Remove security_policies_severity_customize feature flag (!233873) · Merge requests · GitLab.org / GitLab

What does this MR do and why?

Removes the security_policies_severity_customize feature flag introduced in 18.9 (default_enabled: true). The flag has been running in production without issues and is ready for cleanup in 19.0.

The flag gated the severity override action in vulnerability management policies — both the backend auto-override pipeline worker/service and the frontend policy editor UI components. All code behind the flag is now unconditional.

References

Cleanup issue: #596540
Original feature issue: gitlab-org#15839 (closed)
Introduced by: !222151 (merged)
Rollout issue: #588540 (closed)

Screenshots or screen recordings

How to set up and validate locally

Ensure no references to security_policies_severity_customize remain: grep -r security_policies_severity_customize ee/ --include="*.rb" --include="*.vue" --include="*.js" --include="*.yml" → should return nothing
Navigate to a project's security policies page
Create a vulnerability management policy — the severity override action type should be available without any feature flag configuration

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist.

Edited Apr 30, 2026 by Alexander Turinske

Remove security_policies_severity_customize feature flag

What does this MR do and why?

References

Screenshots or screen recordings

How to set up and validate locally

MR acceptance checklist

Merge request reports