Security Risk Management: Security Policies 18.2 Planning Issue
Previous planning issue: Security Risk Management: Security Policies 18.... (#541387 - closed)
Narrative
In %18.1, we successfully completed and released Variable precedence controls in pipeline execut... (&16430 - closed), which provides users with greater flexibility in managing their pipeline configurations. We made progress on Security policy audit events (&15869 - closed), though this work will continue into %18.2 for completion.
We also made significant advancement on Centralized Security Policy Management (Beta) (&17392 - closed), where backend work is progressing well on both API and database sides. Additionally, we continued our frontend work on Scan Execution Policy Templates (&11919 - closed) since the backend was already delivered, and made substantial progress on Exceptions and Bypasses in Merge Request Approv... (&14090), which we've strategically split into focused epics: Source branch pattern exceptions for MR Approva... (&18113 - closed), Service Account & Access Token Exceptions for M... (&18112 - closed), and User and Group Exceptions in MR Approval Policies (&18114). We're making continuous progress on both backend and frontend implementations for the first two epics, which are scheduled for %18.2 delivery.
For %18.2, our primary focus is on completing, testing, measuring, and releasing our committed epics. This is absolutely critical - all epics mentioned above are committed deliverables for this milestone, which includes comprehensive testing, metrics implementation, and enabling feature flags by default. We need to ensure early completion in the milestone to provide adequate time for addressing any issues discovered during testing.
This will be a challenging milestone with substantial deliverables across multiple complex epics, but I'm confident that with our team's dedication and focus, we will complete our committed items on time. To ensure quality delivery, DRIs are responsible for extensive testing of their features. I strongly suggest implementing dedicated testing practices: create comprehensive test scenarios, ask colleagues to perform cross-testing of your work, and consider organizing a dedicated bug bash day. Early identification and resolution of issues will be key to meeting our commitments.
Let's work together with focus and determination to deliver these important features to our customers!
Priorities
To release
Security policy audit events (&15869 - closed)
Target release: %18.2
DRI: @imam_h Backup DRI: @mc_rocha
We need to complete this epic including enabling all feature flags simultaneously and thoroughly testing the features. An important consideration is evaluating potential performance risks as we're introducing new types of audit events to the system.
- Tasks:
Centralized Security Policy Management (Beta) (&17392 - closed)
Target release: %18.2 (Beta)
BE DRI: @mcavoj Backend backup DRI: @sashi_kumar
FE DRI: @aturinske
We're releasing this as a Beta feature until the Compliance team is ready with their component. Our focus includes API additions, validating performance implications on GitLab infrastructure, comprehensive documentation, and initiating frontend development work.
- Tasks:
- Prepare documentation for CSP (#541525 - closed)
- [BE] Validate performance with CSP (#541522 - closed)
- [BE] Validate propagation of policies when poli... (#541517 - closed)
- [BE] Extend GraphQL for frontend for CSP (#541516 - closed)
- [BE] Restrict assignment and unassignment of se... (#541515 - closed)
- [BE] Add API to allow updates of CSP (#541511 - closed)
- [BE] Designation of a CSP group (#541510 - closed)
- [FE] Annotate group as "Compliance and security... (#541377 - closed)
- [FE] Add admin setting to designate CSP group (#539129 - closed)
Scan Execution Policy Templates (&11919 - closed)
Target release: %18.2
BE DRI: @alan Backend backup DRI: @bauerdominic
FE DRI: @aturinske
With backend implementation complete, we need to adapt the frontend to the newest designs, enable feature flags, and conduct thorough testing before release.
- Tasks:
Exceptions and Bypasses in Merge Request Approv... (&14090)
Target release: %18.2
BE DRI: @sashi_kumar Backend backup DRI: @Andyschoenen
FE DRI: @arfedoro
This epic encompasses both Source branch pattern exceptions for MR Approva... (&18113 - closed) (Source branch pattern exceptions) and Service Account & Access Token Exceptions for M... (&18112 - closed) (Service Account & Access Token Exceptions) as a single deliverable for Exceptions and Bypasses in Merge Request Approval Policies. This requires extensive backend and frontend work, comprehensive testing, and enabling feature flags. This task carries the highest risk of missing delivery - we must communicate early if this work is slipping.
