Security Risk Management: Security Policies 17.11 Planning Issue
Previous planning issue: Security Risk Management: Security Policies 17.... (#520024 - closed)
Narrative
In %17.10, our team made significant progress on several key initiatives! We successfully released Compliance handling of `needs` statements in pi... (#469256 - closed) (Compliance handling of needs statements in pipeline execution policies), which was a major milestone for ensuring proper execution order in pipeline execution policies. Great work team!
We continued our development on Scheduled pipeline execution policies (&14147) (Scheduled pipeline execution policies) with a clear plan to deliver it as an experimental feature to gather early feedback from customers. We made substantial progress on the license approval policies capabilities in the scope of Exclude packages from Merge Request Approval Po... (&10203 - closed) (Exclude packages from Merge Request Approval Policies for License Approval Rules).
Additionally, we began exploring two important new areas: Variable precedence controls in pipeline execut... (&16430 - closed) (Optional control of variables when pipeline execution policies are enforced) and Validate, accompany with enabling `policy_merga... (#504700 - closed) (Validate and address identified problems with policy_mergability_check). These initiatives will give our users more control and flexibility with their security policy workflows.
For %17.11, our focus will be on the following key tasks:
- continuing our work on Scheduled pipeline execution policies (&14147) (Scheduled pipeline execution policies), with a focus on adding safeguards and documentation to help customers adopt this feature as an experiment
- finalizing and releasing Exclude packages from Merge Request Approval Po... (&10203 - closed) (Exclude packages from Merge Request Approval Policies for License Approval Rules)
- moving forward with Variable precedence controls in pipeline execut... (&16430 - closed) (Optional control of variables when pipeline execution policies are enforced) by completing the spike and preparing a proof of concept
- starting work on Explore pipeline execution policy limits for cu... (&16929 - closed) (Explore pipeline execution policy limits for customers using a single top-level group) to address scalability concerns for large-scale deployments
As always, we're working hard to fix bugs and improve our Security Policy features. We're seeing more and more customers using these features, which means we need to ensure they work reliably at scale. Let's continue to collaborate and deliver high-quality improvements that meet our users' needs!
Priorities
To release
Exclude packages from Merge Request Approval Po... (&10203 - closed)
Target release: %17.11
DRI: @mc_rocha / @arfedoro
In %17.10, we made excellent progress on both frontend and backend implementations for this feature. In %17.11, we want to finalize the remaining backend tasks, thoroughly test the feature in multiple scenarios, and enable the required feature flags on GitLab.com to release this capability to our users.
- Tasks:
To start/continue working on
Scheduled pipeline execution policies (&14147)
Target release: %18.0
DRI: @Andyschoenen / @aturinske
In %17.10, we made significant progress on both frontend and backend implementations. For %17.11, we want to focus on adding safeguards and documentation changes needed to help customers enable this as an experiment. This approach will allow us to gather valuable feedback while ensuring a smooth experience for early adopters.
Tasks:
- Throttle scheduled PEP based on running pipelines (#520550 - closed)
- [backend] Add documentation pipeline execution ... (#504142 - closed)
- API for Stopping and Snoozing Scheduled Pipelin... (#520130 - closed)
- Update security_pipeline_execution_project_sche... (#524085 - closed)
- Set dynamic TTL for PipelineExecutionPolicies::... (#520711 - closed)
- Add uniqueness for pipeline_execution_schedule_... (#520552 - closed)
- [FE] Add conditions to pipeline execution polic... (#505174 - closed)
Variable precedence controls in pipeline execut... (&16430 - closed)
Target release: %18.1
DRI: @mcavoj / @arfedoro
We want to continue the spike development we started in %17.10 (Spike: Investigate Optional Control of Variable... (#520088 - closed)), clarify approaches with the Verify team, and deliver a proof of concept. Simultaneously, we'll collaborate on UX design for this feature to prepare for full development in the next milestone.
Explore pipeline execution policy limits for cu... (&16929 - closed)
Target release: TBD
DRI: @bauerdominic (@alan during Dominic's PTO)
In %17.11, we want to start working on adding a setting to configure limits related to pipeline execution policies. This will help address scalability concerns for customers with large-scale deployments using a single top-level group.
