Security Risk Management: Security Policies 18.8 Planning Issue

Security Risk Management: Security Policies 18.8 Planning Issue

Previous planning issue: #577677 (closed)

🎉 Thank You - %18.7 Milestone Deliveries

Incredible work team on delivering MR Approval Policies Warn Mode to GA! 🎉

We successfully completed and released MR Approval Policies Warn Mode (&15552 (closed)) as a GA feature in %18.7. This was a complex, high-value feature that gives security teams the flexibility to deploy policies with measured impact while maintaining governance controls. All final MRs were merged, feature flags enabled globally and by default, with no last-minute issues during rollout.

Special Recognition: Thank you to @aturinske for exemplary DRI leadership throughout the Warn Mode execution. The approach of forming focused teams with clear ownership and decision-making authority proved highly effective and serves as an excellent model for future Epic delivery. This leadership style enabled the team to work with autonomy while maintaining alignment on delivery goals.

Thank you to the entire team - @Andyschoenen, @mc_rocha, @imam_h, @bauerdominic, and @aturinske - for your dedication, collaboration, and hard work in delivering this important capability! 🎉

Additionally, we made strong progress on Auto-dismiss irrelevant vulnerabilities with most MRs either merged or in review, positioning us well for %18.8 delivery.

FY26-Q4 Milestone: This is the final milestone of our Q4 commitments with primary focus on delivering Auto-dismiss irrelevant vulnerabilities.

CRITICAL: Important Dates & Timeline Constraints

Milestone Timeline:

  • Starts: December 15, 2025
  • Code freeze: January 9, 2026
  • Release: January 15, 2026

Holiday Impact:

  • December 25-26: Christmas (National Holiday in most countries)
  • December 26, 29, 30, 31: Family and Friends Days
  • January 1: New Year's Day (National Holiday in most countries)

🚨 End-of-Year Hard Production Change Lock (PCL):

  • Active: December 22, 2025 22:00 UTC → January 5, 2026 02:00 UTC
  • No deployments, feature flag changes, or infrastructure changes allowed

⚠️ CRITICAL CONSTRAINT: We have only 4 working days in January (Jan 6-9) to enable Auto-dismiss by default and complete final release preparation. This means ALL implementation work must be completed and feature flags ready for enablement by December 20, 2025.

🎯 INTERLOCK COMMITMENTS - Our Primary Focus

Feature Flag Strategy: We consider a feature as delivered when the feature flag is enabled globally and BY DEFAULT.

Metrics Requirement: Every delivered Epic must have adoption metrics implemented for tracking usage patterns.

Epic: Auto-dismiss irrelevant vulnerabilities HIGH CONFIDENCE | Complexity: L

Link: &10894 (closed)\ Priority: P1 (FY26-Q4 Interlock - Final Milestone)
DRI: @mcavoj (Backend) / @arfedoro (Frontend)

Goal: Complete delivery and enable by default, providing security teams with automated vulnerability dismissal based on configurable criteria (directory, file path, identifier). This is our primary Q4 commitment and must be completed before the holiday PCL.

Success Criteria:

  • Feature flag enabled globally and by default by January 9, 2026
  • All implementation completed before December 20, 2025 PCL deadline
  • Vulnerability Report filtering functional
  • Switching mechanism implemented and tested
  • Adoption metrics implemented and tracking
  • Demo video and documentation complete

Critical Path:

  • By Dec 20: All critical MRs merged, feature ready for staging rollout
  • Dec 16-20: Final staging validation
  • Jan 6-9: Enable by default and final release preparation

📋 Additional Work - Supporting Our Goals

Follow-up Work from Warn Mode GA

  • Address non-critical follow-ups identified during GA rollout
  • Performance monitoring and optimization
  • Documentation refinements based on early user feedback

KEV/EPSS Filtering Preparation for Q1

Backend Work - Target %18.8 | Complexity: M
Link: &16311\ DRI: @imam_h (Backend) / @arfedoro (Frontend)

Goal: Complete backend implementation for KEV/EPSS filters behind feature flag, preparing for frontend delivery in %18.9.

Key Issues:

Note: Updated designs significantly changed policy YAML structure. Backend filters may be completed in %18.8 behind feature flag, with full frontend integration in %18.9 (Q1 2025).