- Tasks:
- [Backend] Create audit logs when an MR is bypas... (#549646 - closed)
- QA: Perform and document manual feature tests f... (#549576 - closed)
- Metrics: Add metrics for Source branch pattern ... (#549575 - closed)
- [Frontend]: Add accounts option for bypass sett... (gitlab-org/frontend/eslint-plugin#81 - moved)
- [Backend] Add service account & access token ex... (#549644 - closed)
- [Frontend]: Add access token option for bypass ... (#548403 - closed)
- [Feature flag]: Rollout feature flag security_p... (#541704 - closed)
- [Frontend] Add bypass options to a merge reques... (#541468 - closed)
- [Frontend]: Add bybass options to a policy drawer (#540827 - closed)
- [Frontend]: Add bybass options to a policy editor (#540826 - closed)
- Merge Request Approval Policy Time Window (#525509)
To start/continue working on
MR Approval Policies Warn Mode (&15552)
Target release: %18.5
BE DRI: @Andyschoenen Backend backup DRI: @bauerdominic
FE DRI: @aturinske
For MR Approval Policies Warn Mode, we should evaluate designs, agree on the scope, and discuss implications on Vulnerability Report functionality.
Say/Do
Check tasks you believe you can complete by the next milestone. If you identify any risks in delivery, please leave a comment in this planning issue or in the related Epic/Issue to highlight the risk. This will aid us in communicating any potential delays and improve our predictability. Thank you!
@arfedoro
- [Frontend]: Add bybass options to a policy drawer (#540827 - closed) • Artur Fedorov • 18.2 • On track (Deliverable)
- [Frontend]: Add bybass options to a policy editor (#540826 - closed) • Artur Fedorov • 18.3 • At risk (Deliverable)
- [Frontend] Add bypass options to a merge reques... (#541468 - closed) • Artur Fedorov • 18.5 • At risk (Deliverable)
- Fix ee/spec/frontend/pages/admin/application_se... (#549705 - closed) • Artur Fedorov • 18.2 (Stretch)
- Fix spec/frontend/pages/projects/pipeline_sched... (#549707 - closed) • Artur Fedorov • 18.2 (Stretch)
- Fix spec/frontend/sidebar/components/labels/lab... (#549753 - closed) • Artur Fedorov • 18.2 (Stretch)
- Two Add new CI Variable buttons on Policy Edito... (#546405 - closed) • Artur Fedorov • 18.4 (Stretch)
- Fix spec/frontend/packages_and_registries/setti... (#549703 - closed) • Artur Fedorov • 18.2 (Stretch)
- Fix spec/frontend/pages/projects/forks/new/comp... (#549706 - closed) • Artur Fedorov • 18.2 (Stretch)
- Fix spec/frontend/packages_and_registries/setti... (#549704 - closed) • Artur Fedorov • 18.2 (Stretch)
- Disable the three dot menu for policies if the ... (#526069 - closed) • Artur Fedorov • 18.5 (Stretch)
- [Integration tests]: Add integration tests for ... (#525132) • Artur Fedorov • 18.6 (Stretch)
- Explore advanced editor for security policy (#450705) • Artur Fedorov, Torian Parker • 18.6 (Stretch)
@sashi_kumar
- [Backend] Create audit logs when an MR is bypas... (#549646 - closed) • Andy Schoenen • 18.2 • On track (Deliverable)
- [Backend] Add service account & access token ex... (#549644 - closed) • Sashi Kumar Kumaresan • 18.2 • At risk (Deliverable)
- Name of incorrect Merge Request Approval Policy... (#538402 - closed) • Sashi Kumar Kumaresan • 18.2 • On track (Deliverable)
- Deprecate scan_result_policy_reads and use appr... (#510281) • Sashi Kumar Kumaresan • 18.6 • At risk (Deliverable)
- ActiveRecord::QueryCanceled in Security::Relate... (#538144) • Sashi Kumar Kumaresan • 18.6 • At risk (Deliverable)
- Merge Request Approval Policy Time Window (#525509) • Dominic Bauer • 18.5 • At risk (Deliverable)
- [FF] `approval_policy_branch_exceptions` -- Add... (#543778 - closed) • Sashi Kumar Kumaresan • 18.3 (feature flag)
- [Feature flag] Rollout of `deprecate_scan_resul... (#510282) • Sashi Kumar Kumaresan • 18.6 (feature flag)
- [FF] `use_approval_policy_rules_for_approval_ru... (#543955 - closed) • Sashi Kumar Kumaresan • 18.2 (feature flag)
