Compliance Pipeline to Security Policy Migration
# Background
Compliance pipelines can be used to ensure specific compliance-related jobs are run on pipelines for all projects in a group. Currently, compliance pipelines are applied to projects through compliance frameworks.
# Problem
Users need a single solution for enforcing jobs to be run as part of a project pipeline. They want a way to combine the flexibility of [compliance framework pipelines](https://docs.gitlab.com/ee/user/project/settings/index.html#compliance-pipeline-configuration) with the simplicity of [scan execution policies](https://docs.gitlab.com/ee/user/application_security/policies/#scan-execution-policy-schema).
Read more about the problem to solve [here](https://gitlab.com/groups/gitlab-org/-/epics/13266#problem-to-solve).
# Solution
Pipeline execution policies will support migration from [compliance pipelines](https://docs.gitlab.com/ee/user/project/settings/index.html#compliance-pipeline-configuration) to give users a single solution for enforcing jobs and scripts within a project pipeline. Follow along with progress in https://gitlab.com/groups/gitlab-org/-/epics/13266+.
Once the pipeline execution policy type is available, we will provide a step-by-step workflow for migrating from compliance pipelines to custom YAML within the new policy type.
We plan to complete all the work related to the migration by 19.0. We will communicate this change to affected customers in a number of ways, including:
* The iteration schedule in this issue;
* The [communication issue](https://gitlab.com/gitlab-org/gitlab/-/issues/467295), which also lays out the iteration schedule; and
* A number of blog posts, YouTube videos, and email outreach to ensure all affected customers receive reasonable notice of this change in advance of 19.0.
# Design - **Note: Some design updates required

| General banner in list page | In settings page (**updates required) |
|-----------------------------|---------------------------------------|
| (mockup image not included) | (mockup image not included)           |

**The user clicks on Migrate pipeline to a policy.**
* MVC -> Open a new tab on the new policy page

| Open a new tab on the new policy page (highlight the compliance pipeline) - **needs to reflect latest policy action UI |
|--------------------------------------------------------------------------------------------------------------------------|
| (mockup image not included)                                                                                              |

* Iteration (as shown below) -> Open a modal window -> Migrate without leaving the page -> Show status on the compliance center list page
| Migration step 1: modal window | Merge is pending - **out of scope | After policy merged (when the toast disappears, the green highlight will also disappear) |
|--------------------------------|-----------------------------------|------------------------------------------------------------------------------------------|
| (mockup image not included)    | (mockup image not included)       | (mockup image not included)                                                              |
# Iteration Plan
Together with our [communication plan](https://gitlab.com/gitlab-org/gitlab/-/issues/467295) for this deprecation and migration, we aim to be fully transparent about the stages of work, so that customers know ahead of time which stage of the plan we are in and when they can expect the deprecation and migration to be fully complete:
* https://gitlab.com/groups/gitlab-org/-/epics/12324+
  * Adding banners, the migration workflow, and docs
  * Working on this now
  * Scheduled to be released in 17.3
* https://gitlab.com/groups/gitlab-org/-/epics/14150+
  * Adding warning banners for new pipelines
  * Encourage users to try the pipeline execution policy instead
  * Scheduled to start work on this in 17.4
  * Scheduled to be released in 17.6
* https://gitlab.com/groups/gitlab-org/-/epics/12325+ (Remove compliance pipelines)
  * Scheduled to start work on this in 17.8
  * Scheduled to be released in 19.0
# Removal Rollout Plan
All of the removal work will be done behind a feature flag. The removal will be developed early (~17.8) to ensure correct testing and that alternate use cases are thought through. Between 17.8 and 18.8, we will communicate that the use of compliance pipelines is not recommended together with certain other features (e.g. pipeline execution policies or multiple compliance framework labels), and that there will be no feature enhancements or bug fixes for compliance pipelines. Communication items are based on our [communication plan here](https://gitlab.com/gitlab-org/gitlab/-/issues/467295).
By 18.8, we will plan the next steps based on an agreed-upon decision matrix plus telemetry on how many customers are still using compliance pipelines at that point.
### Acceptance Criteria
The following requirements _must be met_.
- [ ] The implementation shall not automatically create any new repositories, MRs, or source code without some explicit user action.
- [ ] Coordinate with CSMs to communicate upcoming changes based on what we know at that time. This will ensure customers have adequate warning of upcoming changes.
### Documentation
1. https://docs.gitlab.com/ee/user/group/compliance_pipelines.html
   1. Update the page to mark it deprecated
   2. Add a section detailing the steps to migrate to pipeline execution policies
2. https://docs.gitlab.com/ee/user/application_security/policies/
   1. Create a new page under this section for pipeline execution policies
   2. Add a section referencing the deprecated compliance pipelines with a note regarding migration
### Feature Usage Metrics
1. Use "[Companies using selected metric](https://10az.online.tableau.com/#/site/gitlab/views/DRAFTMetricsDemographics/Companiesusingselectedmetric/b252594e-649e-44f0-bd9f-f0e77f313d34/CompaniesusingCompliance?:iid=3)" chart of the Firmographics Dashboard to analyze compliance pipeline usage, which should decrease.
<!--triage-serverless v3 PLEASE DO NOT REMOVE THIS SECTION-->
_This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc._
<!--triage-serverless v3 PLEASE DO NOT REMOVE THIS SECTION-->