Security Risk Management: Security Policies 18.5 Planning Issue
Previous planning issue: Security Risk Management: Security Policies 18.... (#561766 - closed)
📅 Team Availability & Capacity Context
Capacity Constraints: 2 team members currently on parental leave, with additional vacation time planned by other team members throughout the milestone.
Impact: Limited capacity reinforces our focus on committed interlock items and may affect ability to extend scope or add additional team members to projects.
Q4 Volunteer Needs: We are actively seeking volunteers for both frontend and backend implementation of our FY26-Q4 interlock commitments. Please reach out if you're interested in contributing to auto-dismiss vulnerabilities or KEV filtering capabilities.
🎯 INTERLOCK COMMITMENTS - Our Primary Focus
Accountability Focus: We're emphasizing Epic-level DRI ownership with outcome-focused delivery. DRIs are accountable for their Epic's success and will engage team members as needed to ensure delivery.
Feature Flag Strategy: Every feature we introduce should have a feature flag enabled. We consider a feature as delivered when the feature flag is enabled globally and BY DEFAULT.
Metrics Requirement: Every delivered Epic should have metrics added so we can track adoption and usage patterns.
Epic: User and Group Exceptions in MR Approval Policies ⭐ HIGH CONFIDENCE | Complexity: M
Link: &18114
DRIs: @sashi_kumar (Backend) / @arfedoro (Frontend)
Goal: Complete delivery and enable by default, providing administrators with comprehensive control over who can bypass security policy requirements through user and group selection options. We are finalizing this feature and are in the last step before enabling it.
Key Issues:
- [Feature flag] Rollout feature flag security_po... (#551920 - closed) • Sashi Kumar Kumaresan • 18.5
- BE: Extend policy bypass option to include user... (#549797 - closed) • Sashi Kumar Kumaresan • 18.5 • At risk
- [Frontend] Add bypass options to a merge reques... (#541468 - closed) • Artur Fedorov • 18.5 • At risk
Success Criteria:
- Feature flag enabled globally and by default with comprehensive testing completed
- Demo video documented in Epic showing complete functionality
- Seamless integration with existing exceptions framework validated
- Adoption metrics implemented and tracking
Epic: MR Approval Policies Warn Mode ⚠️ MEDIUM CONFIDENCE | Complexity: L
Link: &15552
DRI: @Andyschoenen (Backend) / @aturinske (Frontend)
Team: @mc_rocha, @imam_h, @bauerdominic (during @imam_h vacation), @Andyschoenen, @aturinske
Goal: Deliver functional warn mode capabilities with carefully managed scope to ensure delivery confidence. We have limited the initial scope due to unplanned complexity that affected our delivery capability.
Key Issues:
- BE: Add rule bypass indicator field to MergeReq... (#569681 - closed) • Marcos Rocha • 18.5 • On track
- Implement audit trails for bypassed security po... (#569628 - closed) • Andy Schoenen • 18.6 • On track
- BE: Extend PolicyViolationInfo API to include I... (#569270 - closed) • Imam Hossain • 18.5 • On track
- BE: Update GraphQL API to accept reason and dis... (#568966 - closed) • Imam Hossain • 18.5 • On track
- BE: Optimize performance and add comprehensive ... (#561890) • Andy Schoenen • 18.6 • At risk
- BE: Update Security Policy Bot comments for war... (#561889 - closed) • Andy Schoenen • 18.5 • At risk
- BE: Update merge request approval policy violat... (#561888) • Dominic Bauer • 18.5 • On track
- BE: Build dismissal service layer and GraphQL A... (#561887 - closed) • Andy Schoenen, Imam Hossain • 18.5 • On track
- BE: Integrate with vulnerability reporting and ... (#561739 - closed) • Andy Schoenen, Marcos Rocha • 18.5 • At risk
- FE: Update MR widget for warn mode (#561650 - closed) • Alexander Turinske • 18.5 • On track
- FE: Add badge to dependency list (#561600) • Alexander Turinske • 18.6 • At risk
- BE: Update dependency list to include policy in... (#562185) • Andy Schoenen, Dominic Bauer • 18.6 • On track
Success Criteria:
- Feature flag enabled globally and by default
- Reduced scope MVC implementation completed and tested
- Adoption metrics implemented and tracking
Risk Mitigation: By Week 2, we will decide on next steps and scope adjustments to ensure delivery confidence.
Epic: Organization-Level Security Policy Management (Policies v2) ⭐ HIGH CONFIDENCE | Complexity: XL
Link: &16664
DRI: @alan (interim), transitioning to @mcavoj when available
Goal: Review and merge the architectural blueprint for next-generation security policy management. This milestone focuses solely on architectural foundation rather than implementation.
