Security Risk Management: Security Policies 17.7 Planning Issue
Previous planning issue: Govern: Security Policies 17.6 Planning Issue (#499231 - closed)
Narrative
In %17.6, our team focused on completing tasks associated with &9971 (closed) and &13997 (closed), enhancing the Pipeline Execution Policies (#469256 (closed), &14147, and #475152 (closed)), as well as work tied to &14119 and &12319 (closed). We made progress on several of these deliverables. Most importantly, we finalized and released the following: &13997 (closed) and &13776 (closed)! Great work team!
Regarding the other planned items, some demanded more effort than we initially expected, particularly the work concerning Pipeline Execution Policies, which involves collaboration with the Verify team. Nevertheless, we must continue our efforts to accomplish this in the current milestone.
For the upcoming milestone, our focus will be on the following key tasks:
- continue working on improvements to Pipeline Execution Policies: Compliance handling of `needs` statements in pi... (#469256 - closed), Scheduled pipeline execution policies (&14147) and Enforce Custom Stages in Pipeline Execution Pol... (#475152 - closed)
- continue working on Improve compatibility between security policies... (&14119)
- continue working on Support multiple distinct approval actions in m... (&12319 - closed)
We also need to start working on implementation issues related to work planned for future milestones:
- Support custom roles in merge request approval ... (&13550 - closed)
- Exclude packages from Merge Request Approval Po... (&10203 - closed)
- Scan Execution Policy Templates (&11919 - closed)
In each release, we strive to fix bugs and refine the Security Policy features to enhance user experience. As customer interest in these features increases, it becomes crucial for the Scan Execution and Merge Request Approval Policies to operate effectively, allowing us to scale and meet the demands of our customers. Let's collaborate to make this happen!
Priorities
To release
- Use database read model for merge request appr... (&9971 - closed)
- Compliance handling of `needs` statements in pi... (#469256 - closed)
- Enforce Custom Stages in Pipeline Execution Pol... (#475152 - closed)
- Support multiple distinct approval actions in m... (&12319 - closed)
- MR Approval Policies Warn Mode (&15552)
- Support custom roles in merge request approval ... (&13550 - closed)
To finalize and close
Use database read model for merge request appr... (&9971 - closed)
Target release: %17.7
DRI: @sashi_kumar
In %17.6, we came very close to finalizing it. However, %17.7 is where we aim to complete the work related to the read-model epic, ensuring it functions as intended without affecting the infrastructure. We will retain the feature flag for the next 2-3 milestones to monitor its impact on overall performance, and in %18.0, we will plan for further cleanup.
Tasks:
- Use security policy read model for approval_rules (#464034 - closed) • Sashi Kumar Kumaresan • 17.7 • At risk
- [Feature flag] Rollout of `use_approval_policy_... (#474468 - closed) • Sashi Kumar Kumaresan • 18.1
- Sync security policy for a project when complia... (#499432 - closed) • Sashi Kumar Kumaresan • 17.9 • At risk
Compliance handling of `needs` statements in pi... (#469256 - closed)
Target release: %17.7
DRI: @Andyschoenen
In %17.6, we released the needed changes, although we could not start enabling the feature flag. In %17.7, we want to carefully enable it and verify customers' use cases to ensure this change will not break their workflows, then enable it by default, leaving the feature flag in place for some time to observe the impact.
To start/continue working on
Scheduled pipeline execution policies (&14147)
Target release: %17.9
DRI: @Andyschoenen / @aturinske
In %17.6, we continued working on the PoC (Add pipeline execution policy schedule run (!162554 - closed)); our goal was to deliver it behind the feature flag to selected users. However, during the review with the Verify team, we decided on a different outcome for this PoC: a clear implementation plan for how this feature should address all identified problems. In %17.7, we want to start that.
