Migrate USRM triage rules from unified-security-risk-management

Overview

This merge request migrates triage automation rules for Unified Security Risk Management (USRM) findings from the unified-security-risk-management project into triage-ops, consolidating security triage automation in a single location.

Changes

New Policies

Migrated 4 policy files organized by target scope:

Group-level policies (policies/groups/):

  • gitlab-com/red-team/automation.yml - Red Team recommendations for gitlab-com
  • gitlab-org/red-team/automation.yml - Red Team recommendations for gitlab-org
  • gitlab-com/threat-intel/automation.yml - Threat Intelligence recommendations for gitlab-com
  • gitlab-org/threat-intel/automation.yml - Threat Intelligence recommendations for gitlab-org

Policy Capabilities

Red Team Recommendations (.com & .org)

  • Nudge stale issues (30+ days)
  • Flag long-stalled issues (2+ months)
  • Alert on missing assignees (10+ days old)
  • Prompt for missing due dates (30+ days old)
  • Flag past-due recommendations
  • Validate required labels (Department, priority, severity, STORM Risk, USRM Workflow, FindingCoordinator)
  • Ensure outcome labels on closed items (RecOutcome)

Threat Intelligence Recommendations (.com & .org)

  • Nudge stale issues (30+ days)
  • Flag long-stalled issues (2+ months)
  • Alert on missing assignees (10+ days old)
  • Prompt for missing due dates (30+ days old)
  • Flag past-due recommendations
  • Validate required labels (group, priority, severity, STORM Risk, TIRec, USRM Workflow, FindingCoordinator)
  • Ensure outcome labels on closed items (RecOutcome)
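As an added illustration (not one of the migrated policy files), the fragment below shows how two of the rules above look as gitlab-triage policy rules: the 30-day stale nudge and the closed-without-outcome check. The exact label strings ("Red Team", the RecOutcome values, the triage label) are assumptions; the real policies use whatever labels the groups define.

```yaml
# Added example, not one of the migrated automation.yml files.
# Label names below are assumptions for illustration only.
resource_rules:
  issues:
    rules:
      # "Nudge stale issues (30+ days)": an open recommendation with no
      # update for 30 days gets a reminder comment instead of going quiet.
      - name: Nudge stale Red Team recommendations
        conditions:
          state: opened
          labels:
            - Red Team
          date:
            attribute: updated_at
            condition: older_than
            interval_type: days
            interval: 30
        actions:
          comment: |
            This Red Team recommendation has had no activity for 30 days.
            Please post a status update, set a due date, or close it with
            a RecOutcome label.

      # "Ensure outcome labels on closed items": a closed recommendation that
      # carries none of the RecOutcome labels is flagged so the disposition
      # of the finding is recorded. forbidden_labels matches only when the
      # issue has none of the listed labels, so every RecOutcome value must
      # be enumerated here (assumed values shown).
      - name: Flag closed recommendations without an outcome
        conditions:
          state: closed
          labels:
            - Red Team
          forbidden_labels:
            - RecOutcome::Remediated
            - RecOutcome::Risk Accepted
            - RecOutcome::Not Applicable
        actions:
          labels:
            - triage::missing-outcome
          comment: |
            This recommendation was closed without a RecOutcome label.
            Please add the appropriate RecOutcome label so the result of
            the finding is captured.
```

Running this file through the dry-run:custom job with TRIAGE_SOURCE_TYPE set to groups previews the comments and labels without applying them.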

Schedule Configuration

  1. Reused the existing gitlab-org group daily jobs for red team and threat intel.
  2. Created a new group schedule for gitlab-com.

Testing

These policies should be tested using the dry-run:custom job before merging:

  1. Navigate to the pipeline for this MR
  2. Select the dry-run:custom job
  3. Add variables:
    • TRIAGE_POLICY_FILE: path to specific policy file
    • TRIAGE_SOURCE_TYPE: projects or groups
    • TRIAGE_SOURCE_PATH: target project/group ID
  4. Trigger the manual job to preview changes

See SCHEDULED.md - Testing Policies and Schedules for detailed testing instructions.

Checklist

  • Policies have been tested with dry-run:custom job
  • Schedule configuration added to pipeline-schedules.yml
  • CI jobs configured to handle new variables
  • No breaking changes to existing schedules

Edited by Kyle Smith