Key Issues:
Success Criteria:
- Architectural blueprint reviewed, approved, and merged
- Technical feasibility documented and validated
- Foundation established for future implementation phases
Dependencies: Coordination with Secret Push Protection Configuration Profile team
Epic: Technical Debt - Simplify YAML Syntax and Preview ⭐ HIGH CONFIDENCE | Complexity: S
Goal: Add user setting to enable/disable the advanced policy editor, store it in user settings, and implement comprehensive usage tracking metrics.
Success Criteria:
- User setting implemented and stored in user settings
- Advanced editor can be toggled on/off per user preference
- Metrics tracking implemented for editor usage patterns
- Feature flag enabled globally and by default
📋 Additional Work - Supporting Our Goals
Stretch Goals (when capacity allows)
- Centralized Security Policy Management (GA) | Complexity: M · &19090 (frontend @aturinske / backend @bauerdominic) - deliver progress bar UI, validate performance of CSP
- Scheduled pipeline execution policies (GA) | Complexity: L · &14147 (frontend @aturinske / backend @Andyschoenen) - deliver improvements to move it to GA state; due to the Warn Mode work this is postponed and most probably we will not be able to deliver anything related to this one
- Spike: Refactoring Merge Request Approval Policies with Strategy Pattern | Complexity: M (#523067 (closed)) - due to limited capacity, will deliver either a WIP PoC or an architecture artifact for future implementation
- Other fixes and improvements.
Future Milestone Preparation - FY26-Q4 Interlock Commitments
Based on our FY26-Q4 interlock commitments, we need to prepare implementation issues and resolve design/requirements uncertainties for:
- Auto-dismiss irrelevant vulnerabilities (&10894) - Looking for volunteers for both frontend and backend implementation
- Add filter option for KEV in MR approval policies (&16311) - Looking for volunteers for both frontend and backend implementation
- Organization-Level Security Policy Management (Policies v2) - PoC delivery (already covered above)
Milestone %18.5 Goal: Create comprehensive implementation issues for epics #1 (closed) and #3 (closed), finalize designs, and resolve all requirements uncertainties to ensure smooth Q4 delivery.
Quality & Maintenance
- Critical bug fixes and performance optimizations
- Documentation updates for completed features
📅 Sprint/Weekly Breakdown
Critical Timeline: All work related to committed Epics should be completed by the end of Week 2, leaving 2 weeks for feature flag enablement and bug fixes.
Week 1-2: Core Implementation Phase
- User and Group Exceptions: Complete final implementation and integration testing
- Warn Mode: Complete reduced-scope MVC implementation
- Policies v2: Complete architectural blueprint review and approval process
- Technical Debt: Implement user settings and metrics tracking
Week 3: Feature Flag Rollout and Integration Testing
- Enable feature flags for completed features
- Comprehensive integration testing across all new features
- Performance validation and optimization
- Cross-Epic integration verification
Week 4: Release Preparation and Bug Fixes
- Address any critical bugs discovered during Week 3 testing
- Documentation updates and user guides
- Demo video recording for completed features
- Metrics validation and monitoring setup
- Final release preparation and sign-off
⚠️ Key Risks & Mitigations
Primary Risk: Insufficient Testing Time
Impact: Could compromise quality of delivered features, especially for Warn Mode with modified scope
Mitigation Plan:
- Front-load development work to maximize testing time in Weeks 3-4
- Implement automated testing early in Week 1-2 development phase
- Schedule dedicated testing phases with clear quality gates
- Warn Mode Specific: By Week 2, we will decide on next steps and scope adjustments to ensure delivery confidence
- Establish clear quality gates before feature flag enablement
Secondary Risk: Limited Team Capacity
Impact: Reduced flexibility to address unexpected issues or scope changes
Mitigation Plan:
- Maintain strict focus on committed interlock items only
- Establish clear escalation paths for blocking issues
- Cross-train team members on critical Epic components where possible
- Prepare contingency plans for each Epic if capacity becomes critically constrained
🚀 Next Steps
- DRIs: Review your Epic sections and confirm delivery approach given capacity constraints
- Team: Focus exclusively on interlock commitments to maximize delivery success
- Testing: Schedule dedicated testing phases early in milestone timeline
- Communication: Use this issue for progress updates and immediate escalation of any blockers
Epic DRIs are accountable for delivery success through proper planning, team coordination, and proactive risk management focused on outcomes rather than task completion.
Kanban Board: Security Policies Board
Group Priorities: Security Policies Direction