[Feature flag] Cleanup enforce_vulnerability_attributes_rules
Summary
This issue is to clean up the enforce_vulnerability_attributes_rules feature flag after it has been enabled by default for an appropriate amount of time in production.
This feature allows security policy rules to filter vulnerabilities by attribute. An expected scenario for these filters would be to create a policy that requires approvals from the Security team only when a fix is available and when the vulnerability is not a false positive. Users will be able to use an "Is" or "Is Not" operator when defining attributes.
- Fix Available: Whether or not a fix is available for the vulnerability (only applies to Container and Dependency Scanning)
- False Positive: Whether or not the vulnerability has been identified as a false positive
The feature flag is only for the backend part of the feature.
The feature flag has been default enabled with #418784 (closed)
Owners
- Team: group::security policies
- Most appropriate slack channel to reach out to: #g_govern_security_policies
- Best individual to reach out to: @andysoiron
- PM: @g.hickman
Stakeholders
Expectations
What might happen if this goes wrong?
Cleaning up the feature flag
- Create a merge request to remove the <feature-flag-name> feature flag. Ask for review and merge it.
  - Remove all references to the feature flag from the codebase.
  - Remove the YAML definitions for the feature from the repository.
  - Create a changelog entry.
- Ensure that the cleanup MR has been deployed to both production and canary. If the merge request was deployed before the code cutoff, the feature can be officially announced in a release blog post.
  - /chatops run auto_deploy status <merge-commit-of-cleanup-mr>
- Close the feature issue to indicate the feature will be released in the current milestone.
- If not already done, clean up the feature flag from all environments by running these chatops commands in the #production channel:
  - /chatops run feature delete <feature-flag-name> --dev
  - /chatops run feature delete <feature-flag-name> --staging
  - /chatops run feature delete <feature-flag-name>
- Close this rollout issue.
Edited by Alan (Maciej) Paruszewski