Security Policy Advanced Editor - Feedback Issue

Overview

We're experimenting with an advanced editor for security policies to improve the user experience. This issue is dedicated to collecting structured feedback from internal users and select customers who are testing this experimental feature.

Background

As we introduced security policies, we learned that some users prefer a policies-as-code or DevSecOps approach to managing policies, which brings benefits such as a git history of all policy changes, programmatic management of policies, and simpler rollback to a previous version of a policy configuration.

On the other hand, some customers preferred a simpler approach to managing policies: a more traditional UI built from form fields, dropdowns, multiple-choice options, and similar inputs.

In this experiment we are exploring ways to let users manage policies in whichever interface best fits their preferences and needs.

Let's compare the current capabilities with the experimental feature you are testing.

Current Experience: Fixed UI with YAML Preview

  • The Rule Mode UI section is fixed and the width of each section cannot be modified.
  • Inputs in the Rule Mode UI update the YAML preview during editing.
  • Users may switch to YAML mode to edit the YAML separately, then switch back to Rule mode.

New Experimental Feature: Dynamic Split View

  • The Rule Mode UI section and the YAML section are combined on a single page in a split view.
  • Both Rule mode and YAML mode can be edited on the same screen.
  • Changes in either the UI or the YAML are reflected in the other.
  • The width of both sections defaults to roughly an 80/20 split across the screen, but this can be changed with the drag bar to suit your preferences, either to adjust it granularly or to edit fully in one mode or the other.
  • Once adjusted, you may reset to the default with a back button in the drag bar.

How to Provide Feedback

  1. Enable the feature flag security_policies_split_view (available from 17.8) in your security policy project. GitLab.com users may create a support ticket that names the group you'd like to use for the test and requests that the FF be enabled. Support can then follow this workflow to enable the FF.
  2. Identify a test group you may use.
  3. Try out the new policy editor. Consider creating / editing policies for scenarios that are most relevant to you, or if you need some prompts, try the following:
    1. Create a merge request approval policy to block critical/high severity findings. Choose the settings/filters you feel are most important.
    2. Create a scan execution policy that executes SAST scans in all projects in your test group. Choose the settings/filters you feel are most important.
    3. Create a pipeline execution policy with a custom CI job you think would be useful.
    4. Create a vulnerability management policy to auto-resolve vulnerabilities that are no longer detected.
  4. After using the advanced editor (accessible via the experimental banner in the security policy editor), please provide your feedback by completing the survey shared below. Also feel free to comment on this issue with any additional feedback/questions you would like to share!

Survey

Please fill in this survey to complete the experiment:

👉 Security Policy Advanced Editor Survey 🌟

Timeline

  • This feedback collection has been extended and will run through milestone 18.3 (8/21/2025).
  • Based on your feedback, we'll make decisions about further development and wider rollout.

Thank you for helping us improve GitLab's security policy editing experience!

Edited by Segolene Bouly