Security Risk Management: Security Policies 17.10 Planning Issue
Previous planning issue: Security Risk Management: Security Policies 17.... (#512833 - closed)
Narrative
In %17.9, we've been super busy and delivered some great improvements! We wrapped up our work on Pipeline Execution Policies improvements (Enforce Custom Stages in Pipeline Execution Pol... (#475152 - closed)), made good progress on workflow enhancements (Unable to edit or add new policies after projec... (&15083 - closed)), and completed the Custom Roles integration (Support custom roles in merge request approval ... (&13550 - closed)). We also tackled some important improvements (CI_MERGE_REQUEST_SOURCE_BRANCH_SHA does not see... (#512916 - closed)). Great work, team!
For %17.10, we're focusing on some exciting new work. We'll keep pushing forward with our Scheduled Pipeline Execution Policies improvements (Scheduled pipeline execution policies (&14147)) - we're making good progress here and working closely with the Verify team to get things just right. We're also continuing our work on license approval policy capabilities (Exclude packages from Merge Request Approval Po... (&10203 - closed)) and aiming to release Compliance handling of `needs` statements in pi... (#469256 - closed), which will make pipeline execution policies handle job ordering much better.
We're also starting some new and interesting work! We're kicking off development on optional variable control for pipeline execution policies (Variable precedence controls in pipeline execut... (&16430 - closed)) and teaming up with the Code Review team to improve policy mergeability checks (Validate, accompany with enabling `policy_merga... (#504700 - closed)). These changes will give our users more control over their security workflows while keeping everything secure.
Looking ahead, we've got some important groundwork to lay for the future of Security Policies. We're starting several investigations to make sure we can handle growth and scale well:
- Checking how pipeline execution policy limits work for customers with large setups (Explore pipeline execution policy limits for cu... (#498780 - closed))
- Setting up a way to test experimental features safely (Spike: Implement Experimental Features Mechanis... (#519310 - closed))
- Looking into better ways to apply policy limits (Spike: Explore Changing Security Policy Limits ... (#519311))
- Starting work on organization-level security policy management (Organization-Level Security Policy Management w... (&16664)) - this one's going to be a game-changer for our enterprise customers!
As always, we're working hard to fix bugs and improve our Security Policy features. We're seeing more and more customers using these features, which is fantastic! That means we need to make sure our Scan Execution and Merge Request Approval Policies keep working great as usage grows. We're thinking ahead by starting architectural planning now - it might seem early, but it'll help us stay ahead of the curve.
So, let's dive in together! If you have any thoughts or ideas about how we can make these features even better, please share them. Looking forward to seeing what we can achieve in this release!
Priorities
To release
Compliance handling of `needs` statements in pi... (#469256 - closed)
Target release: %17.10
DRI: @Andyschoenen
In %17.9, we have been focused on validating with customers and ensuring that there would be no unwanted side effects. In %17.10, we want to enable this feature flag and validate it works as expected.
To start/continue working on
Scheduled pipeline execution policies (&14147)
Target release: %17.10 (exploring)
DRI: @Andyschoenen / @aturinske
In %17.9, we made significant progress on both frontend and backend. For %17.10, we want to explore the possibility of delivering this functionality behind a feature flag to start testing and validating with selected customers. This approach will help us ensure the feature works as expected before wider rollout.
- Tasks:
MR Approval Policies Warn Mode (&15552)
Target release: %17.10
DRI: @aturinske / @alan
We will continue our work with the AppSec team to identify and address any gaps before enabling this feature internally. This collaboration will help us ensure we meet all security requirements as we move towards dogfooding with our AppSec Team.
- Tasks:
Exclude packages from Merge Request Approval Po... (&10203 - closed)
Target release: %17.11
DRI: @mc_rocha / @arfedoro
We're focusing on finalizing both the backend and frontend implementation for this feature. Once completed, we'll move into the testing phase to ensure everything works as expected.
- Tasks:
Variable precedence controls in pipeline execut... (&16430 - closed)
Target release: TBD
DRI: @mcavoj / @arfedoro
We're initiating investigation through a spike to better understand the requirements and implementation challenges. This feature will require another round of collaboration with the Verify team, which we expect will extend the timeline for release. We want to ensure we have a solid plan before starting the implementation.
