Security Risk Management: Security Policies 18.1 Planning Issue
Previous planning issue: Security Risk Management: Security Policies 18.... (#535420 - closed)
Narrative
In %18.0, our team achieved significant milestones! We successfully delivered the experimental feature &14147 (closed) (Scheduled Pipeline Execution Policies), which allows users more flexibility in managing their pipeline schedules. We clarified next steps to implement new audit events for policies (&15869 (closed)) and worked on a proof of concept for centralized management of security policies (&17392 (closed)), giving us a better understanding of the impact on GitLab instances.
For %18.1, our primary focus will be on:
- concluding and releasing &15869 (closed) (Security policy audit events)
- releasing &16430 (closed) (Optional control of variables) after receiving feedback from Verify team
- starting frontend work for &11919 (closed) (Flexible Scan Execution Policy Trigger Condition)
- continuing backend work for &14090 (Exceptions/Bypass in MR Approval Policies), reviewing designs, and preparing an implementation plan
- starting frontend work and backend implementation for &17392 (closed) (Centralized Management) after promising results from the PoC
We do have some dependencies to be aware of - for Variable precedence controls in pipeline execut... (&16430 - closed), we're waiting for feedback from the Verify team. Additionally, both Centralized Security Policy Management (Beta) (&17392 - closed) and Exceptions and Bypasses in Merge Request Approv... (&14090) are dependent on finalized designs before frontend work can proceed. I'd like to ask the team to review designs quickly when they are prepared and ready by @tparker so we can promptly start working on implementation.
Priorities
To release
Variable precedence controls in pipeline execut... (&16430 - closed)
Target release: %18.1
DRI: @mcavoj / @arfedoro Backend backup DRI: @Andyschoenen
In this milestone, we will finalize backend implementation by addressing any remaining feedback and ensure proper connection with the frontend work completed in the previous milestone. Our goal is to release this feature behind a feature flag, enabling selected customers to start testing it. This will allow us to validate that variable controls work as expected in various pipeline scenarios before wider rollout.
- Tasks:
Security policy audit events (&15869 - closed)
Target release: %18.1
DRI: @imam_h / @aturinske Backend backup DRI: @sashi_kumar
Based on our successful proof of concept, we will implement the first set of audit events for security policies in this milestone. We aim to deliver a comprehensive solution that provides customers with visibility into policy-related actions. By the end of the milestone, we should have a releasable feature with documentation and testing completed.
- Tasks:
To start/continue working on
Centralized Security Policy Management (Beta) (&17392 - closed)
Target release: %18.2 (beta)
DRI: @mcavoj / @aturinske Backend backup DRI: @alan
For this milestone, we will transform our proof of concept into the beginning of a viable implementation. With UX designs now finalized, we'll build the initial frontend components while developing the underlying backend architecture. Our objective is to make significant progress toward a beta release in %18.2, establishing the foundation for centralized security policy management.
- Tasks:
  - [FE] Annotate group as "Compliance and security... (#541377 - closed)
  - [FE] Add admin setting to designate CSP group (#539129 - closed)
  - Spike: Backend PoC for Centralized Security Pol... (#535382 - closed)
  - [BE] Designation of a CSP group (#541510 - closed)
  - [BE] Add API to allow updates of CSP (#541511 - closed)
  - [BE] Restrict assignment and unassignment of se... (#541515 - closed)
  - [BE] Extend GraphQL for frontend for CSP (#541516 - closed)
Exceptions and Bypasses in Merge Request Approv... (&14090)
Target release: %18.2
DRI: @sashi_kumar / @arfedoro Backend backup DRI: @mc_rocha
Our goal for this milestone is to complete the architectural blueprint and create a solid implementation plan for exceptions/bypass functionality in Merge Request Approval Policies. We'll review designs, identify technical challenges, and establish a clear path forward for implementation in upcoming milestones. By the end of 18.1, we should have a well-defined roadmap for delivering this feature in 18.2.
Scan Execution Policy Templates (&11919 - closed)
Target release: %18.1
DRI: @alan / @aturinske Backend backup DRI: @mc_rocha
With fresh UX designs now available, we will begin frontend implementation for flexible scan execution policy trigger conditions. We aim to build upon our existing backend proof of concept, connecting it with a user-friendly interface that allows customers to configure more sophisticated trigger conditions. Our objective is to have a working implementation ready by the end of the milestone.