Tasks:
- [backend] Add pipeline execution schedule polic... (#504088 - closed) • Andy Schoenen • 17.7 • At risk
- [backend] Add new CI pipeline source for pipeli... (#504091 - closed) • Marcos Rocha • 17.9 • At risk
- [backend] Add pipeline execution schedule backg... (#504092 - closed) • Dominic Bauer • 17.9 • At risk
Enforce Custom Stages in Pipeline Execution Pol... (#475152 - closed)
Target release: %17.7
DRI: @mcavoj
We had a great start, with changes prepared early in the previous milestone. However, after a thorough discussion with Verify, we decided to solve the identified bugs first before delivering this improvement, and to validate with customers whether we need it.
- Tasks:
Improve compatibility between security policies... (&14119)
DRI: @mcavoj
Target release: --- After the discussion with @g.hickman, this does not have a target milestone; we will be doing multiple smaller experiments to see how this helps customers.
In %17.6, we want to continue delivery of two items we started in %17.5: first, providing changes to improve alignment between Merge Request Approval Policies and Scan Execution Policies, so that approval is not required when scan results are missing but the scan was enforced by an active Scan Execution Policy. Additionally, we want to investigate how we could improve compatibility between analyzers and policies by introducing a mechanism for them to communicate, in the scope of Spike: Store analyzers results metadata to allo... (#471978 - closed). After this, we will decide with @g.hickman what our next steps will be. This Epic requires engineers' creativity and will consist of smaller items that we will improve every milestone. As it is unclear how we want to achieve it, we will strive to enhance how policies are evaluated to help with adoption of this feature.
- Tasks:
Support multiple distinct approval actions in m... (&12319 - closed)
DRI: @sashi_kumar / @arfedoro
Target release: %17.7
We continued the amazing work on both frontend and backend initiated by @arfedoro. In this milestone, we will focus fully on the backend and release the feature for customers.
MR Approval Policies Warn Mode (&15552)
DRI: @aturinske / @alan
Target release: %17.7
In the last milestone, we discussed with UX and PM how to solve this problem for customers. We now have a good answer, and we can start working on this initiative, which should help customers reduce the amount of work needed to begin using policies. We would like to deliver this Epic in this milestone.
- Tasks:
Support custom roles in merge request approval ... (&13550 - closed)
DRI: @aturinske / @sashi_kumar
Target release: %17.7
We want to allow users to use Custom Roles as an addition to our list of available Approvers, to help them better manage who can approve code in selected MRs. We want to start working on that, with the goal of finalizing it within a single milestone.
- Tasks:
To start planning and breakdown
- Support custom roles in merge request approval ... (&13550 - closed)
- Exclude packages from Merge Request Approval Po... (&10203 - closed)
- Scan Execution Policy Templates (&11919 - closed)
Say/Do
Check tasks you believe you can complete by the next milestone. If you identify any risks in delivery, please leave a comment in this planning issue or in the related Epic/Issue to highlight the risk. This will aid us in communicating any potential delays and improve our predictability. Thank you!
@alan
- BE: Implement Backend Support for Basic Warn Mo... (#504941 - closed) • Alan (Maciej) Paruszewski • 17.10 • At risk (Deliverable)
- [backend] Link compliance frameworks with vulne... (#497820 - closed) • Alan (Maciej) Paruszewski • 17.7 • On track (Deliverable)
- Merge request approval policies continue to eva... (#499670 - closed) • Marcos Rocha • 17.8 (Stretch)
