Security Risk Management: Security Policies 18.3 Planning Issue

Previous planning issue: Security Risk Management: Security Policies 18.... (#549770 - closed)

Narrative

IMPORTANT: This is a DRAFT planning issue prepared in advance, contingent on successful delivery of our %18.2 commitments.

Assuming successful completion of our %18.2 milestone, our team will have delivered significant capabilities including Security Policy Audit Events (Security policy audit events (&15869 - closed)), Centralized Security Policy Management as a beta feature (Centralized Security Policy Management (Beta) (&17392 - closed)), Flexible Scan Execution Policy Trigger Conditions (Scan Execution Policy Templates (&11919 - closed)), and Exceptions/Bypasses functionality through Source Branch Pattern Exceptions (Source branch pattern exceptions for MR Approva... (&18113 - closed)) and Service Account & Access Token Exceptions (Service Account & Access Token Exceptions for M... (&18112 - closed)). These deliverables will significantly enhance our users' control and flexibility over their security policy workflows.

For %18.3, our primary focus will be on building upon this foundation with three key initiatives:

• MR Approval Policies Warn Mode (MR Approval Policies Warn Mode (&15552)) - We'll begin implementation of this highly requested feature, starting with backend MVC development and initial frontend work to enable warn mode capabilities and enforcement level configuration
• User and Group Exceptions in MR Approval Policies (User and Group Exceptions in MR Approval Policies (&18114)) - Continuing our exceptions work by adding user and group selection capabilities to policy bypass options, providing even more granular control for our users
• Security Policies v2 Foundation (Organization-Level Security Policy Management w... (&16664)) - Starting our architectural exploration for the next generation of Security Policies with improved scalability and UX through a comprehensive spike and proof of concept

This plan assumes successful %18.2 delivery and may require adjustment based on actual delivery outcomes, user feedback, and design completion status. We'll need to remain flexible and adapt our priorities based on real-world results from our %18.2 features.

As always, we'll continue to improve the quality of our Security Policies features, address bugs, and ensure reliable performance as more customers adopt these capabilities. Let's work together to deliver these important enhancements while maintaining the high quality our users expect!

Priorities

To release

User and Group Exceptions in MR Approval Policies (&18114)

Target release: %18.3

BE DRI: @sashi_kumar Backend backup DRI: @imam_h
FE DRI: @arfedoro

Building on the foundation established in %18.2 with source branch and service account exceptions, we'll extend our policy bypass capabilities to include user and group selection options. This will provide administrators with comprehensive control over who can bypass security policy requirements.

• Success criteria:

  • Backend implementation supports user and group bypass selections
  • Frontend policy editor includes roles and groups options
  • Feature works behind feature flag with comprehensive testing
  • Integration with existing exceptions framework is seamless

• Tasks:

  • BE: Extend policy bypass option to include user... (#549797 - closed) (BE: Extend policy bypass option to include user/group selection)
  • [Frontend]: Add roles option for bypass setting... (#548484 - closed) (Frontend: Add roles option for bypass settings in policy editor)
  • [Frontend]: Add groups option for bypass settin... (#548610 - closed) (Frontend: Add groups option for bypass settings in policy editor)

To start/continue working on

MR Approval Policies Warn Mode (&15552)

Target release: %18.5

BE DRI: @Andyschoenen Backend backup DRI: @bauerdominic
FE DRI: @aturinske

We'll begin implementation of MR Approval Policies Warn Mode, starting with backend MVC development and initial frontend components. This feature will allow policies to operate in a warning-only mode, providing valuable feedback without blocking merge requests.

• Success criteria:

  • Backend MVC demonstrates warn mode functionality
  • Frontend components support warn mode enablement
  • Enforcement level configuration based on policy scope is functional
  • Vulnerability Report filtering integration is working

• Tasks:

  • [Spike] Create backend MVC for MR Approval Poli... (#536153 - closed) (Spike: Create backend MVC for MR Approval Policies Warn Mode)
  • FE: Add ability to enable MR Approval Policy in... (#549783 - closed) (FE: Add ability to enable MR Approval Policy in Warn Mode)
  • FE: Add ability to specify enforcement level ba... (#549785 - closed) (FE: Add ability to specify enforcement level based on group/project policy scope)
  • FE: Add filters and icon to Vulnearbility Repo... (#549786) (FE: Add filtering on Vulnerability Report for vulnerabilities with policy violations)

Organization-Level Security Policy Management w... (&16664)

Target release: %18.5 (PoC)

BE DRI: @mcavoj (initial phase), then @bauerdominic Backend backup DRIs: @mc_rocha, @sashi_kumar

We'll begin foundational work on Security Policies v2 with comprehensive architectural planning and proof of concept development. This initiative will establish the groundwork for next-generation security policy management with improved scalability and user experience.