To investigate
We want to start exploring several important areas through spikes to ensure we're building a solid foundation for future improvements:
- Explore pipeline execution policy limits for cu... (#498780 - closed) - Exploring pipeline execution policy limits for customers using a single top-level group
- Spike: Implement Experimental Features Mechanis... (#519310 - closed) - Implementing experimental features mechanism in policy.yml
- Spike: Explore Changing Security Policy Limits ... (#519311) - Exploring changes to security policy limits application
- Spike: Implement monitoring and alerting for Se... (#517709 - closed) - Implementing monitoring and alerting for Security Policies
- Spike: Proof of Concept for Flexible Scan Execu... (#504973 - closed) - Proof of concept for flexible scan execution policy trigger conditions
@mcavoj
- Approvals are required when MR pipelines produc... (#519532 - closed) • Unassigned • 17.11 • On track (Deliverable)
- Policy bot comment not posted when latest pipel... (#519529 - closed) • Sashi Kumar Kumaresan • 17.11 • On track (Deliverable)
- CI_MERGE_REQUEST_SOURCE_BRANCH_SHA does not see... (#512916 - closed) • Martin Cavoj • 17.10 • On track (Deliverable)
- Validate, accompany with enabling `policy_merga... (#504700 - closed) • Martin Cavoj • 17.11 • At risk (Deliverable)
- Account for configured Pipeline Execution Polic... (#498624 - closed) • Martin Cavoj • 17.10 • At risk (Deliverable)
- [Feature flag] Rollout of `policy_mergability_c... (#473704 - closed) • Martin Cavoj • 17.11 • At risk (Deliverable)
- Spike: Investigate Optional Control of Variable... (#520088 - closed) • Martin Cavoj • 17.11 (Stretch)
- Refactor pipeline execution policy stages injec... (#514933 - closed) • Martin Cavoj • 18.3 (Stretch)
- Show why Merge Request requires approval (#499928 - closed) • Imam Hossain • 18.0 (Stretch)
@arfedoro
- Update allow/denylist payload for exclude packages (#520082 - closed) • Artur Fedorov • 17.10 • On track (Deliverable)
- Update texts UI for allow/deny license list widget (#519349 - closed) • Artur Fedorov, Ryan Lehmann • 17.10 • On track (Deliverable)
- Updating Project Scope may remove unrelated items (#518035 - closed) • Artur Fedorov • 17.10 • On track (Deliverable)
- Clearly show the source for policies with ident... (#513381 - closed) • Artur Fedorov • 17.10 (Stretch)
- Follow-up from "Add skip CI configuration for p... (#511982 - closed) • Artur Fedorov • 17.10 (Stretch)
- [Integration tests] Add frontend integration te... (#510851 - closed) • Artur Fedorov • 17.10 (Stretch)
- Update approver action styling (#510675 - closed) • Artur Fedorov • 17.10 (Stretch)
- [Feature flag]: Rollout feature flag security_p... (#508924 - closed) • Artur Fedorov • 17.10 (feature flag)
- [Feature flag] Clean up feature flag security_p... (#506451 - closed) • Artur Fedorov • 17.10 (feature flag)
- Update policy scope project exception dropdown ... (#503385 - closed) • Artur Fedorov • 17.10 (Stretch)
- [Frontend] Refactor approval widget (#514213 - closed) • Artur Fedorov • 17.10
- [Follow up]: Create universal fromYaml method f... (#520597 - closed) • Artur Fedorov • 17.10
- Updating Policy Scope may remove unrelated link... (#520943 - closed) • Artur Fedorov • 17.10
- Fix spects in groups_toggle_list_spec (#520754 - closed) • Artur Fedorov • 17.10
- Updating Policy Scope may remove unrelated comp... (#520536 - closed) • Artur Fedorov • 17.10
- Removing excluded projects from scan execution ... (#521720 - closed) • Artur Fedorov • 17.10
- Update user_select to emit short id version of ... (#511923 - closed) • Artur Fedorov • 17.10
