Security Risk Management: Security Policies 18.4 Planning Issue
Previous planning issue: Security Risk Management: Security Policies 18.... (#549805 - closed)
18.4 Planning - groupsecurity policies
🎉 Thank You - %18.3 Milestone Deliveries
Fantastic work team on delivering our %18.3 commitments! We successfully completed:
- Service Account & Access Token Exceptions for Merge Request Approval Policies (&18112 (closed)) - Providing administrators with granular bypass control
- Security Policy Audit Events (&15869 (closed)) - Giving customers visibility into policy-related actions
- Scan Execution Policy Templates (&11919 (closed)) - Enabling flexible trigger conditions for security scans
- Pipeline Execution Policy Setting Control (#524124 (closed)) - Programmatic enable/disable capabilities
Thank you to everyone on the team for your dedication and collaborative effort in delivering these important security enhancements!
🎯 INTERLOCK COMMITMENTS - Our Primary Focus
Accountability Shift: We're focusing on Epic-level ownership rather than individual task tracking. DRIs are accountable for their Epic's success and will engage team members as needed to ensure delivery.
Epic: User and Group Exceptions in MR Approval Policies
Link: &18114
DRIs: @sashi_kumar (Backend) / @arfedoro (Frontend)
Goal: Deliver the feature within the milestone and enable by default, extending policy bypass capabilities to include user and group selection options.
Key Issues:
- #541468 (closed) (Frontend: Add bypass options to merge request widget)
- #549797 (closed) (BE: Extend policy bypass option to include user/group selection)
- #548484 (closed) (Frontend: Add roles option for bypass settings in policy editor)
Success Criteria:
- Feature flag enabled by default with comprehensive testing
- Demo video documented in Epic showing complete functionality
- Seamless integration with existing exceptions framework
Dependencies: None identified
Epic: MR Approval Policies Warn Mode
Link: &15552
DRIs: @Andyschoenen (Backend) (@mc_rocha as backup DRI in this milestone) / @aturinske (Frontend)
Goal: Collaborate with PM and UX to materialize the feature concept, develop backend PoC, and start frontend implementation behind feature flag. Establish clear delivery plan for %18.5 with scope clarification if needed.
Key Issues:
- [Spike] Create backend MVC for MR Approval Poli... (#536153 - closed)
- BE: Implement enforcement_type schema and polic... (#561885 - closed)
- BE: Create dismissal tracking infrastructure an... (#561886 - closed)
- BE: Build dismissal service layer and GraphQL A... (#561887 - closed)
Success Criteria:
- Working proof of concept demonstrating warn mode functionality
- Clear implementation plan with started implementation for %18.5 delivery
- Defined scope with stakeholder alignment on any limitations
Dependencies: UX designs are not fully completed yet
Team: @Andyschoenen + @mc_rocha + @imam_h (Backend) / @aturinske (Frontend)
Epic: Organization-Level Security Policy Management (Policies v2)
Link: &16664
DRI: @alan (interim), transitioning to @mcavoj when available
Goal: Collaborate with PM and UX to establish clear requirements for improved policy architecture and usability. Build lightweight PoC while coordinating with Security Platform Management team on potential integration with Secret Push Protection Configuration Profile.
Key Issues:
- #549779 (closed) (Spike: Foundation Architecture Blueprint & PoC for Security Policies v2)
Success Criteria:
- Completed spike with architecture blueprint and working PoC
- Finalized designs and implementation issues for backend/frontend work
- Epic split into milestone-sized deliverables with clear roadmap
Dependencies: Secret Push Protection Configuration Profile (&18524) depends on this feature
Team: @mcavoj/@alan + @bauerdominic + other team members (it will be effort for the whole team as we clarify the scope) (Backend) / @aturinske + @arfedoro (Frontend)
Epic: Technical Debt - Simplify YAML Syntax and Preview
Goal: Address user feedback by implementing identified improvements and clarifying future direction with PM for the advanced security policy editor.