• Success criteria:

  • Foundation architecture blueprint is completed and reviewed
  • Proof of concept demonstrates key architectural concepts
  • Technical feasibility is validated for improved scalability
  • Implementation roadmap for future milestones is established

• Tasks:

  • Spike: Architecture Blueprint for Security Poli... (#549779 - closed) (Spike: Foundation Architecture Blueprint & PoC for Security Policies v2)

To investigate

We'll conduct several important investigations to inform our implementation approaches and ensure we're building on solid foundations:

• [Spike] Create backend MVC for MR Approval Poli... (#536153 - closed) (Spike: Create backend MVC for MR Approval Policies Warn Mode)
• Spike: Disable policies and cleanup records in ... (#472276 - closed) (Spike: Disable policies and cleanup records in database after downgrading license from Ultimate)
• Spike: Evaluate impact on approval rules create... (#490587) (Spike: Evaluate impact on approval rules created through security policies)

Quality Improvements

As in every milestone, we'll dedicate time to improving the quality of our Security Policies features. This includes addressing bugs, refining user experiences, and ensuring our features work reliably at scale.

• Success criteria:

  • Critical bugs from %18.2 features are addressed promptly
  • Performance optimizations are implemented based on %18.2 feedback
  • Documentation is enhanced for newly released features
  • User guidance reflects latest capabilities and best practices

• Tasks:

  • Address critical bugs and usability issues (DRI: All team members)
  • Implement performance improvements based on %18.2 feedback (DRI: All team members)
  • Enhance documentation for %18.2 released features (DRI: All team members)

---

Say/Do

@sashi_kumar

• BE: Extend policy bypass option to include user... (#549797 - closed) • Sashi Kumar Kumaresan • 18.5 • At risk (Deliverable)
• Add pagination to `dependantSecurityPolicies` p... (#517036) • Unassigned • Backlog (Stretch)
• Remove old code related to scan_result_policy_read (#504296) • Sashi Kumar Kumaresan • 18.6 (Stretch)
• Spike: Evaluate impact on approval rules create... (#490587) • Sashi Kumar Kumaresan • 18.7 (Stretch)

@aturinske

• QA: Perform and document manual feature tests f... (#549571 - closed) • Alexander Turinske, Grant Hickman • 18.3 (Deliverable)
• [FF] flexible_scan_execution_policy (#541689 - closed) • Alexander Turinske • 18.3 (Deliverable)
• [SPIKE] Foundation: Policy propagation progress... (#528300 - closed) • Dominic Bauer, Martin Čavoj • 18.4 (Deliverable)
• [FE] Add policy scope to exclude any group from... (#552271) • Alexander Turinske • 18.7 (Deliverable)
• [FE] Conditionally show `all projects in linked... (#554036 - closed) • Alexander Turinske • 18.3 (Deliverable)
• FE: Add filters and icon to Vulnearbility Repo... (#549786) • Alexander Turinske • 18.6 • At risk (Deliverable)
• FE: Add ability to specify enforcement level ba... (#549785 - closed) • Alexander Turinske • 18.3 • At risk (Deliverable)
• FE: Add ability to enable MR Approval Policy in... (#549783 - closed) • Alexander Turinske • 18.6 • At risk (Deliverable)
• The policy list intermittently shows policies f... (#515341 - closed) • Alexander Turinske • 18.5 (Stretch)

@mcavoj

• Spike: Architecture Blueprint for Security Poli... (#549779 - closed) • Alan (Maciej) Paruszewski, Martin Čavoj • 18.6 • At risk (Deliverable)
• Pipeline Execution Policy Change - Showing mult... (#544001 - closed) • Martin Čavoj • 18.6 • At risk (Deliverable)
• Inconsistent behavior of the merge request appr... (#514201) • Martin Čavoj • 18.6 (Stretch)

@Andyschoenen

• [Spike] Create backend MVC for MR Approval Poli... (#536153 - closed) • Andy Schoenen, Imam Hossain • 18.4 • On track (Deliverable)
• Clean up `columns_changing_default` for `spp_re... (#549777 - closed) • Andy Schoenen • 18.3 (Stretch)
• Spike: Disable policies and cleanup records in ... (#472276 - closed) • Imam Hossain • 18.4 (Stretch)
• Refactor PipelineContext to decouple `command` (#503788 - closed) • Andy Schoenen • 18.3 (Deliverable)
• Remove delegations from `ExecutionPolicies::Pip... (#517294 - closed) • Andy Schoenen • 18.3 (Deliverable)
• Add `dry_run` option to PipelineContext for sch... (#555367) • Andy Schoenen • 18.7 • At risk (Deliverable)

