Deprecation issue: Limit number of scan execution policy actions allowed per policy
GitLab customers with an active subscriptions can reach out to GitLab Support when encountering unexpected problems with this change.
Deprecation Summary
New limits have been added for maximum scan execution policy actions allowed per policy. This was introduced in Add maximum SEP `action` count application sett... (#472213 - closed) behind a feature flag. When the setting is enabled, only the first 10 actions of a scan execution policy are processed.
Adding limits ensures performance and scalability for security policies. If additional actions are needed, users can create separate new scan execution policies with additional actions, within the limit of 5 scan execution policies per security policy project.
For Self-managed and Dedicated users, you can configure a custom limit on self-managed instances with the scan_execution_policies_action_limit application setting. The setting will default to 0 but we recommend a limit of 10 actions.
Documentation
- Deprecation notice: !176565 (merged)
- Migration guidelines: N/A
- etc.
Product Usage
Describe why deprecation of this feature is necessary, ideally with dashboards/metrics that show product usage. add links to the documentation
Breaking Change?
Yes. This change adds new limits to existing features.
Affected Customers
-
GitLab.com -
Self-managed -
Dedicated
Deprecation Milestone
17.8
Planned Removal Milestone
18.0
Links
Checklists
Timeline
Limits will be imposed starting in 18.0.
Rollout Plan
We will enable two feature flags by default during 18.0, enabling the limits for policies created at the group or project level:
- [Feature flag] Rollout of `scan_execution_polic... (#468462 - closed)
- [Feature flag] Rollout of `scan_execution_polic... (#468918 - closed)
Users who require more than 10 actions in a given scan execution policy may create additional policies and separate those actions into multiple policies.
DRIs:
-
Engineers: @bauerdominic - Engineering Manager: @alan
-
Describe rollout plans on GitLab.com -
_Link to [a feature flag rollout issue](https://gitlab.com/gitlab-org/gitlab/-/blob/master/.gitlab/issue_templates/Feature%20Flag%20Roll%20Out.md[a feature flag rollout issue](https://gitlab.com/gitlab-org/gitlab/-/blob/master/.gitlab/issue_templates/Feature%20Flag%20Roll%20Out.md that covers: -
Expected release date on GitLab.com and GitLab version -
Rollout timelines, such as a percentage rollout on GitLab.com -
Creation of any clean-up issues, such as code removal
-
-
-
Determine how to migrate users still using the existing functionality -
Document ways to migrate with the tooling available -- @bauerdominic FYI - we need to document the path here. -
Automate any users who have not yet migrated, but ensure it's a two-way door decision - note: Limits are a one-way door decision unfortunately and help protect performance/infrastructure impacts.
Communication Plan
DRIs:
- Product Manager: @g.hickman
Add links to the relevant merge requests.
- As soon as possible, but no later than the third milestone preceding the major release (for example, given the following release schedule:
17.8, 17.9, 17.10, 17.11, 18.0–17.9is the third milestone preceding the major release):-
A deprecation announcement entry has been created so the deprecation will appear in release posts and on the general deprecation page. -
MR started here: !176565 (merged).
-
-
Documentation has been updated to mark the feature asdeprecated-
Feature itself is not deprecated. Only new limits have been added.
-
-
- On the major milestone:
-
The deprecated item has been removed. -
If the removal of the deprecated item is a breaking change, the merge request is labeled breaking change. -
Document the migration plan for users, clearly outlining the actions they need to take to mitigate the impact of the breaking change.
-
Development
DRIs:
-
Engineers: @engineer(s)- Engineering Manager: @alan
-
Measure usage of the impacted product feature -
Evaluate metrics across GitLab.com, Self-Managed, Dedicated -
add issue link -
list any metrics and/or dashboards
-
-
Create tooling for customers to manually migrate their data or workflows -
add issue link
-
-
Build mechanism for users to manually enable the breaking change ahead of time -
add issue link
-
-
Automate the migration for those who do not take any manual steps (ensure the automation can be reverted) -
add issue link
-
-
Develop rollout plan of breaking change on GitLab.com -
add feature flag rollout issue
-
-
Dogfood the changes on GitLab.com or a Self-Managed test instance -
add issue link
-
-
(Optional) Create UI controls for instance admins to disable the breaking change, providing flexibility to Self-Managed / Dedicated customers. Optional as this depends on the breaking change. -
add issue link
-
Approvals
-
Product Manager @PM -
Engineering Manager @EM -
Senior Engineering Manager / Director @senior-eng-leader -
Group / Director of Product Management @senior-product-leader
Mentions (as applicable)
-
Product Designer @ProductDesigner -
Tech Writer @TW -
Software Engineering in Test @SET -
Any other stable counterparts based on the product categories: -
Add Sales/CS counterpart or mention @timtams -
Add Support counterpart or mention @gitlab-com/support/managers -
Add Marketing counterpart or mention @cfoster3
-
Labels
-
This issue is labeled deprecation, and with the relevant ~devops::,~group::, and~Category:labels. -
This issue is labeled breaking change if the removal of the deprecated item will be a breaking change.