Key Issues:
- Implement Experimental Banners for Advanced Security Policy Editor
Success Criteria:
- Delivered functionality enabled globally on GitLab.com
- User feedback collection mechanism in place
- Clear direction established for future iterations
Dependencies: None
Team: @arfedoro
📋 Additional Work - Supporting Our Goals
Critical Bug Fixes
- #561292 (Dismissing vulnerability record not triggering webhook events)
- #548967 (closed) (Compliance framework policy count incorrect)
- #560859 (closed) (Group settings page breaks for large namespaces)
Future Milestone Preparation
- Auto-dismiss irrelevant vulnerabilities (&10894) - Create implementation issues for Q4 interlocked item - @mc_rocha + @arfedoro
- Add filter option for KEV in MR approval policies (&16311) - Prepare backend/frontend breakdown for Q4 delivery - @sashi_kumar + @aturinske
⚠️ Key Risks & Mitigations
Primary Risk: Incomplete Requirements and UX Designs
Impact: Could derail interlock commitments if scope remains unclear
Mitigation Plan:
- Schedule immediate requirements clarification sessions with PM
- Prioritize UX design completion for MR Approval Policies Warn Mode
- Establish clear scope boundaries with stakeholder sign-off
- Implement regular check-ins to surface requirement gaps early
- Prepare scope reduction options if design completion delays occur
🚀 Next Steps
- DRIs: Review your Epic sections and confirm accountability for delivery
- Team: Engage with your assigned Epic DRIs for task coordination
- Requirements: Schedule immediate PM/UX alignment sessions for incomplete designs
- Communication: Use this issue for milestone progress updates and blockers
Issue assignments are based on expertise, capacity, and DRI responsibilities. Epic DRIs will ensure delivery through proper planning and team coordination focused on outcomes rather than task completion.
Say/Do
@imam_h
- BE: Build dismissal service layer and GraphQL A... (#561887 - closed) • Andy Schoenen, Imam Hossain • 18.5 • On track (Deliverable)
- BE: Implement enforcement_type schema and polic... (#561885 - closed) • Imam Hossain • 18.4 • On track (Deliverable)
- Allow scheduled pipeline execution policy bot t... (#551958) • Alan (Maciej) Paruszewski • 18.6 • On track (Deliverable)
- Existing security policies are accessible in pr... (#431229) • Imam Hossain • 18.6 • At risk (Deliverable)
- Remove Security::RefreshComplianceFrameworkSecu... (#545101 - closed) • Imam Hossain • 18.4 • On track (Deliverable)
- Show correct error message when creating policy... (#538577 - closed) • Marcos Rocha • 18.4 • On track (Deliverable)
- Add metric to measure successful policy YAML an... (#550443) • Imam Hossain • 18.4 (Stretch)
@mc_rocha
- BE: Create dismissal tracking infrastructure an... (#561886 - closed) • Marcos Rocha • 18.5 • At risk (Deliverable)
- Remove software_licenses table (#497969) • Marcos Rocha • 18.6 • At risk (Deliverable)
- Pipeline execution policy custom stages ignorin... (#526072 - closed) • Marcos Rocha, Martin Cavoj • 18.5 • At risk (Deliverable)
- Follow-up from "Add failed pipelines with secur... (#554233) • Marcos Rocha • 18.6 (Stretch)
- Follow-up from "Send an audit event for pep erro... (#560145) • Marcos Rocha • 18.6 (Stretch)
- Follow-up from "Send an audit event for pep erro... (#558812) • Marcos Rocha • 18.6 (Stretch)