@arfedoro

• [Frontend]: Add groups option for bypass settin... (#548610 - closed) • Artur Fedorov • 18.3 • On track (Deliverable)
• [Frontend]: Add roles option for bypass setting... (#548484 - closed) • Artur Fedorov • 18.3 • At risk (Deliverable)
• Implement Experimental Banners for Advanced Sec... (#545145 - closed) • Artur Fedorov • 18.4 • On track (Deliverable)
• Inherited policy tooltip component (#526599 - closed) • Artur Fedorov • 18.3 (Stretch)
• [Frontend]: Hide token dropdown from service ac... (#557057 - closed) • Artur Fedorov • 18.3
• [Frontend]: Add users option for bypass setting... (#557379 - closed) • Artur Fedorov • 18.3
• [Frontend] Add bypass information for branch pa... (#558885 - closed) • Artur Fedorov • 18.3
• [Frontend]: Update payload for custom roles (#560031 - closed) • Artur Fedorov • 18.3

@imam_h

• Show correct error message when creating policy... (#538577 - closed) • Marcos Rocha • 18.4 • On track (Deliverable)
• Remove Security::RefreshComplianceFrameworkSecu... (#545101 - closed) • Imam Hossain • 18.4 • On track (Deliverable)
• [FF] `collect_security_policy_audit_events` -- ... (#548416 - closed) • Imam Hossain • 18.3 (feature flag)
• Add limit to description field in security policy (#505275 - closed) • Andy Schoenen • 18.3 (Stretch)

@bauerdominic

• Security policies from the new parent group are... (#545805 - closed) • Andy Schoenen • 18.3 • On track (Deliverable)
• Auto disable "Pipeline Must Succeed" not clear ... (#534276 - closed) • Dominic Bauer • 18.3 • On track (Deliverable)
• Replace cron job `CreateOrchestrationPolicyWork... (#512615) • Unassigned • Backlog (Stretch)

@mc_rocha

• Spike: Refactoring Merge Request Approval Polic... (#523067 - closed) • Alan (Maciej) Paruszewski, Marcos Rocha • 18.5 • On track (Stretch)

---

Risks and Mitigations

To help us proactively address potential challenges, we've identified key risks for this milestone and corresponding mitigation strategies:

1. Dependency on %18.2 Successful Delivery

Risk: This entire plan is contingent on successful delivery of %18.2 commitments. Delays or issues with %18.2 features could significantly impact %18.3 priorities.

Mitigation:

• Monitor %18.2 progress closely and communicate any potential delays early
• Prepare alternative %18.3 priorities if %18.2 items need to carry over
• Schedule plan review meeting immediately after %18.2 completion
• Maintain flexibility in %18.3 scope to accommodate %18.2 feedback

2. Design Completion Risk for Warn Mode

Risk: MR Approval Policies Warn Mode currently has only basic designs generated using Claude. Lack of proper GitLab-standard designs could block frontend implementation progress.

Mitigation:

• Prioritize design completion with UX team early in the milestone
• Schedule design review sessions with stakeholders promptly
• Prepare backend work to proceed independently while designs are finalized
• Consider scope reduction if design completion is significantly delayed

3. Feedback Integration from %18.2 Features

Risk: User feedback from newly released %18.2 features may require immediate attention and could impact %18.3 planned work.

Mitigation:

• Allocate buffer time for addressing %18.2 feedback
• Establish clear criteria for what feedback requires immediate vs. future milestone attention
• Maintain communication channels with early adopters of %18.2 features
• Plan for potential scope adjustments based on user needs

4. Timeline Considerations

Risk: Starting planning one month early may result in outdated assumptions by the time %18.3 actually begins.

Mitigation:

• Schedule mandatory plan review and update session after %18.2 completion
• Document assumptions clearly so they can be validated later
• Prepare for potential re-prioritization based on actual %18.2 outcomes
• Maintain regular check-ins on external dependencies and design progress

---

Extra

• Kanban Board with additional more minor maintenance issues and bugs. (Prioritized from top to bottom)
• Group Priorities List

Metrics

• Service Ping Metrics
• Development Metrics

Release post items

Release post items related to current work in the format Epic | Release post | Milestone.

Epic	Release post	Milestone
&18114	[TBD]	%18.3