "New policy" title in breadcrumb (#480243 - closed) • Artur Fedorov • 17.6 (Stretch)
- [Frontend] Improve from yaml validation (#470868 - closed) • Artur Fedorov • Backlog (Stretch)
- Fix spec/frontend/ci/job_details/components/sid... (#500183 - closed) • Artur Fedorov • 17.6 (Stretch)
- [Feature flag] Clean up 'policy_group_scope' (#470053 - closed) • Artur Fedorov • 17.6 (feature flag)
- Disable add new action for scan execution policy (#500072 - closed) • Artur Fedorov • 17.6 (Stretch)
Delivered extra:
- Prevent decomposeApprovers from adding empty ap... (#504056 - closed) • Artur Fedorov • 17.6
- Remove legacy scan_result_approvers from securi... (#503425 - closed) • Artur Fedorov • 17.7
- Replace scanResultPolicyApprovers with actionAp... (#503410 - closed) • Artur Fedorov • 17.7
- Remove stepper in policy editor (#502205 - closed) • Artur Fedorov • 17.6
- Misleading 100 project limit when applying secu... (#501456 - closed) • Artur Fedorov • 17.6
@sashi_kumar
- Security::ProcessScanResultPolicyWorker exceeds... (#490900 - closed) • Sashi Kumar Kumaresan • 17.6 (Deliverable)
- Use security policy read model for approval_rules (#464034 - closed) • Sashi Kumar Kumaresan • 17.7 • At risk (Deliverable)
- Sync security policy for a project when complia... (#499432 - closed) • Sashi Kumar Kumaresan • 17.9 • At risk (Deliverable)
- gitlab-org/gitlab#499633+s (Deliverable)
- [Feature flag] Rollout of `security_policies_sync` (#446102 - closed) • Sashi Kumar Kumaresan • 17.6 • On track (feature flag)
- Security policy approvals do not update when pi... (#483103 - closed) • Andy Schoenen • 17.7 (Stretch)
- [Feature flag] Rollout of `use_approval_policy_... (#474468 - closed) • Sashi Kumar Kumaresan • 18.1 (feature flag)
- [Feature flag] Rollout of `security_policies_sy... (#454828 - closed) • Sashi Kumar Kumaresan • 17.6 • On track (feature flag)
@alan
- Audit status check response updates (#413535 - closed) • Imam Hossain • 18.3 (Stretch)
- Metric - Understand how security policy links a... (#495693 - closed) • Alan (Maciej) Paruszewski • 17.9 (Stretch)
- Pipeline execution policies with compliance fra... (#492552 - closed) • Alan (Maciej) Paruszewski • 17.6 (Stretch)
- Metric - usage of scan execution policy (#480257 - closed) • Alan (Maciej) Paruszewski • 17.6 (Stretch)
- Add more examples for how to use variables in p... (#479392 - closed) • Alan (Maciej) Paruszewski • 17.6 (Stretch)
@aturinske
- FE: Prevent changes in group-level protected br... (#435725 - closed) • Alexander Turinske • 17.6 (Deliverable)
- Add group exceptions to the policy drawer (#500952 - closed) • Alexander Turinske • 17.6 (Deliverable)
- [Feature flag] Rollout of `scan_result_policy_b... (#437306 - closed) • Alexander Turinske, Dominic Bauer • 17.6 (Deliverable)
- FE: Add policy comparison tuning into policy dr... (#501189 - closed) • Alexander Turinske • 17.6 • Needs attention (Deliverable)
- Add link to pipeline execution policy file (#478602 - closed) • Alexander Turinske • 17.6 • At risk (Deliverable)
- Improve "New policy" title (#479966 - closed) • Alexander Turinske • 17.6 (Stretch)
- Merge request approval policy with block_branch... (#494948) • Alexander Turinske • 18.6 (Stretch)
- Merge request policy drawer summary displays HT... (#491075 - closed) • Alexander Turinske • 17.10 (Stretch)