- Follow-up from "Ignore software_license_id in S... (#550228 - closed) • Imam Hossain • 18.5 (Stretch)
- [FF] `collect_security_policy_skipped_pipelines... (#550772 - closed) • Marcos Rocha • 18.4 (feature flag)
- [FF] `collect_security_policy_failed_pipelines_... (#554064) • Marcos Rocha • 18.6 (feature flag)
- Security::OrchestrationConfigurationRemoveBotWo... (#520685) • Marcos Rocha • 18.6 (Stretch)
- [Feature flag] Enable static_licenses (#499430 - closed) • Marcos Rocha • 18.4 (feature flag)
@aturinske
- BE: Integrate with vulnerability reporting and ... (#561739 - closed) • Andy Schoenen, Marcos Rocha • 18.5 • At risk (Deliverable)
- FE: Add filters and icon to Vulnerability Repo... (#549786 - closed) • Alexander Turinske • 18.6 • At risk (Deliverable)
- FE: Add ability to enable MR Approval Policy in... (#549783 - closed) • Alexander Turinske • 18.6 • At risk (Deliverable)
- Improve CSP warning modal (#560726 - closed) • Alexander Turinske, Dominic Bauer • 18.4 • On track (Deliverable)
- FE: Add banner to policies list announcing warn... (#561580 - closed) • Alexander Turinske • 18.4 (Stretch)
- FE: Update MR widget for warn mode (#561650 - closed) • Alexander Turinske • 18.5 • On track (Stretch)
- [FE] Actions should not be selected by default (#554043) • Alexander Turinske • 18.6 (~"")
- [FE] Add policy scope to exclude any group from... (#552271) • Alexander Turinske • 18.7 (~"")
- FE: Add badge to dependency list (#561600) • Alexander Turinske • 18.6 • At risk (Stretch)
- [Feature flag] Cleanup flexible_scan_execution_... (#561067) • Alexander Turinske • 18.6 (feature flag)
- Compliance framework policy count not correct (#548967 - closed) • Alexander Turinske • 18.4 (~"")
- Update feature tests (#545422) • Alexander Turinske • 18.7 (Stretch)
- [Feature flag] Enable `security_policy_approval... (#505352) • Andy Schoenen, Alexander Turinske • 18.6 (feature flag)
- Merge request approval policy with block_branch... (#494948) • Alexander Turinske • 18.6 (Stretch)
@alan
- Dismissing vulnerability record on an MR is not... (#561292) • Alan (Maciej) Paruszewski • 18.6 • At risk (Deliverable)
- Spike: Architecture Blueprint for Security Poli... (#549779 - closed) • Alan (Maciej) Paruszewski, Martin Cavoj • 18.6 • At risk (Deliverable)
- Protected-branch tooltip links to invalid URL w... (#537491) • Artur Fedorov • 18.6 (Stretch)
- Prepare separate PolicyBranchesServices for Sca... (#532491 - closed) • Alan (Maciej) Paruszewski • 18.4 (~"")
- New merge request approval policy grammatical bugs (#528987) • Alan (Maciej) Paruszewski, Ryan Lehmann+ • 18.6 (Stretch)
- Spike: Explore Changing Security Policy Limits ... (#519311) • Alan (Maciej) Paruszewski • 18.8 (Stretch)
- Enhance performance testing infrastructure (#517710 - closed) • Alan (Maciej) Paruszewski • 18.4 (Stretch)
- Add job source claims to ID tokens (#459001) • Alan (Maciej) Paruszewski, Martin Cavoj • 18.6 (~"")
@sashi_kumar
- Group settings page breaks for large namespace ... (#560859 - closed) • Sashi Kumar Kumaresan • 18.4 • On track (Deliverable)
- Deprecate scan_result_policy_reads and use appr... (#510281) • Sashi Kumar Kumaresan • 18.6 • At risk (Deliverable)
- ActiveRecord::QueryCanceled in Security::Relate... (#538144) • Sashi Kumar Kumaresan • 18.6 • At risk (Deliverable)
- BE: Extend policy bypass option to include user... (#549797 - closed) • Sashi Kumar Kumaresan • 18.5 • At risk (Deliverable)