- Metric - Understand how security policy links a... (#495693 - closed) • Alan (Maciej) Paruszewski • 17.9 (Stretch)
@aturinske
- FE: Implement Basic Warn Mode UI for MR Approva... (#504940 - closed) • Alexander Turinske • 17.9 • Needs attention (Deliverable)
- Scan Execution Policy Scope misleading user int... (#501160 - closed) • Alexander Turinske • 17.7 • On track (Deliverable)
- [FE] Add custom roles to policy drawer (#505167 - closed) • Alexander Turinske, Sashi Kumar Kumaresan • 17.8 • At risk (Deliverable)
- [FE] Add custom roles selector to policy editor (#457800 - closed) • Alexander Turinske • 17.7 • On track (Deliverable)
- [Feature flag] Cleanup `scan_result_policy_bloc... (#503930 - closed) • Alexander Turinske • 17.7 (feature flag)
- Feature Request: Merge request approval - `remo... (#482638 - closed) • Alexander Turinske • 17.7 (Stretch)
- Update compliance framework tooltip to popover ... (#499456 - closed) • Alexander Turinske • 17.11 (Stretch)
- Follow-up use errors instead of errorMessage fo... (#495518 - closed) • Alexander Turinske • 17.7 (Stretch)
- Merge request approval policy with block_branch... (#494948) • Alexander Turinske • 18.6 (Stretch)
- Merge request policy drawer summary displays HT... (#491075 - closed) • Alexander Turinske • 17.10 (Stretch)
- Add color coding the yaml preview and change fo... (#482913 - closed) • Unassigned • 17.11 (Stretch)
- Enforce policy limits when policies are created... (#504409 - closed) • Unassigned • Backlog (Stretch)
- Consolidate apollo requests (#501683) • Unassigned • Backlog (Stretch)
- Update pipeline execution policy to not save wi... (#505363 - closed) • Alexander Turinske • 17.7 (Stretch)
@arfedoro
- [Frontend] Improve from yaml validation (#470868 - closed) • Artur Fedorov • Backlog (Stretch)
- Fix spec/frontend/vue_shared/components/source_... (#505371 - closed) • Artur Fedorov • 17.7
- [Frontend] Update policy drawer with licence al... (#499160 - closed) • Artur Fedorov • 17.8 (Stretch)
- [Frontend] Add modal with allowlist/denylist fi... (#499149 - closed) • Artur Fedorov • 17.8 (Stretch)
- [Frontend] Add allow list licence filter (#499147 - closed) • Artur Fedorov • 17.7 (Stretch)
- SPIKE: Update yaml in policy drawer/editor to m... (#497402 - closed) • Artur Fedorov • 17.7 (Stretch)
- Yaml preview does not preview yaml (#478628 - closed) • Artur Fedorov • 17.7 (Stretch)
- Fix spec/frontend/vue_shared/components/registr... (#504800 - closed) • Artur Fedorov • 17.7 (Stretch)
- [Frontend] Update existing approvers on yaml up... (#505388 - closed) • Artur Fedorov • 17.7
- [Feature flag] Add feature flag and hide add ac... (#505373 - closed) • Artur Fedorov • 17.7
- Add topLevelOnly argument for groups resolver (#504374 - closed) • Artur Fedorov • 17.7
- Add graphql query to block_group_branch_modifi... (#505519 - closed) • Artur Fedorov • 17.7
- [Backend] Add feature flag check to validation ... (#505549 - closed) • Artur Fedorov • 17.7
- [Backend]: Update ValidatePolicyService to hand... (#505808 - closed) • Artur Fedorov • 17.7
- [Frontend] Update action validation errors to h... (#507380 - closed) • Artur Fedorov • 17.7
- Role-selection dropdown improvement for MR appr... (#498903 - closed) • Artur Fedorov • 17.9
- Bug: visual font-weight shouldn't change (#507295 - closed) • Artur Fedorov • 17.8
@mcavoj
- Validate, accompany with enabling `policy_merga... (#504700 - closed) • Martin Cavoj • 17.11 • At risk (Deliverable)
- Job with custom stage not included in pipeline ... (#494431 - closed) • Andy Schoenen • 17.7 • On track (Deliverable)
- Enforce Custom Stages in Pipeline Execution Pol... (#475152 - closed) • Andy Schoenen • 17.9 • At risk (Deliverable)
