[FF] vulnerability_flag_status_based_gating -- Gate FP badge on flag status instead of confidence score

Summary

This issue is to roll out the feature on production, that is currently behind the vulnerability_flag_status_based_gating feature flag.

Owners

• Most appropriate Slack channel to reach out to: #sec-ai-experiments
• Best individual to reach out to: @xanf

Expectations

What are we expecting to happen?

When enabled, the FP (false positive) badge visibility will be gated on the vulnerability flag's status field instead of confidenceScore. This enables showing badges for AI-detected flags regardless of confidence score, including pending and failed detection states.

What can go wrong and how would we detect it?

• FP badges could disappear or appear incorrectly on the vulnerability report or vulnerability details page.
• The dismiss false positive button could become unavailable for completed detections.
• Monitor the vulnerability report and individual vulnerability pages for correct badge rendering.

Rollout Steps

Note: Please make sure to run the chatops commands in the Slack channel that gets impacted by the command.

Rollout on non-production environments

• Verify the MR with the feature flag is merged to master and has been deployed to non-production environments with /chatops gitlab run auto_deploy status <merge-commit-of-your-feature>
• Deploy the feature flag at a percentage (recommended percentage: 50%) with /chatops gitlab run feature set vulnerability_flag_status_based_gating 50 --actors --dev --pre --staging --staging-ref
• Monitor that the error rates did not increase (repeat with a different percentage as necessary).
• Enable the feature globally on non-production environments with /chatops gitlab run feature set vulnerability_flag_status_based_gating true --dev --pre --staging --staging-ref
• Verify that the feature works as expected. The best environment to validate the feature in is staging-canary as this is the first environment deployed to. Make sure you are configured to use canary.
• If the feature flag causes end-to-end tests to fail, disable the feature flag on staging to avoid blocking deployments.

Before production rollout

• If the change is significant and you wanted to announce in #whats-happening-at-gitlab, it best to do it before rollout to gitlab-org/gitlab-com.

Specific rollout on production

For visibility, all /chatops commands that target production must be executed in the #production Slack channel and cross-posted (with the command results) to the responsible team's Slack channel.

• Ensure that the feature MRs have been deployed to both production and canary with /chatops gitlab run auto_deploy status <merge-commit-of-your-feature>
• Depending on the type of actor, pick one of these options:
  • For project-actor: /chatops gitlab run feature set --project=gitlab-org/gitlab vulnerability_flag_status_based_gating true
  • For group-actor: /chatops gitlab run feature set --group=gitlab-org vulnerability_flag_status_based_gating true
• Verify that the feature works for the specific actors.

Preparation before global rollout

• Set a milestone to this rollout issue to signal for enabling and removing the feature flag when it is stable.
• Check if the feature flag change needs to be accompanied with a change management issue.
• Ensure that you or a representative in development can be available for at least 2 hours after feature flag updates in production.
• Ensure that documentation exists for the feature, and the version history text has been updated.
• Notify the #support_gitlab-com Slack channel and your team channel.

Global rollout on production

For visibility, all /chatops commands that target production must be executed in the #production Slack channel and cross-posted (with the command results) to the responsible team's Slack channel.

• Incrementally roll out the feature on production.
  • Example: /chatops gitlab run feature set vulnerability_flag_status_based_gating <rollout-percentage> --actors.
  • Between every step wait for at least 15 minutes and monitor the appropriate graphs on https://dashboards.gitlab.net.
• After the feature has been 100% enabled, wait for at least one day before releasing the feature.

Release the feature

After the feature has been deemed stable, the clean up should be done as soon as possible to permanently enable the feature and reduce complexity in the codebase.

• Create a merge request to remove the vulnerability_flag_status_based_gating feature flag.
• Ensure that the cleanup MR has been included in the release package.
• Close the feature issue to indicate the feature will be released in the current milestone.
• Once the cleanup MR has been deployed to production, clean up the feature flag from all environments: /chatops gitlab run feature delete vulnerability_flag_status_based_gating --dev --pre --staging --staging-ref --production
• Close this rollout issue.

Rollback Steps

• This feature can be disabled on production by running the following Chatops command:

/chatops gitlab run feature set vulnerability_flag_status_based_gating false

• Disable the feature flag on non-production environments:

/chatops gitlab run feature set vulnerability_flag_status_based_gating false --dev --pre --staging --staging-ref

• Delete feature flag from all environments:

/chatops gitlab run feature delete vulnerability_flag_status_based_gating --dev --pre --staging --staging-ref --production