- Merge Request Approval Policy Time Window (#525509) • Dominic Bauer • 18.5 • At risk (Deliverable)
- Allow "Pipeline Must Succeed" for security poli... (#552085 - closed) • Imam Hossain • 18.4 (~"")
- [Feature flag] Rollout feature flag security_po... (#551920 - closed) • Sashi Kumar Kumaresan • 18.5 (feature flag)
- [Feature flag] Rollout of `deprecate_scan_resul... (#510282) • Sashi Kumar Kumaresan • 18.6 (feature flag)
- Improve bot comments regarding newly detected C... (#547772) • Martin Cavoj • 18.6 (~"")
- Remove old code related to scan_result_policy_read (#504296) • Sashi Kumar Kumaresan • 18.6 (Stretch)
@bauerdominic
- [BE] CSP policy propagation loading indicators ... (#559273 - closed) • Dominic Bauer, Torian Parker • 18.4 • On track (Deliverable)
- [FF] `security_policies_group_transfer_sync` --... (#557122 - closed) • Dominic Bauer • 18.5 (feature flag)
- Add policy limit metrics to Internal Events tra... (#549476) • Dominic Bauer • 18.8 (~"")
- [BE] Validate performance with CSP (#541522 - closed) • Dominic Bauer • 18.6 (Stretch)
- [SPIKE] Foundation: Policy propagation progress... (#528300 - closed) • Dominic Bauer, Martin Cavoj • 18.4 (~"")
- Spike: refine performance improvements to Pipel... (#521591) • Dominic Bauer • 18.8 (Stretch)
- Improve CSP warning modal (#560726 - closed) • Alexander Turinske, Dominic Bauer • 18.4 • On track (Deliverable)
@arfedoro
- Implement Experimental Banners for Advanced Sec... (#545145 - closed) • Artur Fedorov • 18.4 • On track (Deliverable)
- Fix ee/spec/frontend/analytics/cycle_analytics/... (#557622 - closed) • Artur Fedorov • 18.4 (Stretch)
- Fix spec/frontend/ci/artifacts/components/artif... (#557665 - closed) • Artur Fedorov • 18.4 (Stretch)
- [Frontend] Show more information for the bypass... (#554066 - closed) • Artur Fedorov • 18.4 (~"")
- [FF] `security_policies_split_view` advanced se... (#555128) • Artur Fedorov • 18.6 (feature flag)
- [Feature flag]: Roll out feature flag security_... (#552189 - closed) • Artur Fedorov • 18.5 (feature flag)
- Two Add new CI Variable buttons on Policy Edito... (#546405 - closed) • Artur Fedorov • 18.4 (Stretch)
- Audit grammar in PEP policy editor (#530290) • Artur Fedorov, Ryan Lehmann+ • 18.6 (Stretch)
- Disable the three dot menu for policies if the ... (#526069 - closed) • Artur Fedorov • 18.5 (Stretch)
- [Integration tests]: Add integration tests for ... (#525132) • Artur Fedorov • 18.6 (Stretch)
@Andyschoenen
- [Spike] Create backend MVC for MR Approval Poli... (#536153 - closed) • Andy Schoenen, Imam Hossain • 18.4 • On track (Deliverable)
- Add `dry_run` option to PipelineContext for sch... (#555367) • Andy Schoenen • 18.7 • At risk (Deliverable)
- Enforce variable precedence from scheduled PEP (#543105) • Andy Schoenen • 18.7 • At risk (Deliverable)
- Spike: Scheduled PEP test-run feature (#556127) • Andy Schoenen • 18.7 (Stretch)
- Add branch_type support to pipeline execution s... (#547933) • Andy Schoenen • 18.7 (Stretch)
- [FE] Add latest pipeline information into the p... (#528299) • Andy Schoenen, Alexander Turinske • 18.7 (Stretch)
- [backend] Add pipeline execution schedule polic... (#504143) • Andy Schoenen • 18.7 (Stretch)
- Spike: Disable policies and cleanup records in ... (#472276 - closed) • Imam Hossain • 18.4 (Stretch)
Kanban Board: Security Policies Board
Group Priorities: Security Policies Direction