- Tasks:
  - Collaborate with UX on design refinements (DRI: @alan/@aturinske)
  - FE: Update policy drawer with scan execution st... (#541371 - closed) • Alexander Turinske • 18.2 • On track
  - FE: Introduce scan execution strategy for Scan ... (#541370 - closed) • Alexander Turinske • 18.2
To start planning and breakdown
For this milestone, we won't introduce new planning items, but we will begin reviewing implementation plans for MR Approval Policies Warn Mode (&15552) now that designs are ready. This preliminary work will help us prepare for future development while focusing on our current priorities.
Say/Do
Check tasks you believe you can complete by the next milestone. If you identify any risks in delivery, please leave a comment in this planning issue or in the related Epic/Issue to highlight the risk. This will aid us in communicating any potential delays and improve our predictability. Thank you!
@mcavoj
- [BE] Extend GraphQL for frontend for CSP (#541516 - closed) • Martin Cavoj • 18.2 • At risk (Deliverable)
- [BE] Restrict assignment and unassignment of se... (#541515 - closed) • Andy Schoenen • 18.2 • On track (Deliverable)
- [BE] Add API to allow updates of CSP (#541511 - closed) • Sashi Kumar Kumaresan • 18.2 • On track (Deliverable)
- [BE] Designation of a CSP group (#541510 - closed) • Imam Hossain • 18.2 • At risk (Deliverable)
- [Backend] Add variable precedence controls for ... (#535981 - closed) • Sashi Kumar Kumaresan • 18.1 • On track (Deliverable)
- Pipeline execution policy custom stages ignorin... (#526072 - closed) • Marcos Rocha, Martin Cavoj • 18.5 • At risk (Deliverable)
- Failing `.pipeline-policy-pre` stage should fai... (#534302 - closed) • Andy Schoenen, Martin Cavoj • 18.3 (Stretch)
- Security Widget contradict the security bot com... (#533955 - closed) • Martin Cavoj • 18.6 (Stretch)
- Backfill pipeline execution policy enforced scans (#524563 - closed) • Martin Cavoj • 18.1 (Stretch)
- Refactor pipeline execution policy stages injec... (#514933 - closed) • Martin Cavoj • 18.3 (Stretch)
- Inconsistent behavior of the merge request appr... (#514201 - closed) • Martin Cavoj • 18.7 (Stretch)
@alan
- New merge request approval policy grammatical bugs (#528987 - closed) • Alan (Maciej) Paruszewski, Artur Fedorov+ • 18.6 (Stretch)
- Give users the option to programmatically enabl... (#524124 - closed) • Andy Schoenen • 18.3 (Stretch)
- Spike: Explore Changing Security Policy Limits ... (#519311) • Alan (Maciej) Paruszewski • 18.8 (Stretch)
- Enhance performance testing infrastructure (#517710 - closed) • Alan (Maciej) Paruszewski • 18.4 (Stretch)
- gitlab-org/gitlab#508340+s (Stretch)
@arfedoro
- Fix spec/frontend/projects/commits/components/a... (#540806 - closed) • Artur Fedorov • 18.1 (Stretch)
- Fix ee/spec/frontend/password/components/passwo... (#540744 - closed) • Artur Fedorov • 18.1 (Stretch)
- Fix ee/spec/frontend/metrics/details/filter_bar... (#540470 - closed) • Artur Fedorov • 18.1 (Stretch)
- [Backend]: Split construct_security_policies in... (#537450 - closed) • Artur Fedorov • 18.1 (Stretch)
- Fix ee/spec/frontend/analytics/analytics_dashbo... (#534602 - closed) • Unassigned • Backlog (Stretch)
- Audit grammar in PEP policy editor (#530290) • Artur Fedorov, Ryan Lehmann+ • 18.8 (Stretch)
- Inherited policy tooltip component (#526599 - closed) • Artur Fedorov • 18.3 (Stretch)
- Load initially selected users for user_select (#526264 - closed) • Artur Fedorov • Backlog (Stretch)
- Disable the three dot menu for policies if the ... (#526069 - closed) • Artur Fedorov • 18.5 (Stretch)
- [Frontend]: Connect optional variables frontend... (#525128 - closed) • Artur Fedorov • 18.1 (Stretch)
