Security Risk Management: Security Policies 18.6 + 18.7 Planning Issue
Security Risk Management: Security Policies 18.6 Planning Issue
Previous planning issue: Security Risk Management: Security Policies 18.... (#570796 - closed)
🎉 Thank You - %18.5 Milestone Deliveries
Excellent work team on completing our %18.5 commitment! We successfully delivered:
- User and Group Exceptions in MR Approval Policies (&18114 (closed)) - Administrators now have comprehensive control over policy bypass permissions
Additionally, we made significant progress on:
- Technical Debt - Advanced Policy Editor Settings (&15106) - Advanced editor toggle implemented, metrics tracking planned for %18.6
- Organization-Level Security Policy Management (Policies v2) Architecture Blueprint (&16664) - Architectural foundation in final review
Thank you to everyone on the team for your dedication and collaborative effort!
FY26-Q4 Start: This milestone marks the beginning of our new quarter with fresh interlock commitments focused on vulnerability management automation and risk-based filtering.
🎯 INTERLOCK COMMITMENTS - Our Primary Focus
Accountability Focus: Epic-level DRI ownership with outcome-focused delivery. DRIs are accountable for their Epic's success and will engage team members as needed.
Feature Flag Strategy: We consider a feature as delivered when the feature flag is enabled globally and BY DEFAULT.
Metrics Requirement: Every delivered Epic must have adoption metrics implemented for tracking usage patterns.
Epic: MR Approval Policies Warn Mode (Beta Release) ⭐ HIGH CONFIDENCE | Complexity: L
Link: &15552 (closed)
DRI: @Andyschoenen (Backend) / @aturinske (Frontend)
Team: @mc_rocha, @imam_h, @bauerdominic, @Andyschoenen, @aturinske
Goal: Deliver Beta release of warn mode with core functionality enabled behind feature flag for early customer feedback. This slipped from %18.5 and is our primary commitment for %18.6, with GA release planned for %18.7.
Key Issues: [Issues carried over from %18.5 - to be determined based on final %18.5 status]
Success Criteria:
- Beta feature flag enabled for selected customers
- Core warn mode functionality tested and validated
- Early customer feedback collection mechanism in place
- Adoption metrics implemented and tracking
- Clear path to GA release in %18.7 documented
Dependencies: None
Epic: Auto-dismiss irrelevant vulnerabilities 🆕 | Complexity: L
Link: &10894 (closed)
Priority: P1 (FY26-Q4 Interlock) | NO COMMITMENT in this milestone
DRI: @mcavoj (Backend) / @aturinske (Frontend)
Backend Support: @sashi_kumar
Goal: Create comprehensive implementation issues, finalize designs, and resolve all requirements uncertainties. Begin backend and frontend implementation if capacity allows.
Key Issues:
Success Criteria:
- All implementation issues created with clear acceptance criteria
- Design requirements finalized and approved
- Technical approach validated through spike or PoC
- Backend and frontend breakdown complete for Q4 delivery
Dependencies: Design completion, requirements finalization
Epic: Add filter option for KEV/EPSS in MR approval policies 🆕 | Complexity: M
Link: &16311
Priority: P3 (FY26-Q4 Interlock) | NO COMMITMENT in this milestone
DRI: @arfedoro (Frontend) / @bauerdominic (Backend)
Backend Support: @imam_h
Goal: Create comprehensive implementation issues, finalize designs, and resolve all requirements uncertainties. Begin implementation if capacity allows.