- Refactor policy editor errors (#486021) • Unassigned • Backlog (Stretch)
- Add color coding the yaml preview and change fo... (#482913 - closed) • Unassigned • 17.11 (Stretch)
- Feature Request: Merge request approval - `remo... (#482638 - closed) • Alexander Turinske • 17.7 (Stretch)
- Yaml preview does not preview yaml (#478628 - closed) • Artur Fedorov • 17.7 (Stretch)
- Create new section in merge request approval po... (#498349 - closed) • Alexander Turinske • 18.0 (Stretch)
- Partially disable rule mode on parsing error fo... (#428693 - closed) • Alexander Turinske • 17.6 (Stretch)
- Follow-up use errors instead of errorMessage fo... (#495518 - closed) • Alexander Turinske • 17.7 (Stretch)
@mc_rocha
- Remove software_licenses table (#497969) • Marcos Rocha • 18.6 • At risk (Deliverable)
- Add sharding key to software_licenses table (#480578 - closed) • Marcos Rocha • 17.7 • At risk (Deliverable)
- Add performance metrics for Scan Execution Poli... (#479218 - closed) • Andy Schoenen • 17.6 • At risk (Deliverable)
- Migrate custom licenses to the new table. (#478520 - closed) • Unassigned • 17.11 • At risk (Deliverable)
- Update scan execution policy scheduled pipeline... (#467560 - closed) • Marcos Rocha • 17.6 • At risk (Deliverable)
- Spike: Prepare PoC of backend to allow excludin... (#494722 - closed) • Marcos Rocha • 17.9 (Stretch)
- [Feature flag] Enable scan_execution_pipeline_w... (#451890 - closed) • Marcos Rocha • 17.7 (feature flag)
- [Feature flag] Enable custom_software_license (#465358 - closed) • Marcos Rocha • 18.0 (feature flag)
- [Feature flag] Enable scan_execution_pipeline_c... (#463802 - closed) • Marcos Rocha • 17.9 (feature flag)
@mcavoj
- Account for configured Scan Execution Policies ... (#490092 - closed) • Marcos Rocha • 17.6 • Needs attention (Deliverable)
- Enforce Custom Stages in Pipeline Execution Pol... (#475152 - closed) • Andy Schoenen • 17.9 • At risk (Deliverable)
- Security Policy: Any fallback_behavior should a... (#474853 - closed) • Sashi Kumar Kumaresan • 17.6 • At risk (Deliverable)
- Spike: Store analyzers results metadata to allo... (#471978 - closed) • Martin Cavoj • 17.7 • At risk (Deliverable)
- Follow-up from "Add suffix configuration option... (#481987 - closed) • Unassigned • Backlog (Stretch)
- [Exploration] Security policy approval descript... (#439831) • Martin Cavoj • Backlog • On track (Stretch)
@Andyschoenen
- Spike: Prepare PoC to introduce scheduled Pipel... (#472671 - closed) • Andy Schoenen • 17.6 (Deliverable)
- Compliance handling of `needs` statements in pi... (#469256 - closed) • Marcos Rocha • 17.7 • At risk (Deliverable)
- Add migration to sync policies to read model (#464033 - closed) • Andy Schoenen, Sashi Kumar Kumaresan • 17.7 • Needs attention (Deliverable)
- Block and respond with an error `Project cannot... (#482967 - closed) • Marcos Rocha • 17.8 (Stretch)
- Override [ci skip] for scan execution policies (#482952 - closed) • Marcos Rocha • 17.9 (Stretch)
- BUG: Scan and Pipeline Execution Policies do no... (#482863 - closed) • Andy Schoenen, Alan (Maciej) Paruszewski • 17.10 (Stretch)
Extra
- Kanban board with additional minor maintenance issues and bugs (prioritized from top to bottom)
- Group Priorities List
Metrics
Release post items
Release post items related to current work in the format Epic | Release post | Milestone.