Announce breaking change: set CS_SEVERITY_THRESHOLD default value to medium

A written process alone is unlikely to be sufficient to navigate through the complexity of how customers use GitLab. Please use this template as guidance with steps to take when deprecating GitLab functionality, but not as an exhaustive list designed to generate positive outcomes every time. Deprecations are often nuanced in their impact and the approach needed may not be fully covered in this template. Each team must be accountable for their deprecation, weighing the positives and negatives to ensure we prioritize results for customers.

⚠️ This change has been cancelled or postponed indefinitely.

Deprecation Summary

Add a brief description of the feature or functionality that is deprecated. Clearly state the potential impact of the deprecation to end users.

The Container Scanning security feature generates a lot of security findings. The volume is often difficult to manage for engineering teams and even internally we often limit the results to focus on the most critical vulnerabilities.

By changing this to medium we'll provide a saner default to our users, where any findings with a severity below medium are not reported.

Starting with GitLab 18.0, the default value for the CS_SEVERITY_THRESHOLD environment variable is set to medium instead of unknown. As a result, the security findings with the low and unknown severity levels will no longer be reported by default. Consequently, any vulnerablity with these severities previously reported on the default branch will be marked as no longer detected upon the next execution of Container Scanning. To continue showing these findings, you must configure the CS_SEVERITY_THRESHOLD variable to the desired level.

Documentation

Product Usage

Describe why deprecation of this feature is necessary, ideally with dashboards/metrics that show product usage. add links to the documentation

Breaking Change?

Does this deprecation contain a breaking change? Yes

Affected Customers

Who is affected by this deprecation: GitLab.com users, Self-managed users, or Dedicated users? (choose all that apply)

  • GitLab.com
  • Self-managed
  • Dedicated

What pricing tiers are impacted?

  • GitLab Free
  • GitLab Premium
  • GitLab Ultimate

[ ] Internal note outlining details of customer impact has been created

Deprecation Milestone

This deprecation will be announced in milestone: 17.9 If this deprecation has already been announced, include information about when the initial announcement went out and what follow-up announcements are scheduled.

Planned Removal Milestone

The breaking change will be applied in milestone: 18.0

Links

Checklists

Timeline

Rollout Plan

Plan:

  • Describe rollout plans on GitLab.com
  • Determine how to migrate users still using the existing functionality
    • All users of the feature who have not overridden the default value will be migrated automatically.
  • Document ways to migrate with the tooling available
    • There is no tooling available for this change
  • Automate any users who have not yet migrated, but ensure it's a two-way door decision
    • Not applicable

Communication Plan

An internal slack post and a release post are not sufficient notification for our customers or internal stakeholders. Plan to communicate proactively and directly with affected customers and the internal stakeholders supporting them.

Internal Communication Plan

  • Create an internal note in the comment thread of this issue with a comprehensive narrative of customer impacts, with the intended audience of internal stakeholders who directly interact with customers.
    • Consider: what will the CSM / AE / SA teams need to tell their customers? What will they want to know about customer sentiment and impact?
    • If customers must take an action, include in this internal note the following information: what action is needed, the steps they can take to complete it, the due date for that action, and the consequences of not completing the action in time.
  • Internal announcement plan (timeline for notifications, audience, channels, etc)
  • Support and enablement plan
    • Support readiness: Document how the support team should handle tickets related to this deprecation / breaking change.
    • Customer Success readiness: Ensure the CS team knows how to bring questions or concerns from clients to the right internal team members.

External Communication Plan

  • Customer announcement plan (timeline for notifications, audience, channels, etc)
  • Ensure you have approvals from legal and corp comms for any communication being sent directly to customers.
  • As soon as possible, but no later than the third milestone preceding the major release, ensure that the following are complete (for example, given the following release schedule: 17.8, 17.9, 17.10, 17.11, 18.017.9 is the third milestone preceding the major release).
  • On the major milestone:
    • The deprecated item has been removed. Add link to the relevant merge request.
    • If the removal of the deprecated item is a breaking change, the merge request is labeled breaking change.
    • Document the migration plan for users, clearly outlining the actions they need to take to mitigate the impact of the breaking change.

Development

  • DRI Engineers: @gonzoyumo

  • DRI Engineering Manager: @tkopel

  • Measure usage of the impacted product feature

    • Evaluate metrics across GitLab.com, Self-Managed, Dedicated
    • add issue link
    • list any metrics and/or dashboards

  • Create tooling for customers to manually migrate their data or workflows

    • Not Applicable

  • Build mechanism for users to manually enable the breaking change ahead of time

    • Use can already set the CS_SEVERITY_THRESHOLD environment variable to the desired value.

  • Automate the migration for those who do not take any manual steps (ensure the automation can be reverted)

    • The change will be applied automatically, there is no migration needed.

  • Develop rollout plan of breaking change on GitLab.com

  • Dogfood the changes on GitLab.com or a Self-Managed test instance

    • We already use CS_SEVERITY_THRESHOLD internally to reduce noise from Container Scanning scan results.

  • (Optional) Create UI controls for instance admins to disable the breaking change, providing flexibility to Self-Managed / Dedicated customers. Optional as this depends on the breaking change.

    • Not applicable. Users can set the environment variable at the project, group, or instance level to the desired value. E.g They can set it to UNKNOWN to preserve the current behavior.

Approvals

  • Product Manager @johncrowley
  • Engineering Manager @tkopel
  • Senior Engineering Manager / Director @senior-eng-leader
  • Group / Director of Product Management @senior-product-leader
  • Product / Eng Leaders in the CPO or CTO organizations, as applicable (optional - depends on scope of change)

Keep in mind that approval check boxes and deprecations notices alone are not sufficient communication about breaking changes. Despite having approvals documented here, the PM/EM will still need to take active steps to partner with internal stakeholders and customers to ensure a positive user experience.

Stakeholder Mentions

  • Product Designer @ProductDesigner
  • Tech Writer @TW
  • Software Engineering in Test @SET
  • Any other stable counterparts based on the product categories:
    • Add Sales/CS counterpart or mention @timtams
    • Add Support counterpart or mention @gitlab-com/support/managers
    • Add Marketing counterpart or mention @martin_klaus
    • Add Corp comms if direct customer comms are needed @jmalleo
    • Add Product Security counterpart, if relevant to your deprecation
    • Mention (in internal note) Customer Success Managers / Acount Managers / Solutions Architects for impacted customers

Labels

  • This issue is labeled deprecation, and with the relevant ~devops::, ~group::, and ~Category: labels.
  • This issue is labeled breaking change if the removal of the deprecated item will be a breaking change.

References

Edited by John Crowley