- Align new policy button on cards (#522945 - closed) • Artur Fedorov • 17.10
- "Required approvers" setting allows for negativ... (#428689 - closed) • Artur Fedorov • 17.10
@alan
- Security Policy unassignment fails when there a... (#517389 - closed) • Alan (Maciej) Paruszewski • 17.10 • On track (Deliverable)
- Spike: Explore Changing Security Policy Limits ... (#519311) • Alan (Maciej) Paruszewski • 18.8 (Stretch)
- Spike: Implement Experimental Features Mechanis... (#519310 - closed) • Alan (Maciej) Paruszewski • 17.10 (Stretch)
- Enhance performance testing infrastructure (#517710 - closed) • Alan (Maciej) Paruszewski • 18.4 (Stretch)
- Spike: Implement monitoring and alerting for Se... (#517709 - closed) • Alan (Maciej) Paruszewski • 17.10 (Stretch)
- GraphQL mutation securityPolicyProjectAssign no... (#511009 - closed) • Alan (Maciej) Paruszewski • 17.10 (Stretch)
- Spike: Proof of Concept for Flexible Scan Execu... (#504973 - closed) • Alan (Maciej) Paruszewski • 17.11 (Stretch)
- Explore pipeline execution policy limits for cu... (#498780 - closed) • Alan (Maciej) Paruszewski • 17.10 (Stretch)
- Merge request approval policy with block_branch... (#494948) • Alexander Turinske • 18.7 (Stretch)
- Project owner blocked from editing project poli... (#478812 - closed) • Alan (Maciej) Paruszewski • 18.0 (Stretch)
@sashi_kumar
- Fix ActiveRecord::QueryCanceled in RelatedPipel... (#517512 - closed) • Sashi Kumar Kumaresan • 17.11 • On track (Deliverable)
- Policy not linked back to the project after ena... (#515866 - closed) • Sashi Kumar Kumaresan, Martin Cavoj • 17.10 • On track (Deliverable)
- Incorrect policy index persisted in scan_result... (#515851 - closed) • Sashi Kumar Kumaresan • 17.10 • On track (Deliverable)
- Allow vulnerability_states to bypass the baseli... (#515780 - closed) • Dominic Bauer • 17.11 • At risk (Deliverable)
- Mirrored policies not deleted from database whe... (#512468 - closed) • Sashi Kumar Kumaresan • 17.10 • On track (Deliverable)
- Backfill approval_policy_rules for approval rul... (#509374 - closed) • Sashi Kumar Kumaresan • 17.11 • At risk (Deliverable)
- Resolution of MR compliance to approval_policy ... (#503327 - closed) • Sashi Kumar Kumaresan • 18.0 • At risk (Deliverable)
- Improve Security Policy evaluation for chained ... (#501445 - closed) • Sashi Kumar Kumaresan • 17.10 • At risk (Deliverable)
- MR approval policy should not block MR's on new... (#495828 - closed) • Sashi Kumar Kumaresan • 17.11 • Needs attention (Deliverable)
@aturinske
- Update integration tests to account for partial... (#518613 - closed) • Alexander Turinske • 18.1 (Stretch)
- Simplify alert validation logic and use it with... (#518610) • Alexander Turinske • Backlog (Stretch)
- Simplify policy editor saving code to increase ... (#518000 - closed) • Alexander Turinske • 17.10 (Stretch)
- Improve error message when project/group cannot... (#512391 - closed) • Alexander Turinske • 17.10 (Stretch)
- Add validation to skip_ci section to partially ... (#512005 - closed) • Alexander Turinske • 17.10 (Stretch)
- [FE] Add conditions to pipeline execution polic... (#505174 - closed) • Alexander Turinske • 18.0 (Stretch)
- [FE] Add conditions to pipeline execution polic... (#505173 - closed) • Alexander Turinske • 17.11 (Stretch)
- First time policy set up errors (#505040 - closed) • Alexander Turinske • 17.10 (Stretch)
- Enforce policy limits when policies are created... (#504409 - closed) • Unassigned • Backlog (Stretch)
- Consolidate apollo requests (#501683) • Unassigned • Backlog (Stretch)