@mcavoj
- [BE] Extend GraphQL for frontend for CSP (#541516 - closed) • Martin Cavoj • 18.2 • At risk (Deliverable)
- Prepare documentation for CSP (#541525 - closed) • Martin Cavoj • 18.2 • On track (Deliverable)
- [BE] Designation of a CSP group (#541510 - closed) • Imam Hossain • 18.2 • At risk (Deliverable)
- [BE] Restrict assignment and unassignment of se... (#541515 - closed) • Andy Schoenen • 18.2 • On track (Deliverable)
- [BE] Add API to allow updates of CSP (#541511 - closed) • Sashi Kumar Kumaresan • 18.2 • On track (Deliverable)
- [BE] Validate propagation of policies when poli... (#541517 - closed) • Martin Cavoj • 18.2 (Stretch)
- ChatOps run commands fail when Pipeline Executi... (#549404 - closed) • Martin Cavoj • 18.2 (Stretch)
- [BE] Validate performance with CSP (#541522 - closed) • Dominic Bauer • 18.6 (Stretch)
- Security Widget contradict the security bot com... (#533955 - closed) • Martin Cavoj • 18.6 (Stretch)
- Refactor pipeline execution policy stages injec... (#514933 - closed) • Martin Cavoj • 18.3 (Stretch)
@Andyschoenen
- gitlab-org/gitlab#545917+s (Deliverable)
- Enforce variable precedence from scheduled PEP (#543105) • Andy Schoenen • 18.7 • At risk (Deliverable)
- BE: Prepare implementation plan for Policies Wa... (#549766 - closed) • Andy Schoenen • 18.3 • At risk (Deliverable)
- Add branches array to pipeline execution schedu... (#547932 - closed) • Sashi Kumar Kumaresan • 18.2 (Stretch)
- Add branch_type support to pipeline execution s... (#547933) • Andy Schoenen • 18.7 (Stretch)
- Update "pipeline_execution_schedule_policy" to ... (#538299) • Andy Schoenen • 18.8 (Stretch)
- Automatically grant access to SPP after creatin... (#535228 - closed) • Sashi Kumar Kumaresan • 18.2 (Stretch)
- [FE] Add latest pipeline information into the p... (#528299) • Andy Schoenen, Alexander Turinske • 18.7 (Stretch)
- [Feature flag] Rollout of `scheduled_pipeline_e... (#513337) • Andy Schoenen • 18.7 (feature flag)
- [backend] Add pipeline execution schedule polic... (#504143) • Andy Schoenen • 18.7 (Stretch)
@bauerdominic
- Merge Request approval policy approval_settings... (#538938 - closed) • Andy Schoenen • 18.3 • At risk (Deliverable)
- SEP variables incorrectly assigned for multiple... (#485051) • Unassigned • 18.7 • At risk (Deliverable)
- Remove scan execution policy action limit warni... (#541724 - closed) • Alexander Turinske • 18.3 (Stretch)
- Spike: Investigate if administrators may be una... (#538119 - closed) • Dominic Bauer • 18.3 (Stretch)
- [FF] `merge_request_approval_policies_create_ap... (#547858 - closed) • Dominic Bauer • 18.3 (feature flag)
- Policy branch rules configured to require appro... (#528852 - closed) • Marcos Rocha • 18.2 (Stretch)
- [Feature flag] Rollout of `fix_scheduled_scan_e... (#523225 - closed) • Dominic Bauer • 18.2 (feature flag)
- Spike: refine performance improvements to Pipel... (#521591) • Dominic Bauer • 18.8 (Stretch)
- Approval required for all protected branches if... (#529997 - closed) • Sashi Kumar Kumaresan • 18.2 (Stretch)
- Security::OrchestrationConfigurationRemoveBotWo... (#520685) • Marcos Rocha • 18.6 (Stretch)
- Unexpected behavior with non-default branches c... (#513671 - closed) • Dominic Bauer • 18.2 (Stretch)
- Spike: Explore Changing Security Policy Limits ... (#519311) • Alan (Maciej) Paruszewski • 18.8 (Stretch)
- Optimise SEP performance (#472223 - closed) • Dominic Bauer • 18.3 (Stretch)
@aturinske
- FE: Update policy drawer with scan execution st... (#541371 - closed) • Alexander Turinske • 18.2 • On track (Deliverable)
- FE: Enable branches selector (#535547) • Alexander Turinske • 18.7 • At risk (Deliverable)
- FE: Introduce scan execution strategy for Scan ... (#541370 - closed) • Alexander Turinske • 18.2 (Deliverable)