To investigate
We want to continue our investigation of several important areas to ensure we're building a solid foundation for future improvements:
- Spike: Investigate Optional Control of Variable... (#520088 - closed) - Investigating optional control of variables when pipeline execution policies are enforced
- Spike: Explore Changing Security Policy Limits ... (#519311) - Exploring changes to security policy limits application
- Spike: Proof of Concept for Flexible Scan Execu... (#504973 - closed) - Proof of concept for flexible scan execution policy trigger conditions
@arfedoro
- gitlab-org/gitlab#523376+s (Deliverable)
- [Frontend]: Add variables deny/allow selector t... (#525085 - closed) • Artur Fedorov • 18.0 (Stretch)
- [Frontend]: Add variables deny/allow selector t... (#525084 - closed) • Artur Fedorov • 18.0 (Stretch)
- Fix spec/frontend/vue_shared/components/project... (#524950 - closed) • Artur Fedorov • 17.11 (Stretch)
- Sentry error in group_projects_dropdown.vue (#524637 - closed) • Artur Fedorov • 17.11 (Stretch)
- Update policies list to account for a large num... (#524279 - closed) • Artur Fedorov • 18.1 (Stretch)
- Add checks for nullability for compliance frame... (#523627 - closed) • Artur Fedorov • 17.11 (Stretch)
- [Feature flag] Clean up feature flag security_p... (#510850 - closed) • Artur Fedorov • 17.11 (feature flag)
- [Integration test]: Add coverage for a new feature (#505004 - closed) • Artur Fedorov • 18.0 (Stretch)
- [Frontend] Add ability to set new HMAC secret (#477098 - closed) • Artur Fedorov • 17.11 (Stretch)
- Fix skipped integration tests for skip ci pipeline (#524902 - closed) • Artur Fedorov • 17.11
@mc_rocha
- Adjust license scanning code to work with stati... (#524880 - closed) • Dominic Bauer • 18.0 • At risk (Deliverable)
- Add database read model support for component ... (#524877 - closed) • Andy Schoenen • 17.11 • Needs attention (Deliverable)
- MR Widget incorrectly showing Licenses as Denie... (#518004 - closed) • Dominic Bauer • 17.11 • At risk (Deliverable)
- Remove software_licenses table (#497969) • Marcos Rocha • 18.6 • At risk (Deliverable)
- Migrate custom licenses to the new table. (#478520 - closed) • Unassigned • 17.11 • At risk (Deliverable)
- gitlab-org/gitlab#514816+s (Stretch)
- [Feature flag] Enable static_licenses (#499430 - closed) • Marcos Rocha • 18.4 (feature flag)
- [Feature flag] Rollout FF exclude_license_packages (#499142 - closed) • Marcos Rocha • 18.0 (feature flag)
- [Feature flag] Enable custom_software_license (#465358 - closed) • Marcos Rocha • 18.0 (feature flag)
- BE: Support component filtering options for Mer... (#424526 - closed) • Dominic Bauer • 17.11 • At risk (Stretch)
@Andyschoenen
- Update security_pipeline_execution_project_sche... (#524085 - closed) • Sashi Kumar Kumaresan • 17.11 • On track (Deliverable)
- API for Stopping and Snoozing Scheduled Pipelin... (#520130 - closed) • Dominic Bauer • 17.11 • On track (Deliverable)
- [Feature flag] Cleanup ensure_pipeline_policy_p... (#523177 - closed) • Andy Schoenen • 17.11 (feature flag)
- Set dynamic TTL for PipelineExecutionPolicies::... (#520711 - closed) • Andy Schoenen • 18.1 (Stretch)
- Throttle scheduled PEP based on running pipelines (#520550 - closed) • Andy Schoenen • 17.11 (Stretch)
- [backend] Validate time window for schedules (#513704 - closed) • Marcos Rocha • 17.11 (Stretch)
- [Feature flag] Rollout of `scheduled_pipeline_e... (#513337) • Andy Schoenen • 18.7 (feature flag)
- [backend] Add pipeline execution schedule polic... (#504143) • Andy Schoenen • 18.7 (Stretch)
- [backend] Add documentation pipeline execution ... (#504142 - closed) • Andy Schoenen, Alan (Maciej) Paruszewski • 18.0 (Stretch)
- Move associated records of security policy bots... (#476248 - closed) • Andy Schoenen • 18.1 (Stretch)
@imam_h
- Improve 404 when link to policy page (#523848 - closed) • Sashi Kumar Kumaresan • 18.0 (Stretch)
- Add uniqueness for pipeline_execution_schedule_... (#520552 - closed) • Unassigned • 17.11 (Stretch)
- Security policy bot can't be created with email... (#505618 - closed) • Imam Hossain • 17.11 (Stretch)
- Show why Merge Request requires approval (#499928 - closed) • Imam Hossain • 18.0 (Stretch)
- Preserve comments in the yaml when editing a se... (#469141 - closed) • Unassigned • Awaiting further demand (Stretch)
@aturinske
- Custom roles based on Developer are unable to b... (#523397 - closed) • Alexander Turinske • 17.11 • On track (Deliverable)
- Scan Execution Policy Tag Validation Fails for ... (#523175 - closed) • Alexander Turinske, Jasmin Taj Shaik • 18.0 • On track (Deliverable)
- Update integration tests to account for partial... (#518613 - closed) • Alexander Turinske • 18.1 (Stretch)