- Spike: Store analyzers results metadata to allo... (#471978 - closed) • Martin Cavoj • 17.7 • At risk (Deliverable)
- Override [ci skip] for scan execution policies (#482952 - closed) • Marcos Rocha • 17.9 (Stretch)
- Merge request approval policies to override pro... (#478175 - closed) • Marcos Rocha • 17.8 (Stretch)
@Andyschoenen
- [backend] Add pipeline execution schedule backg... (#504092 - closed) • Dominic Bauer • 17.9 • At risk (Deliverable)
- [backend] Add new CI pipeline source for pipeli... (#504091 - closed) • Marcos Rocha • 17.9 • At risk (Deliverable)
- [backend] Add pipeline execution schedule polic... (#504088 - closed) • Andy Schoenen • 17.7 • At risk (Deliverable)
- Compliance handling of `needs` statements in pi... (#469256 - closed) • Marcos Rocha • 17.7 • At risk (Deliverable)
- [Feature flag] Rollout of `ensure_pipeline_poli... (#500652 - closed) • Andy Schoenen, Martin Cavoj • 17.10 (feature flag)
- BUG: Scan and Pipeline Execution Policies do no... (#482863 - closed) • Andy Schoenen, Alan (Maciej) Paruszewski • 17.10 (Stretch)
- [Feature flag] Enable `bulk_create_scan_result_... (#435958 - closed) • Andy Schoenen • 17.10 (feature flag)
@sashi_kumar
- [BE] Support custom roles in merge request appr... (#457796 - closed) • Sashi Kumar Kumaresan • 17.9 • At risk (Deliverable)
- BE: Create approval rules from multiple approve... (#502228 - closed) • Andy Schoenen • 17.7 • At risk (Deliverable)
- Sync security policy for a project when complia... (#499432 - closed) • Sashi Kumar Kumaresan • 17.9 • At risk (Deliverable)
- Merge Results and Security Policies: always det... (#496668 - closed) • Sashi Kumar Kumaresan • 17.9 • At risk (Deliverable)
- Use security policy read model for approval_rules (#464034 - closed) • Sashi Kumar Kumaresan • 17.7 • At risk (Deliverable)
- Resolution of MR compliance to approval_policy ... (#503327 - closed) • Sashi Kumar Kumaresan • 18.0 • At risk (Deliverable)
- Improve Security Policy evaluation for chained ... (#501445 - closed) • Sashi Kumar Kumaresan • 17.10 • At risk (Deliverable)
- Cleanup security_policies_sync_group and securi... (#501556 - closed) • Sashi Kumar Kumaresan • 17.7 (feature flag)
- Spike: Evaluate impact on approval rules create... (#490587) • Sashi Kumar Kumaresan • 18.7 (Stretch)
- Security policy approvals do not update when pi... (#483103 - closed) • Andy Schoenen • 17.7 (Stretch)
- [Feature flag] Rollout of `use_approval_policy_... (#474468 - closed) • Sashi Kumar Kumaresan • 18.1 (feature flag)
@mc_rocha
- Migrate custom licenses to the new table. (#478520 - closed) • Unassigned • 17.11 • At risk (Deliverable)
- Remove software_licenses table (#497969) • Marcos Rocha • 18.6 • At risk (Deliverable)
- Add sharding key to software_licenses table (#480578 - closed) • Marcos Rocha • 17.7 • At risk (Deliverable)
- [Feature flag] Enable custom_software_license (#465358 - closed) • Marcos Rocha • 18.0 (feature flag)
- [Feature flag] Enable scan_execution_pipeline_c... (#463802 - closed) • Marcos Rocha • 17.9 (feature flag)
- [Feature flag] Enable scan_execution_pipeline_w... (#451890 - closed) • Marcos Rocha • 17.7 (feature flag)
- [Feature flag] Enable static_licenses (#499430 - closed) • Marcos Rocha • 18.4 (feature flag)
- BE: Support component filtering options for Mer... (#424526 - closed) • Dominic Bauer • 17.11 • At risk (Stretch)
- Spike: Prepare PoC of backend to allow excludin... (#494722 - closed) • Marcos Rocha • 17.9 (Stretch)
- Preserve comments in the yaml when editing a se... (#469141 - closed) • Unassigned • Awaiting further demand (Stretch)
Extra
- Kanban Board with additional minor maintenance issues and bugs (prioritized from top to bottom)
- Group Priorities List
Metrics
Release post items
Release post items related to current work in the format Epic | Release post | Milestone.