- [FE] Annotate group as "Compliance and security... (#541377 - closed) • Alexander Turinske • 18.2 • On track (Deliverable)
- [FE] Add admin setting to designate CSP group (#539129 - closed) • Alexander Turinske • 18.2 • On track (Deliverable)
- Sentry error in ee/app/assets/javascripts/secur... (#543092 - closed) • Alexander Turinske • 18.2 (Stretch)
- Update feature tests (#545422) • Alexander Turinske • 18.7 (Stretch)
- Organize security policy feature tests (#539167 - closed) • Alexander Turinske • 18.2 (Stretch)
- [FF] flexible_scan_execution_policy (#541689 - closed) • Alexander Turinske • 18.3 (feature flag)
- Protected-branch tooltip links to invalid URL w... (#537491) • Artur Fedorov • 18.6 (Stretch)
- Merge request approval policy with block_branch... (#494948) • Alexander Turinske • 18.6 (Stretch)
@mc_rocha
- Custom roles are not able to be selected for me... (#542536 - closed) • Dominic Bauer • 18.3 • At risk (Deliverable)
- Implement Pipeline related audit events for sec... (#539232 - closed) • Marcos Rocha • 18.3 • At risk (Deliverable)
- Remove software_licenses table (#497969) • Marcos Rocha • 18.6 • At risk (Deliverable)
- Existing security policies are accessible in pr... (#431229) • Imam Hossain • 18.6 • At risk (Deliverable)
- Spike: Refactoring Merge Request Approval Polic... (#523067 - closed) • Alan (Maciej) Paruszewski, Marcos Rocha • 18.5 • On track (Stretch)
- Ignore software_license_id in software_license_... (#524876 - closed) • Marcos Rocha • 18.3 (Stretch)
- [Feature flag] Enable static_licenses (#499430 - closed) • Marcos Rocha • 18.4 (feature flag)
@imam_h
- Prevent edits to MRAP approval rules (#549105 - closed) • Imam Hossain • 18.3 • On track (Deliverable)
- Implement policy limit and validation related a... (#539233 - closed) • Andy Schoenen • 18.3 • At risk (Deliverable)
- Implement audit events related to security poli... (#539231 - closed) • Sashi Kumar Kumaresan • 18.3 • At risk (Deliverable)
Risks and Mitigations
To help us proactively address potential challenges, we've identified key risks for this milestone and corresponding mitigation strategies:
1. High Volume of Committed Deliverables
Risk: Multiple complex epics committed for release in a single milestone may stretch team capacity and increase risk of incomplete delivery.
Mitigation:
- Focus on early completion to allow time for issue resolution
- Implement rigorous testing practices including dedicated bug bash day
- Regular progress check-ins and early communication of any slipping items
- Prioritize the highest-risk epic (Exceptions and Bypasses) for closest monitoring
2. Quality Assurance for Complex Features
Risk: New audit events and complex exception logic may introduce performance issues or unexpected behaviors.
Mitigation:
- Dedicate one full day to organized bug bash activities
- Encourage cross-team member testing and collaboration
- Evaluate performance implications especially for audit events
- Enable feature flags systematically with proper testing at each stage
3. Exceptions and Bypasses Epic Delivery Risk
Risk: This epic has been identified as having the highest risk of missing delivery due to extensive backend and frontend work required.
Mitigation:
- Assign backup DRIs for critical path items
- Implement early warning system - communicate immediately if work is slipping
- Consider scope reduction if necessary to meet core commitments
- Prioritize this epic's critical path items in sprint planning
Extra
- Kanban Board with additional minor maintenance issues and bugs (prioritized from top to bottom)
- Group Priorities List
Metrics
Release post items
Release post items related to current work in the format Epic | Release post | Milestone.
| Epic | Release post | Milestone |
|---|---|---|
| &15869 (closed) | [TBD] | %18.2 |
| &17392 (closed) | [TBD] | %18.2 |
| &11919 (closed) | [TBD] | %18.2 |
| &14090 | [TBD] | %18.2 |