- [Feature flag] Enable `security_policy_approval... (#505352) • Andy Schoenen, Alexander Turinske • 18.6 • Needs attention (feature flag)
- [FE] Add conditions to pipeline execution polic... (#505174 - closed) • Alexander Turinske • 18.0 (Stretch)
- [FE] Add conditions to pipeline execution polic... (#505173 - closed) • Alexander Turinske • 17.11 (Stretch)
- Consolidate partial disabling of rule mode code... (#501143 - closed) • Alexander Turinske • 18.1 (Stretch)
- Update compliance framework tooltip to popover ... (#499456 - closed) • Alexander Turinske • 17.11 (Stretch)
@bauerdominic
- Implicit creation of pipelines for scan executi... (#511483 - closed) • Sashi Kumar Kumaresan • 18.1 • On track (Deliverable)
- SEP variables incorrectly assigned for multiple... (#485051) • Unassigned • 18.7 • At risk (Deliverable)
- [Feature flag] Rollout of `fix_scheduled_scan_e... (#523225 - closed) • Dominic Bauer • 18.2 (feature flag)
- Spike: refine performance improvements to Pipel... (#521591) • Dominic Bauer • 18.8 (Stretch)
- Spike: Limits for `dast` scan action (#479943) • Unassigned • Backlog (Stretch)
- Enforce maximum SEP `action` count (#472214 - closed) • Dominic Bauer • 18.0 (Stretch)
- [Feature flag] Rollout of `scan_execution_polic... (#468918 - closed) • Dominic Bauer • 18.0 (feature flag)
- [Feature flag] Rollout of `scan_execution_polic... (#468462 - closed) • Dominic Bauer • 18.0 (feature flag)
@alan
- Introduce application settings for Pipeline exe... (#521630 - closed) • Alan (Maciej) Paruszewski • 17.11 (Stretch)
- Spike: Explore Changing Security Policy Limits ... (#519311) • Alan (Maciej) Paruszewski • 18.8 (Stretch)
- Enhance performance testing infrastructure (#517710 - closed) • Alan (Maciej) Paruszewski • 18.4 (Stretch)
- Inconsistent behavior of the merge request appr... (#514201) • Martin Cavoj • 18.6 (Stretch)
- Spike: Proof of Concept for Flexible Scan Execu... (#504973 - closed) • Alan (Maciej) Paruszewski • 17.11 (Stretch)
- Merge request approval policy with block_branch... (#494948) • Alexander Turinske • 18.6 (Stretch)
- Project owner blocked from editing project poli... (#478812 - closed) • Alan (Maciej) Paruszewski • 18.0 (Stretch)
- Audit status check response updates (#413535 - closed) • Imam Hossain • 18.3 (Stretch)
@mcavoj
- Approvals are required when MR pipelines produc... (#519532 - closed) • Unassigned • 17.11 • On track (Deliverable)
- Policy bot comment not posted when latest pipel... (#519529 - closed) • Sashi Kumar Kumaresan • 17.11 • On track (Deliverable)
- Improve MR approval policy handling of pipeline... (#512310 - closed) • Unassigned • 18.0 • On track (Deliverable)
- Validate, accompany with enabling `policy_merga... (#504700 - closed) • Martin Cavoj • 17.11 • At risk (Deliverable)
- [Feature flag] Rollout of `policy_mergability_c... (#473704 - closed) • Martin Cavoj • 17.11 • At risk (Deliverable)
- [Feature flag] Rollout of `unblock_rules_using_... (#520982 - closed) • Martin Cavoj • 17.11 (feature flag)
- Spike: Investigate Optional Control of Variable... (#520088 - closed) • Martin Cavoj • 17.11 (Stretch)
- Merge Request Licence Widget to align with full... (#515994 - closed) • Andy Schoenen • 18.1 (Stretch)
@sashi_kumar
- Analyze only Merge Request findings in Approval... (#517806 - closed) • Dominic Bauer • 17.11 • At risk (Deliverable)
- Fix ActiveRecord::QueryCanceled in RelatedPipel... (#517512 - closed) • Sashi Kumar Kumaresan • 17.11 • On track (Deliverable)
- Allow vulnerability_states to bypass the baseli... (#515780 - closed) • Dominic Bauer • 17.11 • At risk (Deliverable)
- Backfill approval_policy_rules for approval rul... (#509374 - closed) • Sashi Kumar Kumaresan • 17.11 • At risk (Deliverable)
- Resolution of MR compliance to approval_policy ... (#503327 - closed) • Sashi Kumar Kumaresan • 18.0 • At risk (Deliverable)
- Use security policy read model for compliance f... (#481786 - closed) • Sashi Kumar Kumaresan • 18.0 • At risk (Deliverable)
- Spike: Verify security report comparison logic ... (#427863) • Sashi Kumar Kumaresan • Backlog • At risk (Deliverable)
- Handle N+1 queries in SyncPolicyEventService (#510975 - closed) • Sashi Kumar Kumaresan • Backlog (Stretch)
- [Feature flag] Rollout of `deprecate_scan_resul... (#510282) • Sashi Kumar Kumaresan • 18.6 (feature flag)
- [Feature flag] Rollout of `use_approval_policy_... (#474468 - closed) • Sashi Kumar Kumaresan • 18.1 (feature flag)
Extra
- Kanban board with additional, more minor maintenance issues and bugs (prioritized from top to bottom)
- Group priorities list
Metrics
Release post items
Release post items related to current work in the format Epic | Release post | Milestone.
| Epic | Release post | Milestone |
|---|---|---|