- Update policies list to account for a large num... (#524279 - closed) • Artur Fedorov • 18.1 (Stretch)
- Existing security policy delete CTA alignment (#524164 - closed) • Artur Fedorov • 18.2 (Stretch)
- Explore advanced editor for security policy (#450705) • Artur Fedorov, Torian Parker • 18.6 (Stretch)
- Review UX designs for frontend implementations
@imam_h
- Implement policy limit and validation related a... (#539233 - closed) • Andy Schoenen • 18.3 • At risk (Deliverable)
- Implement Pipeline related audit events for sec... (#539232 - closed) • Marcos Rocha • 18.3 • At risk (Deliverable)
- Implement audit events related to security poli... (#539231 - closed) • Sashi Kumar Kumaresan • 18.3 • At risk (Deliverable)
- Implement Audit events for policy management op... (#539230 - closed) • Sashi Kumar Kumaresan • 18.1 • On track (Deliverable)
- When generating policy YAML, add a comment next... (#497774 - closed) • Marcos Rocha • 18.1 • On track (Deliverable)
- Add limit to description field in security policy (#505275 - closed) • Andy Schoenen • 18.3 (Stretch)
- Preserve comments in the yaml when editing a se... (#469141 - closed) • Unassigned • Awaiting further demand (Stretch)
@aturinske
- FE: Introduce scan execution strategy for Scan ... (#541370 - closed) • Alexander Turinske • 18.2 (Deliverable)
- [FE] Add admin setting to designate CSP group (#539129 - closed) • Alexander Turinske • 18.2 • On track (Deliverable)
- Organize security policy feature tests (#539167 - closed) • Alexander Turinske • 18.2 (Stretch)
- [FE] Clean up pipeline execution policy code (#536087 - closed) • Alexander Turinske • 18.1 (Stretch)
- [FE] Add form section for Stopping/Snoozing (#535078 - closed) • Alexander Turinske • 18.1 (Stretch)
- Create new constants file from util file (#527204 - closed) • Alexander Turinske • 18.1 (Stretch)
- Handle duplicate branches in schedule pipeline ... (#526747) • Alexander Turinske • Backlog (Stretch)
- Handle invalid types in schedule pipeline form (#526746 - closed) • Alexander Turinske • 18.1 (Stretch)
- Update integration tests to account for partial... (#518613 - closed) • Alexander Turinske • 18.1 (Stretch)
- [Feature flag] Enable `security_policy_approval... (#505352 - closed) • Andy Schoenen, Alexander Turinske • 18.6 • At risk (feature flag)
- Review UX designs for all priority epics
- Prepare implementation plans
@sashi_kumar
- Name of incorrect Merge Request Approval Policy... (#538402 - closed) • Sashi Kumar Kumaresan • 18.2 • On track (Deliverable)
- ActiveRecord::QueryCanceled in Security::Relate... (#538144 - closed) • Sashi Kumar Kumaresan • 18.7 • At risk (Deliverable)
- Create API endpoint to validate and force-sync ... (#536001 - closed) • Sashi Kumar Kumaresan • 18.1 • At risk (Deliverable)
- Spike: Prepare Architectural Blueprint for MR A... (#535383 - closed) • Sashi Kumar Kumaresan • 18.1 • At risk (Deliverable)
- MR approval policy from previous parent (sub)gr... (#532419 - closed) • Marcos Rocha • 18.1 • On track (Deliverable)
- Merge Request Approval Policy Time Window (#525509 - closed) • Dominic Bauer • 18.5 • At risk (Deliverable)
- Deprecate scan_result_policy_reads and use appr... (#510281) • Sashi Kumar Kumaresan • 18.8 • At risk (Deliverable)
- Existing security policies are accessible in pr... (#431229) • Imam Hossain • 18.8 • At risk (Deliverable)
- [Feature flag] Rollout of `deprecate_scan_resul... (#510282) • Sashi Kumar Kumaresan • 18.8 (feature flag)
- Spike: Evaluate impact on approval rules create... (#490587) • Sashi Kumar Kumaresan • 18.8 (Stretch)
- [Feature flag] Rollout of `use_approval_policy_... (#474468 - closed) • Sashi Kumar Kumaresan • 18.1 (feature flag)
