Spike: PoC for extending policy scope with security attributes selection (Backend)
## Summary

Create a Proof of Concept (PoC) to extend security policy scope with the ability to select security attributes. This spike focuses on **backend implementation only**.

## Background

As part of [&18312](https://gitlab.com/groups/gitlab-org/-/work_items/18312) (Security Policy Integration with Security Attributes), we need to explore how to integrate security attributes into the policy scoping mechanism. This will enable attribute-based policy targeting, allowing security teams to apply policies based on business context rather than manual project selection.

## Goals

1. **Investigate** the current policy scope implementation and identify extension points
2. **Design** a backend approach to add security attributes as a scoping criterion
3. **Implement** a working PoC demonstrating:
   - Querying available security attributes
   - Adding security attributes to policy scope definition
   - Evaluating policy applicability based on project security attributes
4. **Document** findings, technical decisions, and recommended approach for production implementation

## Scope

### In Scope

- Backend API changes to support security attributes in policy scope
- Policy evaluation logic to match projects by security attributes
- Integration with existing security attributes system
- Support for attribute categories: Business Impact, Application, Business Unit, Internet Exposure, Lifecycle Stage

### Out of Scope

- Frontend/UI changes
- Production-ready implementation
- Performance optimization
- Full test coverage

## Technical Considerations

- How to extend the existing policy scope YAML schema
- Query mechanism for fetching security attributes
- Policy evaluation performance with attribute-based filtering
- AND/OR logic for multiple attribute conditions (reference [#569793](https://gitlab.com/gitlab-org/gitlab/-/issues/569793))

## Acceptance Criteria

- [ ] PoC demonstrates adding security attributes to policy scope definition
- [ ] PoC shows policy evaluation based on project security attributes
- [ ] Technical findings documented
- [ ] Recommended approach for production implementation outlined

**Labels:** `~"group::security policies"` `~"section::sec"` `~"devops::security risk management"` `~"type::feature"` `~"workflow::refinement"`

**Parent Epic:** [&18312](https://gitlab.com/groups/gitlab-org/-/work_items/18312)
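As an added illustration of Goal 3 and the AND/OR question raised under Technical Considerations (this is example code written for this page, not GitLab's implementation): a hypothetical `security_attributes` block in the policy scope YAML, validated against the five attribute categories listed above and evaluated against constructed sample projects. The schema, the `match: all|any` key, the function names and the sample projects are all assumptions.

```ruby
require 'yaml'
# Hypothetical `security_attributes` block for the policy scope YAML, constructed
# for this example (not GitLab's schema). An explicit `match` key keeps AND/OR unambiguous.
POLICY_SCOPE_YAML = <<~YAML
  policy_scope:
    security_attributes:
      match: all   # "all" = AND across conditions, "any" = OR
      conditions:
        - category: Business Impact
          values: [Critical, High]
        - category: Internet Exposure
          values: [Internet-facing]
YAML

SUPPORTED_CATEGORIES = ['Business Impact', 'Application', 'Business Unit',
                        'Internet Exposure', 'Lifecycle Stage'].freeze
# Validate up front so a typo in a category name fails loudly instead of
# silently matching no project (or every project).
def parse_scope(yaml)
  scope = YAML.safe_load(yaml).fetch('policy_scope').fetch('security_attributes')
  raise ArgumentError, 'match must be "all" or "any"' unless %w[all any].include?(scope['match'])
  (scope['conditions'] || []).each do |c|
    raise ArgumentError, "unknown category #{c['category']}" unless SUPPORTED_CATEGORIES.include?(c['category'])
  end
  scope
end
# A condition matches when the project's attribute in that category is among
# the listed values; a project lacking the category never matches.
def condition_matches?(condition, project_attributes)
  value = project_attributes[condition['category']]
  !value.nil? && condition['values'].include?(value)
end
# Fail closed: a scope with no conditions applies to no project.
def scope_applies?(scope, project_attributes)
  conditions = scope['conditions'] || []
  return false if conditions.empty?
  check = scope['match'] == 'all' ? :all? : :any?
  conditions.public_send(check) { |c| condition_matches?(c, project_attributes) }
end
# Constructed sample projects, keyed by attribute category (hypothetical data).
PROJECTS = {
  'payments-api'  => { 'Business Impact' => 'Critical', 'Internet Exposure' => 'Internet-facing' },
  'internal-tool' => { 'Business Impact' => 'High', 'Internet Exposure' => 'Internal' },
  'unclassified'  => {}
}.freeze
def projects_in_scope(yaml = POLICY_SCOPE_YAML, projects = PROJECTS)
  scope = parse_scope(yaml)
  projects.select { |_name, attrs| scope_applies?(scope, attrs) }.keys
end
```

With `match: all` only `payments-api` is in scope; switching to `match: any` also pulls in `internal-tool`, while a project with no attributes never matches under either operator.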