
Frontend: Implementation plan for Security Attributes

Context

Why are we doing this work

We want to provide a way to tag projects (assets) so that they can be grouped in more flexible ways on dashboards with broader scopes.

  • more flexible ways: by business context, application, exposure level, location, customer... any arbitrary attribute you can think of
  • dashboards: Security Inventory, Security Dashboard, Vulnerability Report, Security Policies

Relevant links

Non-functional requirements

Functional requirements

🏷️ Built-in categories and attributes

See: &18010

⚠️ assumption: The built-in categories and attributes are defined in the backend and are merged with the custom categories and attributes there, so the frontend receives one combined list rather than fetching and merging two sources itself.

Each category is one of the following types:

  • 🔒 Category locked (This category cannot be edited or deleted. Category attributes are fixed.)
    • example: design 🎨
      • name: Business Impact
      • description: Classify projects by their importance to business operations.
      • attributes:
        • Mission Critical
        • Business Critical
        • Business Operational
        • Business Administrative
        • Non-essential
  • ✏️ Limited edits allowed (This category cannot be deleted, but attributes can be edited.)
    • example: design 🎨
      • name: Application
      • description: Categorize projects by application type and technology stack.
      • attributes: user-defined
  • Fully editable, no badge shown
    • example: design 🎨
      • name: user-defined
      • description: user-defined
      • attributes: user-defined

🔄 Category's selection type

Changing a category from Single selection to Multiple selection is straightforward and low-risk: every existing project assignment remains valid. Changing from Multiple selection to Single selection is more complex, because any project that already has more than one attribute from that category would need to be migrated or have attributes dropped.

Set once, not editable: let users choose the selection type when creating a category, and prevent changing it afterwards.

🧵 #547963[Security_configuration_-_group-level_-_security_labels_-_category_details_-_full_edit.png] (comment 2575305696)
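The rules above (locked / limited / fully editable categories, a selection type that is set once, and the backend merge of built-in and custom categories assumed earlier) can be expressed as a small model. The following is an added example written for this plan, not GitLab's own code; the field names `type`, `selectionType` and `attributes`, the function names, and the sample categories are assumptions, not the real schema.

```javascript
// Added example, not GitLab's own code. Models the category rules in this plan.
// Field names (`type`, `selectionType`, `attributes`) are assumptions.

const CATEGORY_TYPE = Object.freeze({
  LOCKED: 'locked',     // 🔒 cannot be edited or deleted; attributes fixed
  LIMITED: 'limited',   // ✏️ cannot be deleted; only attributes editable
  EDITABLE: 'editable', // fully editable, no badge shown
});

const SELECTION_TYPE = Object.freeze({ SINGLE: 'single', MULTIPLE: 'multiple' });

// Constructed sample of built-in categories, mirroring the design examples above.
const BUILT_IN_CATEGORIES = Object.freeze([
  {
    name: 'Business Impact',
    type: CATEGORY_TYPE.LOCKED,
    selectionType: SELECTION_TYPE.SINGLE,
    description: 'Classify projects by their importance to business operations.',
    attributes: ['Mission Critical', 'Business Critical', 'Business Operational',
      'Business Administrative', 'Non-essential'],
  },
  {
    name: 'Application',
    type: CATEGORY_TYPE.LIMITED,
    selectionType: SELECTION_TYPE.MULTIPLE,
    description: 'Categorize projects by application type and technology stack.',
    attributes: [],
  },
]);

// Merge built-in and custom categories into the single list the frontend
// consumes (the page assumes the backend does this). Custom categories are
// always fully editable and may not shadow a built-in one; name comparison
// is trimmed and case-insensitive so "business impact " cannot slip past.
function mergeCategories(builtIn, custom) {
  const seen = new Set();
  const merged = [];
  for (const category of builtIn) {
    seen.add(category.name.toLowerCase());
    merged.push(category);
  }
  for (const category of custom) {
    const name = category.name.trim();
    const key = name.toLowerCase();
    if (seen.has(key)) {
      throw new Error(`Category "${name}" already exists`);
    }
    seen.add(key);
    merged.push({ ...category, name, type: CATEGORY_TYPE.EDITABLE });
  }
  return merged;
}

// Decide whether a proposed edit is allowed. `field` is one of
// 'name', 'description', 'attributes', 'selectionType' or 'delete'.
// The selection type is "set once": no category type may change it.
function categoryEditAllowed(category, field) {
  if (field === 'selectionType') {
    return { allowed: false, reason: 'Selection type is set at creation and cannot be changed' };
  }
  switch (category.type) {
    case CATEGORY_TYPE.LOCKED:
      return { allowed: false, reason: 'Locked category: cannot be edited or deleted' };
    case CATEGORY_TYPE.LIMITED:
      if (field === 'delete') return { allowed: false, reason: 'This category cannot be deleted' };
      if (field === 'attributes') return { allowed: true };
      return { allowed: false, reason: 'Only the attributes of this category can be edited' };
    case CATEGORY_TYPE.EDITABLE:
      return { allowed: true };
    default:
      return { allowed: false, reason: `Unknown category type "${category.type}"` };
  }
}

// Apply attributes from one category to a project, enforcing the selection
// type. Duplicates are collapsed; unknown attributes, or more than one
// attribute in a single-selection category, are rejected.
function selectAttributes(category, requested) {
  const unique = [...new Set(requested)];
  const unknown = unique.filter((a) => !category.attributes.includes(a));
  if (unknown.length > 0) {
    throw new Error(`Unknown attribute(s) for "${category.name}": ${unknown.join(', ')}`);
  }
  if (category.selectionType === SELECTION_TYPE.SINGLE && unique.length > 1) {
    throw new Error(`"${category.name}" allows a single attribute; got ${unique.length}`);
  }
  return unique;
}

// Stand-alone usage with a constructed custom category.
const categories = mergeCategories(BUILT_IN_CATEGORIES, [
  { name: 'Region', selectionType: SELECTION_TYPE.SINGLE, description: 'Hosting region', attributes: ['EU', 'US'] },
]);
console.log(categories.map((c) => `${c.name} (${c.type}, ${c.selectionType})`));
console.log(selectAttributes(categories[0], ['Mission Critical']));
```

The frontend should still treat these checks as a UX convenience: a category badge or a disabled drawer field is not an authorization boundary, so the same rules must be enforced server-side on every mutation.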

Implementation plan

Future-proofing note: Which GitLab entities (instances, organizations, root groups, subgroups, projects) these screens are available for will likely change in the future. Build them from small, composable components so that the same configuration and application screens can be mounted at a different level without a rewrite.

Implementation tasks

🗺️ Navigation

📄 Category attribute configuration screen (for group)

design: #547963[Security_configuration_-_group-level_-_security_labels_-_category_details_-_full_edit.png] 🎨

#️⃣ Frontend: Scaffold group-level `Security config... (#550472 - closed)
#️⃣ Frontend: Build category label configuration sc... (#550483 - closed)
#️⃣ Frontend: Hook up category attribute configurat... (#550582 - closed)
#️⃣ Frontend: Build attribute editing drawer (#550486 - closed)
#️⃣ Frontend: Hook up attribute editing drawer (#550583 - closed)

📄 Category attribute application screen (for project)

design: #547963[Security_configuration-_project-level_-_apply_label.png] 🎨

#️⃣ Frontend: Scaffold `Security labels` tab in pro... (#550473 - closed)
#️⃣ Frontend: Build drawer for applying attributes ... (#550489 - closed)
#️⃣ Frontend: Hook up drawer for applying attribute... (#550581 - closed)
#️⃣ Frontend: Build project security attributes list (#550488 - closed)
#️⃣ Frontend: Hook up project security attributes list (#550584 - closed)
#️⃣ Frontend: Build filter bar for project attributes (#550490)

🏗️ Modifications to existing pages

Security Inventory

group::security platform management

design: #547963[Security_inventory-_group-level_-_security_labels_-_default.png] 🎨

#️⃣ Frontend: Scaffold `Security attributes` column... (#550478 - closed)
#️⃣ Frontend: Show project attributes in inventory ... (#550491 - closed)
#️⃣ Frontend: Filter inventory by security attributes (#550497)
#️⃣ Frontend: Reuse drawer for applying attributes ... (#550498 - closed)
#️⃣ Frontend: Build bulk editing for project attrib... (#550499)
#️⃣ Frontend: Hook up loading project attributes in... (#560246 - closed)
#️⃣ Frontend: Hook up bulk editing for project attr... (#550585)

Vulnerability Report and Dependency List

group::security insights

Group Security Dashboard

group::security insights

Policies

group::security policies

Timeline/Phases/MVC/Iterations/Roll-out

📋 View these issues on an issue board by milestone

List of unassigned issues ready for development

fields: title, milestone
display: table
limit: 20
query: project = "gitlab-org/gitlab" and epic = "18010" and label = "workflow::ready for development" and assignee = none and label != ~backend

18.2 | work: 2025-06-14 - 2025-07-11 | release: 2025-07-17

  • working days (left) in milestone: <15
fields: title, labels("workflow::*"), weight, assignee
display: table
limit: 10
query: project = "gitlab-org/gitlab" and milestone = "18.2" and epic = "18010" and label != ~backend

18.3 | work: 2025-07-12 - 2025-08-15 | release: 2025-08-21

  • working days in milestone: 25
fields: title, labels("workflow::*"), weight, assignee
display: table
limit: 20
query: project = "gitlab-org/gitlab" and milestone = "18.3" and epic = "18010" and label != ~backend

18.4 | work: 2025-08-16 - 2025-09-12 | release: 2025-09-18

  • working days in milestone: 20

🌴 @mfluharty OOO: 2025-08-13 to 2025-09-01 (-11 workdays from %18.4)

fields: title, labels("workflow::*"), weight, assignee
display: table
limit: 20
query: project = "gitlab-org/gitlab" and milestone = "18.4" and epic = "18010" and label != ~backend

18.5 | work: 2025-09-13 - 2025-10-10 | release: 2025-10-16

  • working days in milestone: 20
fields: title, labels("workflow::*"), weight, assignee
display: table
limit: 20
query: project = "gitlab-org/gitlab" and milestone = "18.5" and epic = "18010" and label != ~backend

18.6 | work: 2025-10-11 - 2025-11-14 | release: 2025-11-20

  • working days in milestone: 25
fields: title, labels("workflow::*"), weight, assignee
display: table
limit: 20
query: project = "gitlab-org/gitlab" and milestone = "18.6" and epic = "18010" and label != ~backend

Not allocated to a milestone (should contain only meta-issues)

fields: title, labels("workflow::*")
display: table
limit: 20
query: project = "gitlab-org/gitlab" and milestone != (%18.2, %18.3, %18.4, %18.5, %18.6) and epic = "18010" and label != ~backend and label != ~type::ignore

Validation/verification steps

  • create a validation issue like #546381 (closed)
  • create a feedback issue
  • open an engineering decisions issue like we did for inventory #552410
Edited by Miranda Fluharty