- Review UX designs for Exceptions and Bypasses in Merge Request Approv... (&14090)
- Prepare implementation plan for Exceptions and Bypasses in Merge Request Approv... (&14090)
@Andyschoenen
- [Spike] Create backend MVC for MR Approval Poli... (#536153 - closed) • Andy Schoenen, Imam Hossain • 18.4 • On track (Deliverable)
- exists: condition in Pipeline Execution Policy ... (#525060 - closed) • Andy Schoenen • 18.1 • On track (Deliverable)
- Set SECURE_ENABLE_LOCAL_CONFIGURATION variable ... (#471946 - closed) • Andy Schoenen, Artur Fedorov • 18.1 • On track (Deliverable)
- Add metrics for Scheduled Pipeline Execution Po... (#538345 - closed) • Andy Schoenen • 18.1 (Stretch)
- Update "pipeline_execution_schedule_policy" to ... (#538299) • Andy Schoenen • 18.8 (Stretch)
- Automatically grant access to SPP after creatin... (#535228 - closed) • Sashi Kumar Kumaresan • 18.2 (Stretch)
- [FE] Add latest pipeline information into the p... (#528299) • Andy Schoenen, Alexander Turinske • 18.8 (Stretch)
- Set dynamic TTL for PipelineExecutionPolicies::... (#520711 - closed) • Andy Schoenen • 18.1 (Stretch)
- [backend] Add pipeline execution schedule polic... (#504143) • Andy Schoenen • 18.8 (Stretch)
- Follow-up from "Add suffix configuration option... (#481987 - closed) • Unassigned • Backlog (Stretch)
- Move associated records of security policy bots... (#476248 - closed) • Andy Schoenen • 18.1 (Stretch)
@bauerdominic
- Scheduled pipeline execution policies with addi... (#538170 - closed) • Dominic Bauer • 18.1 • On track (Deliverable)
- Improve error on trying to create more than max... (#537763 - closed) • Andy Schoenen • 18.1 (Stretch)
- Approval required for all protected branches if... (#529997 - closed) • Sashi Kumar Kumaresan • 18.2 (Stretch)
- Policy branch rules configured to require appro... (#528852 - closed) • Marcos Rocha • 18.2 (Stretch)
- [Feature flag] Rollout of `fix_scheduled_scan_e... (#523225 - closed) • Dominic Bauer • 18.2 (feature flag)
- Spike: refine performance improvements to Pipel... (#521591) • Dominic Bauer • 18.8 (Stretch)
- Security::OrchestrationConfigurationRemoveBotWo... (#520685) • Marcos Rocha • 18.8 (Stretch)
- Unexpected behavior with non-default branches c... (#513671 - closed) • Dominic Bauer • 18.2 (Stretch)
- Implicit creation of pipelines for scan executi... (#511483 - closed) • Sashi Kumar Kumaresan • 18.1 • On track (Stretch)
- Merge request approval policy with block_branch... (#494948 - closed) • Alexander Turinske • 18.7 (Stretch)
- Optimise SEP performance (#472223 - closed) • Dominic Bauer • 18.3 (Stretch)
@mc_rocha
- Runner tag defined in scan execution policy is ... (#530298 - closed) • Marcos Rocha • 18.1 • On track (Deliverable)
- Remove software_licenses table (#497969) • Imam Hossain • 18.8 • At risk (Deliverable)
- Ignore software_license_id in software_license_... (#524876 - closed) • Marcos Rocha • 18.3 (Stretch)
- Spike: Refactoring Merge Request Approval Polic... (#523067 - closed) • Alan (Maciej) Paruszewski, Marcos Rocha • 18.5 • On track (Stretch)
- Merge Request Licence Widget to align with full... (#515994 - closed) • Andy Schoenen • 18.1 (Stretch)
- Follow-up from "Update software license policie... (#514935) • Marcos Rocha • Backlog (Stretch)
- [Feature flag] Enable static_licenses (#499430 - closed) • Marcos Rocha • 18.4 (feature flag)
Extra
- Kanban board with additional, more minor maintenance issues and bugs (prioritized from top to bottom)
- Group Priorities List
Metrics
Release post items
Release post items related to current work in the format Epic | Release post | Milestone.