Security Policy Integration with Security Attributes (Experiment)
<details>
<summary>Table of Contents</summary>
[[_TOC_]]
</details>
# :lock: Interlock details
---
## Executive Summary
Policies lack full context into risk in projects, whereas integration of [Security Attributes](https://gitlab.com/groups/gitlab-org/-/epics/18010) will help to more effectively map security requirements to project-level risk factors and business context. By connecting the experience of policy creation to attributes, we have an opportunity to better support new contexts for making decisions, such as projects that belong to a particular business unit, projects that make up a single defined application in the business context, internet exposure, SDLC stage, and business/security criticality.
Additionally, by connecting policies to projects based on risk/business context, the maintenance burden also decreases. Should a project/repo move within a GitLab organization/instance from one group to another, context can be maintained, requiring no change to policy.
## Engineering Assessment
TBD
## :chart_with_upwards_trend: Target Metrics
1. One or more policies updated to use attributes in 10+ accounts (instances/namespaces) with more than 100 active projects.
## Dependencies
- Team dependencies:
  - Design is complete/ready for dev
  - We'll need to account for how labels are managed for CSPs or if we keep CSPs out of scope
- Epic/Issue dependencies - _Link to dependent epics/issues via the linked items widget below for ease of drill down_
- External dependencies:
  - ~"group::security platform management" - as we'll need to query the attributes to display in the editor list, and check project attributes to handle enforcement
  - Possible consideration for CSP integration
## DRIs
- **PM**: @g.hickman
- **EM**: @alan
- **UX/PDM**: @tparker1
- **Group(s)**: ~"group::security policy management"
- **Engineering Owner**: @rvider
## Initiative Driver - Product or Engineering?
~"Interlock Priority::P3"
# :package: Product Delivery Plans
## Problem to Solve
Security teams need to efficiently apply and manage security policies across projects based on business context rather than manual project selection. Currently, security policies require manual project scoping, which becomes unmanageable at scale and doesn't adapt to organizational changes.
Based on plans in https://gitlab.com/groups/gitlab-org/-/epics/18010, we have an opportunity to extend security policies to better support new contexts, such as projects that belong to a particular business unit, projects that make up a single defined application in the business context, internet exposure, SDLC stage, and business/security criticality.
## Proposal
Integrate the security attributes system with GitLab's security policies to enable:
**1. Attribute-Based Policy Scoping**
- Apply security policies to projects based on security attribute criteria
- Support multiple attribute conditions (AND/OR logic)
- Dynamic policy application as attributes change
**2. Policy Templates by Business Context**
- Pre-configured policy templates for different business impact levels
- Stricter policies for "Mission Critical" and "Business Critical" projects
- Graduated policy enforcement based on attribute combinations
**3. Automated Policy Management**
- Policies automatically include/exclude projects when attributes are updated
- Inheritance of policies from parent groups based on attribute hierarchies
- Bulk policy application across attribute-filtered project sets
## Key Features
**Core Integration Points:**
- **Vulnerability Management Policies**: Target projects by security attributes (such as by business unit or application context)
- **Scan Execution Policies**: Target projects by security attributes (e.g., all "Mission Critical" + "Production" projects)
- **Scan Result Policies**: Apply different approval requirements based on business impact attributes
- **Pipeline Execution Policies**: Enforce security scans on projects with specific exposure levels
**Advanced Capabilities:**
- **Dynamic Scoping**: Real-time policy updates when project attributes change
- **Audit Trail**: Track policy applications and changes based on attribute modifications
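To make the attribute-based scoping described in the Proposal and Key Features concrete, here is an added example (hypothetical model written for this page, not GitLab's own policy code): a policy scope is a set of attribute conditions joined with AND or OR, evaluated against project attributes rather than group membership, so a group transfer keeps coverage and an attribute change re-scopes the policy on the next evaluation. The project inventory, attribute values and scope definitions are constructed for illustration.

```python
# Hypothetical model of attribute-based policy scoping (not GitLab code):
# a scope is a set of attribute conditions joined with ALL (AND) or ANY (OR).
from dataclasses import dataclass, field

@dataclass
class Project:
    path: str                                  # group/project path
    attributes: dict = field(default_factory=dict)

@dataclass
class PolicyScope:
    match: str            # "all" -> AND, "any" -> OR
    conditions: dict      # attribute name -> set of accepted values

def in_scope(project: Project, scope: PolicyScope) -> bool:
    """True when the project's attributes satisfy the scope conditions."""
    if not scope.conditions:
        # An empty scope must not silently match every project.
        raise ValueError("policy scope needs at least one condition")
    checks = [project.attributes.get(name) in accepted
              for name, accepted in scope.conditions.items()]
    if scope.match == "all":
        return all(checks)
    if scope.match == "any":
        return any(checks)
    raise ValueError(f"unknown match mode: {scope.match!r}")

def scoped_projects(projects, scope: PolicyScope) -> list:
    """Sorted paths of the projects the policy currently applies to. Matching
    uses attributes only: a path change (group transfer) keeps coverage."""
    return sorted(p.path for p in projects if in_scope(p, scope))

# Constructed sample inventory using the attribute categories listed under
# Requirements; values are illustrative.
PROJECTS = [
    Project("payments/gateway", {"Business Impact": "Mission Critical",
            "Lifecycle Stage": "Production", "Internet Exposure": True}),
    Project("payments/ledger", {"Business Impact": "Mission Critical",
            "Lifecycle Stage": "Development", "Internet Exposure": False}),
    Project("marketing/site", {"Business Impact": "Business Critical",
            "Lifecycle Stage": "Production", "Internet Exposure": True}),
]

# Scan execution policy for all "Mission Critical" + "Production" projects.
MISSION_CRITICAL_PROD = PolicyScope("all", {
    "Business Impact": {"Mission Critical"}, "Lifecycle Stage": {"Production"}})
# Pipeline execution policy for anything internet-exposed or mission critical.
EXPOSED_OR_CRITICAL = PolicyScope("any", {
    "Internet Exposure": {True}, "Business Impact": {"Mission Critical"}})
```

Re-running `scoped_projects` after an attribute update is the "dynamic scoping" behaviour: the policy's project set follows the attributes without any edit to the policy itself.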
## Requirements
**Technical Requirements:**
- Ultimate tier feature
- Support for all existing security attribute categories:
  - Business Impact (Mission Critical, Business Critical, etc.)
  - Application (custom values)
  - Business Unit (custom values)
  - Internet Exposure (True/False)
  - Lifecycle Stage (Production/Development)
**User Experience Requirements:**
- Policy creation wizard with attribute-based targeting (very similar experience to the existing Compliance Framework labels)
- Visual policy coverage mapping showing which projects are affected
- Clear indication of policy inheritance and conflicts
**Performance Requirements:**
- Efficient policy evaluation for large project sets
- Minimal impact on pipeline execution times
- Scalable to thousands of projects with complex attribute combinations
## Dependencies
- Completion of Security Attributes/Context Filtering epic
- Security policy framework enhancements for dynamic scoping
- Integration with existing policy evaluation engine
## Relevant Links
1. [Security Attributes/Context Filtering](/groups/gitlab-org/-/epics/18010) epic