Key Issues:
- Design: Filter options for KEV/EPSS (#556415 - closed) • Torian Parker • 18.10
- [Frontend]: Add KEV filter to a policy editor (#576860 - closed) • Artur Fedorov • 18.6
- [Feature flag]: Roll out feature flag security_... (#576858 - closed) • Marcos Rocha, Artur Fedorov+ • 18.11
- BE: Add support for KEV and EPSS filter in MRAP... (#577672 - closed) • Marcos Rocha, Imam Hossain • 18.9
- BE: Add support for EPSS filter in MRAP policy (#577671 - closed) • Imam Hossain • 18.8
Success Criteria:
- All implementation issues created with clear acceptance criteria
- Design requirements finalized and approved
- Technical feasibility validated
- Implementation plan ready for Q4 delivery
Dependencies: Design completion in %18.6
Epic: Organization-Level Security Policy Management (Policies v2 - PoC) ⭐ HIGH CONFIDENCE | Complexity: XL
Link: &16664
Priority: P3 (FY26-Q4 Interlock)
DRI: @alan
Backend Support Team: Entire backend team
Goal: Complete PoC implementation demonstrating key architectural concepts with working prototype for single policy type. This builds on the architectural blueprint completed in %18.5.
Key Issues:
Success Criteria:
- Working PoC with single policy type (Scan Execution Policy)
- API-first CRUD operations functional
- Policy reference system working
- Performance targets validated
- Foundation ready for full implementation planning
Dependencies: Coordination with Secret Push Protection Configuration Profile team
📋 Additional Work - Supporting Our Goals
Quality & Maintenance
- Spike: Refactoring Merge Request Approval Policies with Strategy Pattern | Complexity: M (#523067 (closed)) - Architecture artifact or WIP PoC as capacity allows
- Critical bug fixes and performance optimizations
- Documentation updates for %18.5 delivered features
📅 Sprint/Weekly Breakdown
Critical Timeline: All work related to committed Epic (Warn Mode Beta) should be completed by end of Week 2, with Weeks 3-4 for feature flag rollout and validation.
Week 1-2: Core Implementation Phase
- Warn Mode Beta: Complete remaining implementation and integration testing
- Auto-dismiss vulnerabilities: Create implementation issues, finalize designs, begin development
- KEV filtering: Create implementation issues, finalize designs, begin development
- Policies v2 PoC: Build working prototype with API-first approach
Week 3: Feature Flag Rollout and Integration Testing
- Enable Warn Mode Beta feature flag for selected customers
- Comprehensive integration testing for all new work
- Performance validation and optimization
- Q4 Epic progress validation
Week 4: Release Preparation and Customer Feedback
- Warn Mode Beta customer feedback collection
- Documentation updates and user guides
- Bug fixes for any critical issues
- Q4 Epic readiness assessment for upcoming milestones
⚠️ Key Risks & Mitigations
Primary Risk: Q4 Epic Preparation Delay
Impact: Could delay FY26-Q4 interlock deliveries if design/requirements not finalized in %18.6
Mitigation Plan:
- Prioritize design finalization for Auto-dismiss and KEV filtering in Week 1
- Create implementation issues by end of Week 2 at latest
- Front-load technical feasibility validation
- Identify any scope reduction opportunities early
Secondary Risk: Warn Mode Beta Slip
Impact: Missing Beta release would push GA release beyond %18.7
Mitigation Plan:
- Warn Mode is sole HIGH CONFIDENCE commitment for %18.6
- Focus team capacity on completing Beta implementation
- Reduce Q4 prep work scope if Warn Mode shows any delays
- Establish go/no-go decision point by end of Week 1
🚀 Next Steps
- DRIs: Review your Epic sections and confirm delivery approach
- Team: Prioritize Warn Mode Beta as primary commitment
- Q4 Preparation: Engage with design finalization for Auto-dismiss and KEV filtering
- Communication: Use this issue for progress updates and escalate blockers immediately
📊 Planning Approach Reminder
We've shifted from individual task tracking to Epic-level accountability. All items with Deliverable label scheduled for %18.6 must be delivered or rescheduled immediately. Review your assigned work on the Security Policies milestone board and reschedule anything you cannot commit to delivering in full.
Epic DRIs are fully accountable for complete delivery - no partial completions accepted.
Kanban Board: Security Policies Board
Group Priorities: Security Policies Direction