Introduce Scan Result Security Policies
### Release notes

### Problem to solve

Currently, the Vulnerability Check functionality has several problems:

- The Vulnerability Check rules are not flexible enough, as they do not allow users to customize several key aspects of the check
- Permissions to edit Vulnerability Check rules cannot be limited to just the security team
- There is no way to enforce a two-step approval process for changes to the Vulnerability Check
- Vulnerability Check must be set up for each project in the organization, which does not scale for organizations that have thousands of projects
- Vulnerability Check cannot be configured at the group or workspace levels
- Vulnerability Check is configured in a different location from the rest of the project's security policies

### Intended users

* [Cameron (Compliance Manager)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#cameron-compliance-manager)
* [Devon (DevOps Engineer)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#devon-devops-engineer)
* [Sidney (Systems Administrator)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#sidney-systems-administrator)
* [Alex (Security Operations Engineer)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#alex-security-operations-engineer)

### Design: User experience goal

* Figma: https://www.figma.com/file/actVYkcrS1tcHCc890DOdv/Vulnerability-check-approval-rules?node-id=120%3A4988
* Video walkthrough: https://youtu.be/-WHILcrp0Wc
* Design issue: for the details of the design, see https://gitlab.com/gitlab-org/gitlab/-/issues/334848

| Animated workflow |
| ------ |
| ![1](/uploads/0ea83fec9bf5ec7af93cd79fa3ab2136/1.gif) |

| MR approval area - empty policy status | MR approval area - policy status | MR approval area - policy status, detail opened |
| ------ | ------ | ------ |
| ![mr-approvals-separate-policies-no-policy-yet](/uploads/a1c86028a214e07d48dfd8bffddd4495/mr-approvals-separate-policies-no-policy-yet.png) | ![mr-approvals-separate-policies](/uploads/9541803c39e6d3d7a2f8a5c229afccdc/mr-approvals-separate-policies.png) | ![mr-approvals-separate-policies-expanded](/uploads/53538f2af62a82249cc67216bdf3d3ac/mr-approvals-separate-policies-expanded.png) |

| Policy empty status | New policy step 1: choose policy type | New policy step 2: add details | Add more details | Add more details |
| ------ | ------ | ------ | ------ | ------ |
| ![create-policy-flow-1](/uploads/0adeb178064e3f2b65b4a3d067028e04/create-policy-flow-1.png) | ![create-policy-flow-2](/uploads/1661864049bf4bf390284b453af50fda/create-policy-flow-2.png) | ![create-policy-flow-3.0-approval-policy-tokens](/uploads/1f7246e10007e12379c4d02100ee8b72/create-policy-flow-3.0-approval-policy-tokens.png) | ![create-policy-flow-3.1-approval-policy-tokens](/uploads/a282da163e0b25590ed89bf344b3782c/create-policy-flow-3.1-approval-policy-tokens.png) | ![create-policy-flow-4-approval-policy-add-another-approver](/uploads/c0bfbea5c5291f8b55e1fb82b1571edf/create-policy-flow-4-approval-policy-add-another-approver.png) |

| Create MR page | After creating the MR, go back to the policy list | Open MR popover | Merge policy page | After merge: policy list page, policy enabled |
| ------ | ------ | ------ | ------ | ------ |
| ![create-policy-flow-5-create-merge-request](/uploads/6318fd03f252438608e4bdb207c8ac42/create-policy-flow-5-create-merge-request.png) | ![create-policy-flow-6-policies-states-pending](/uploads/1cbecf839a6826dc3ba355e9d75da4b5/create-policy-flow-6-policies-states-pending.png) | ![create-policy-flow-6.2-policies-states-open-mr](/uploads/fa8e85de56ae04e1d74c5b3464f9ae82/create-policy-flow-6.2-policies-states-open-mr.png) | ![create-policy-flow-7-open-merge-request](/uploads/8685a45a381c9184ddf60cbb06562cc6/create-policy-flow-7-open-merge-request.png) | ![create-policy-flow-8-policies-states-enabled](/uploads/40c9977b475dcc8a7b67fa51712c501d/create-policy-flow-8-policies-states-enabled.png) |

| Policy page with drawer open | Policy list, different popovers example | Policy list, tooltip |
| ------ | ------ | ------ |
| ![policies-open-drawer](/uploads/f6bdb5babacb5863d9af89dcb3c28181/policies-open-drawer.png) | ![policies-states-popovers](/uploads/58ed23dc68a6c7cfc0da877ccbe45f3e/policies-states-popovers.png) | ![policies-states-tooltip](/uploads/11942a3c84ed8344b04f8fd3bcb6f358/policies-states-tooltip.png) |

### Proposal

**Migration Proposal**

1. For projects that do not yet have a linked/associated Security Policy Project, a new Security Policy Project will be automatically created.
1. The newly created project will have the same access permissions as the development project (the same owners, maintainers, developers, reporters, etc.).
1. The newly created project will be configured with its default branch set as a protected branch, requiring Maintainer or higher access to push or merge into the default branch.
1. The newly created project will be pre-populated with a security policy that matches the Vulnerability Check rule that existed previously in the development project.
1. For projects that already have a linked/associated Security Policy Project, the migration path is still to be determined. This is likely to be a breaking change for these users.
**Feature/Functionality Proposal**

1. Vulnerability Check will no longer be configurable in the `Settings -> General -> Merge Request Approvals` section.
1. The `Settings -> General -> Merge Request Approvals` section will contain a read-only view of the Vulnerability Check rules that exist, so that users can still view all MR approval rules in a single location.
1. A link will be provided in the `Settings -> General -> Merge Request Approvals` section to the security policy page, along with a note (design is still pending) stating that Vulnerability Check approvals are managed by Security Policies.
1. Vulnerability Check will be managed as a Scan Result policy and will be stored as a YAML file in a linked Security Policy Project. This will provide customers with several benefits:
   1. The ability to customize who has permission to view, create, edit, and delete these policies.
   1. The ability to require a two-step (MR approval) process for any edits to the policy.
   1. Any create, edit, or delete of a Scan Result policy will result in an entry being added to the GitLab Audit Log.
1. Users will be able to customize the following characteristics (see the [prototype](https://gitlab-org-protect-demos-policy-mock.104.198.5.242.nip.io/create.html) for reference):
   1. Which scanners will trigger Vulnerability Check.
   1. The number and severity of vulnerabilities per scanner that will trigger Vulnerability Check.
   1. Which branch(es) will trigger Vulnerability Check.
      1. Only when the default branch is selected (`main` in the prototype) can users additionally choose whether the matched vulnerabilities should be newly detected, pre-existing dismissed, pre-existing detected, or pre-existing confirmed. These options map to the finding states listed in the value map table below.
   1. Which groups of individuals are eligible to provide approval, and how many approvals are required from each group.
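To make the rule characteristics above concrete, the following Python sketch is an added example (not GitLab's implementation and not code from this issue) of how a Scan Result policy would be evaluated against an MR pipeline: it filters findings by scanner, severity and target branch, applies the newly detected / pre-existing options by mapping them to default-branch finding states exactly as in the value map table below, and compares the surviving count against the allowed number before demanding the configured approvals. The scanner names, the state identifiers, the `resolved_on_default_branch` marker for a finding that disappeared from the default branch, the sample findings and the `appsec-team` approver group are all assumptions made for this example, as is the simplification that the state filter is applied only when the MR targets the default branch.

```python
"""Toy evaluator for a scan result policy: does a merge request need policy approval?"""
from __future__ import annotations

from dataclasses import dataclass, field

# The value map from the proposal: each menu option selects findings whose state on the
# default branch is in the given set. None means the finding is not present on the
# default branch at all; "resolved_on_default_branch" is an assumed marker for a finding
# that disappeared from the default branch.
STATE_MAP = {
    "newly_detected": {None, "resolved", "resolved_on_default_branch"},
    "pre_existing_dismissed": {"dismissed"},
    "pre_existing_detected": {"detected"},
    "pre_existing_confirmed": {"confirmed"},
}


@dataclass(frozen=True)
class Finding:
    uuid: str       # stable identity of the finding across pipelines
    scanner: str    # assumed scanner names, e.g. "sast", "dependency_scanning"
    severity: str   # e.g. "critical", "high"


@dataclass
class Rule:
    scanners: set[str]
    severity_levels: set[str]
    branches: set[str]                  # target branches the rule applies to
    vulnerabilities_allowed: int = 0    # fires only when MORE than this many findings match
    vulnerability_states: set[str] = field(default_factory=lambda: {"newly_detected"})


@dataclass
class RequireApproval:
    approvals_required: int
    approvers: set[str]   # one group of eligible approvers (usernames here)


@dataclass
class Policy:
    name: str
    rules: list[Rule]
    actions: list[RequireApproval]
    enabled: bool = True


def matching_findings(rule, target_branch, default_branch, mr_findings, default_branch_states):
    """Findings from the MR pipeline that the rule counts; empty if the rule does not apply."""
    if target_branch not in rule.branches:
        return []
    unknown = set(rule.vulnerability_states) - set(STATE_MAP)
    if unknown:
        raise ValueError(f"unknown vulnerability state(s): {sorted(unknown)}")
    matched = []
    for finding in mr_findings:
        if finding.scanner not in rule.scanners or finding.severity not in rule.severity_levels:
            continue
        # Finding states are recorded against the default branch, so (assumption, following
        # the proposal's UI restriction) the state filter applies only to MRs targeting it.
        if target_branch == default_branch:
            state = default_branch_states.get(finding.uuid)  # None: not on default branch
            if not any(state in STATE_MAP[s] for s in rule.vulnerability_states):
                continue
        matched.append(finding)
    return matched


def required_approvals(policy, target_branch, default_branch, mr_findings, default_branch_states):
    """Approval actions the MR must satisfy; an empty list means the policy does not block it."""
    if not policy.enabled:
        return []
    for rule in policy.rules:
        matched = matching_findings(rule, target_branch, default_branch, mr_findings,
                                    default_branch_states)
        if len(matched) > rule.vulnerabilities_allowed:
            return list(policy.actions)   # any one firing rule is enough
    return []


# Constructed sample data (not taken from the issue).
DEFAULT_BRANCH = "main"
# State of each known finding on the default branch, keyed by finding uuid.
MAIN_STATES = {"sast-1": "detected", "sast-2": "dismissed", "dep-1": "resolved"}
# Findings reported by the MR pipeline.
MR_FINDINGS = [
    Finding("sast-1", "sast", "critical"),                # pre-existing, detected on main
    Finding("sast-2", "sast", "high"),                    # pre-existing, dismissed on main
    Finding("sast-3", "sast", "critical"),                # not on main at all: newly detected
    Finding("dep-1", "dependency_scanning", "critical"),  # resolved on main, reappeared: newly detected
]
CRITICAL_SAST_POLICY = Policy(
    name="High and critical SAST findings need AppSec approval",
    rules=[Rule(scanners={"sast"}, severity_levels={"critical", "high"}, branches={"main"})],
    actions=[RequireApproval(approvals_required=1, approvers={"appsec-team"})],
)

if __name__ == "__main__":
    acts = required_approvals(CRITICAL_SAST_POLICY, "main", DEFAULT_BRANCH, MR_FINDINGS, MAIN_STATES)
    print("approval required:", [(a.approvals_required, sorted(a.approvers)) for a in acts])
```

Two choices in the sketch are worth keeping in mind when reading the prototype: `vulnerabilities_allowed` is a strict threshold (a rule with `0` fires on the first matching finding), and a finding that was `resolved` on the default branch but reappears in the MR pipeline counts as newly detected, which is what the first row of the value map table asks for.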
**Value map table**

| Menu option | State of the finding in the default branch |
|-------------|--------------------------------------------|
| Newly detected | N/A (does not exist in the default branch) OR `resolved` OR has been marked as "resolved on default branch" (aka disappeared) |
| Pre-existing dismissed | `dismissed` |
| Pre-existing detected | `detected` |
| Pre-existing confirmed | `confirmed` |

### Further details

For projects that do not already have a linked Security Policy Project, this approach is not a breaking change, as it only adds functionality to what exists today (the migration path for projects that already have one is still to be determined; see the Migration Proposal above). Some key benefits of the new approach include the following:

1. The ability to have a single policy that is applied to multiple projects
1. The ability for security teams to enforce a two-step approval process for any changes to the Vulnerability Check
1. The ability for users to configure multiple Vulnerability Check rules
1. The future ability for users to manage these rules at the group and workspace levels
1. The ability to limit who can edit Vulnerability Check rules to just the security department, providing separation of duties from those who have permission to edit other MR approval rules
1. Consolidation of all of GitLab's Security Policy management into a single place in the UI. The persona that manages Vulnerability Check is not the same persona that manages the rest of the approval rules; ideally, they would be able to manage all of their security policies in a single, central location.

### Permissions and Security

### Documentation

### Availability & Testing

### What does success look like, and how can we measure that?

### What is the type of buyer?

~"GitLab Ultimate"

### Is this a cross-stage feature?

### Links / references

*This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.*