- Consolidate partial disabling of rule mode code... (#501143 - closed) • Alexander Turinske • 18.1 (Stretch)
- Update compliance framework tooltip to popover ... (#499456 - closed) • Alexander Turinske • 17.11 (Stretch)
- Create new section in merge request approval po... (#498349 - closed) • Alexander Turinske • 18.0 (Stretch)
- Refactor `editor_layout`'s `isRemoving`/`isEdit... (#489018 - closed) • Unassigned • Backlog (Stretch)
- Refactor policy editor errors (#486021) • Unassigned • Backlog (Stretch)
- Investigate Sentry type errors on security poli... (#523898 - closed) • Alexander Turinske • 17.10 (Stretch)
- Sentry error in editor/extensions/source_editor... (#524709 - closed) • Alexander Turinske • 17.10 (Stretch)
- User select sometimes does not provide user name (#523312 - closed) • Alexander Turinske • 17.10 (Stretch)
@mc_rocha
- Project Approval Settings in Security Policies ... (#506904 - closed) • Alan (Maciej) Paruszewski, Marcos Rocha • 17.10 • At risk (Deliverable)
- gitlab-org/security/gitlab#1230+s (Deliverable)
- Backfill spdx column in software_license_polici... (#505271 - closed) • Andy Schoenen • 17.10 • At risk (Deliverable)
- IDOR in securityPolicyProjectAssign Mutation Al... (#502857 - closed) • Marcos Rocha • 17.10 (Deliverable)
- Remove software_licenses table (#497969) • Marcos Rocha • 18.7 • At risk (Deliverable)
- Migrate custom licenses to the new table. (#478520 - closed) • Unassigned • 17.11 • At risk (Deliverable)
- Follow-up from "Fix SecurityPolicyDefault to wo... (#516222) • Marcos Rocha • Backlog (Stretch)
- Follow-up from "Update software license policie... (#514935) • Marcos Rocha • Backlog (Stretch)
- gitlab-org/gitlab#514816+s (Stretch)
@Andyschoenen
- Pipeline Execution Policies ignore rules:change... (#513365 - closed) • Sashi Kumar Kumaresan • 17.10 • On track (Deliverable)
- Enqueue security bot removal workers for namesp... (#512671 - closed) • Unassigned • 17.10 • On track (Deliverable)
- [backend] Investigate scheduled PEP limits and ... (#504212 - closed) • Andy Schoenen • 17.10 • On track (Deliverable)
- Remove delegations from `ExecutionPolicies::Pip... (#517294 - closed) • Andy Schoenen • 18.3 (Stretch)
- [backend] Validate time window for schedules (#513704 - closed) • Marcos Rocha • 17.11 (Stretch)
- Security policy bot can't be created with email... (#505618 - closed) • Imam Hossain • 17.11 (Stretch)
- Follow-up from "Add suffix configuration option... (#481987 - closed) • Unassigned • Backlog (Stretch)
- Move associated records of security policy bots... (#476248 - closed) • Andy Schoenen • 18.1 (Stretch)
@bauerdominic
- [backend] Add execution time window for pipelin... (#504598 - closed) • Marcos Rocha • 17.10 • At risk (Deliverable)
- gitlab-org/security/gitlab#1199+s (Deliverable)
- SEP variables incorrectly assigned for multiple... (#485051) • Unassigned • 18.7 • At risk (Deliverable)
- [Feature flag] Rollout of `scheduled_pipeline_e... (#513337) • Andy Schoenen • 18.7 (feature flag)
- [backend] Add pipeline execution schedule polic... (#504143) • Andy Schoenen • 18.7 (Stretch)
- [Feature flag] Rollout of `scan_execution_polic... (#468918 - closed) • Dominic Bauer • 18.0 (feature flag)
- [Feature flag] Rollout of `scan_execution_polic... (#468462 - closed) • Dominic Bauer • 18.0 (feature flag)
Extra
- Kanban Board with additional, more minor maintenance issues and bugs (prioritized from top to bottom)
- Group Priorities List
Metrics
Release post items
Release post items related to current work in the format Epic | Release post | Milestone.
| Epic | Release post | Milestone |
|---|---|---|