Q1 FY27 Preparation

Automated Vulnerability Severity Overrides/Customization Policy | Complexity: TBD
Link: &15839 (closed) | Target: 18.11 (Q1 FY27)
Looking for Frontend & Backend Volunteers

%18.8 Action Required: All team members should read through the Epic and start raising questions to @g.hickman. We need DRIs to step forward for this P2 interlock commitment. (Grant note: @tparker1 is working on designs 😄 )

Q2 FY26 Committed Items (Clarification early next year)

Seeking DRI volunteers for these committed deliverables:

  1. Scheduled Pipeline Execution Policies - GA Release - Finalizing and officially releasing with capabilities like Test Run, service account selection, increased limits | Complexity: M
  2. MR Approval Policy Malicious Packages Attribute - Adding new attribute similar to KEV/EPSS filtering | Complexity: L
  3. Security Policy Integration with Security Attributes - Expanding Policy Scope to allow Security Attributes selection | Complexity: M/H

%18.8 Goal: Identify DRIs and begin early planning discussions.

Quality & Maintenance

  • Critical bug fixes and performance optimizations
  • Documentation updates for Warn Mode GA
  • Monitoring and metrics validation for delivered features

📅 Sprint/Weekly Breakdown

CRITICAL: All Auto-dismiss implementation must be completed by December 20 to avoid PCL conflict.

Week 1 (Dec 15-20): Implementation Sprint

  • Auto-dismiss: Complete all remaining MRs and merge before PCL
  • Auto-dismiss: Final staging validation
  • KEV/EPSS Backend: Continue backend filter implementation
  • Q1 Preparation: Create implementation issues for deferred epics

Week 2-3 (Dec 21 - Jan 5): HOLIDAY PCL PERIOD

  • No deployments, feature flag changes, or infrastructure modifications allowed
  • Team downtime for holidays
  • Planning and preparation work only
  • Working on tasks/bugs assigned to you

Week 4 (Jan 6-9): CRITICAL RELEASE WINDOW

  • Auto-dismiss: Enable feature flag by default
  • Auto-dismiss: Final validation and release preparation
  • Auto-dismiss: Documentation and demo video finalization
  • All work must be completed by January 9 code freeze

⚠️ Key Risks & Mitigations

Primary Risk: PCL Timing Constraint

Impact: Only 4 working days in January to enable Auto-dismiss by default and complete release

Mitigation Plan:

  • All implementation work completed by December 20, 2025 (hard deadline)
  • Feature fully tested and validated on staging before PCL begins
  • Feature flag rollout plan pre-approved and documented
  • Clear rollback procedures established
  • DRI availability confirmed for January 6-9 window

Secondary Risk: Holiday Team Availability

Impact: Reduced availability during critical implementation period and January release window

Mitigation Plan:

  • Front-load all critical work into December 15-20 window
  • Identify backup DRI coverage for January 6-9 period
  • Document all decisions and rollout procedures before holidays
  • Establish emergency escalation paths for January release week

Third Risk: UX Review Availability

Impact: Missing UX review for switching mechanism and KEV/EPSS design changes

Mitigation Plan:

  • Proceeding with proposed approach for Auto-dismiss switching mechanism to avoid delays
  • KEV/EPSS frontend deferred to %18.9 to allow time for proper UX review
  • Document UX decisions and rationale for post-holiday review

🚀 Next Steps

  1. DRIs: Confirm availability for critical December 15-20 implementation sprint and January 6-9 release window
  2. Auto-dismiss DRIs (@mcavoj, @arfedoro): Prioritize all remaining work for December 20 completion
  3. Q1 DRI Volunteers: Review Q1 and Q2 epics and volunteer for ownership
  4. Team: Read Automated Vulnerability Severity Overrides Epic and raise questions to @g.hickman

📊 Planning Approach Reminder

Epic-level accountability continues. All items with Deliverable label scheduled for %18.8 must be delivered or rescheduled immediately. Given the PCL constraint, any items that cannot be completed by December 20 must be moved to %18.9 now.

Q1 DRIs: Ensure all implementation issues are created by end of %18.8 milestone to prepare for smooth Q1 execution.

Kanban Board: Security Policies Board
Group Priorities: Security Policies Direction

Edited by Grant Hickman