Feature flag rollout: dependency_malware_field_project
Summary
Rollout issue for the dependency_malware_field_project feature flag introduced in !233323 (merged).
This flag gates the new malware field on the project-level dependency surfaces:
| Surface | Endpoint / Type |
|---|---|
| GraphQL | DependencyType via DependencyInterface |
| Grape REST API | GET /api/v4/projects/:id/dependencies |
| Controller JSON | GET /projects/:id/-/dependencies.json |
A companion group-level flag (dependency_malware_field_group) is tracked in its own rollout issue alongside MR !233324.
Feature flag
| Flag | Type | Scope | Default |
|---|---|---|---|
| `dependency_malware_field_project` | wip | project | disabled |
Must be used in conjunction with the sscs_malware_detection WIP feature flag (which gates whether the SSCS add-on is considered active). When sscs_malware_detection is off, the malware field returns null even with this flag enabled.
Field semantics (when flag is enabled)
| Condition | `malware` value |
|---|---|
| GLAM-prefixed identifier on any vulnerability for the dependency | `true` |
| No GLAM identifier and `sscs_malware_detection` enabled | `false` |
| `sscs_malware_detection` disabled | `null` |
When the flag itself is disabled, the field returns null in GraphQL and is omitted in REST / Controller responses.
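The three-state value and the GraphQL-vs-REST difference above, modelled as an added Ruby example (not GitLab's own resolver or entity code). The `flags` hash stands in for `Feature.enabled?`, the identifier strings are constructed fixtures, and matching on a `GLAM` prefix is an assumption about the identifier format.

```ruby
# Added example, not GitLab code: models the `malware` field semantics.
# `identifiers` is a constructed, flattened list of identifier names across
# every vulnerability attached to one dependency; `flags` is a constructed
# stand-in for Feature.enabled? checks.
GLAM_PREFIX = "GLAM".freeze # assumed prefix of a malware (GLAM) identifier

# true / false / nil, following the field-semantics table.
def malware_value(identifiers, flags)
  return nil unless flags[:sscs_malware_detection] # add-on inactive => null
  identifiers.any? { |id| id.start_with?(GLAM_PREFIX) }
end

# GraphQL: the field is always present in the type; null when gated off.
def graphql_dependency(name, identifiers, flags)
  value = flags[:dependency_malware_field_project] ? malware_value(identifiers, flags) : nil
  { "name" => name, "malware" => value }
end

# REST / controller JSON: the key is omitted entirely when gated off.
def rest_dependency(name, identifiers, flags)
  out = { "name" => name }
  out["malware"] = malware_value(identifiers, flags) if flags[:dependency_malware_field_project]
  out
end

# Constructed fixtures covering each row of the table plus the flag-off case.
FLAGS_ON      = { dependency_malware_field_project: true,  sscs_malware_detection: true }.freeze
FLAGS_NO_SSCS = { dependency_malware_field_project: true,  sscs_malware_detection: false }.freeze
FLAGS_OFF     = { dependency_malware_field_project: false, sscs_malware_detection: true }.freeze
IDS_GLAM = ["CVE-2024-12345", "GLAM-2024-0001"].freeze # constructed sample values
IDS_CVE  = ["CVE-2024-12345"].freeze

if $PROGRAM_NAME == __FILE__
  p graphql_dependency("left-pad", IDS_GLAM, FLAGS_ON)     # {"name"=>"left-pad", "malware"=>true}
  p rest_dependency("left-pad", IDS_CVE, FLAGS_ON)         # {"name"=>"left-pad", "malware"=>false}
  p rest_dependency("left-pad", IDS_GLAM, FLAGS_NO_SSCS)   # {"name"=>"left-pad", "malware"=>nil}
  p rest_dependency("left-pad", IDS_GLAM, FLAGS_OFF)       # {"name"=>"left-pad"}
end
```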
Rollout steps
Enable on staging
- Enable `dependency_malware_field_project` on staging
- Verify the `malware` field appears in GraphQL `DependencyType` responses
- Verify the `malware` field appears in `GET /api/v4/projects/:id/dependencies`
- Verify the `malware` field appears in `GET /projects/:id/-/dependencies.json`
- Verify expected `true` / `false` / `null` values against test data (see MR description)
- Check for query / latency regressions on the dependency list endpoints
Enable on production (percentage rollout)
- Enable for a specific project / group first
- Monitor for errors and latency regressions on the affected endpoints
- Gradually increase rollout percentage
- Enable globally
Cleanup
- Remove the `dependency_malware_field_project` feature flag and always expose the field
- Remove `malware_field_enabled?` gates in `DependencyInterface`, `DependencyEntity`, and `API::Entities::Dependency`
- Update the FF YAML / docs
Related
- Implementation MR: !233323 (merged)
- Companion group-level MR: !233324
- Parent issue: #587647
- Parent epic: gitlab-org#18456