Ryan Lehmann activity https://gitlab.com/rlehmann1 2026-03-13T20:09:05Z

tag:gitlab.com,2026-03-13:5202821839 Ryan Lehmann commented on merge request !142847 at GitLab.com / www-gitlab-com 2026-03-13T20:09:05Z rlehmann1 Ryan Lehmann

Thanks, will hold off for now then.

tag:gitlab.com,2026-03-13:5202553481 Ryan Lehmann commented on issue #593551 at GitLab.org / GitLab 2026-03-13T18:25:47Z rlehmann1 Ryan Lehmann

@sming-gitlab Hmm. Yeah, that is tricky. Would it be accurate to say this (or do you think it's confusing to say it hasn't started yet if the pipeline is pending?):

No pipelines started yet. Results will appear when a pipeline completes.

If not, your wording would work, just change "once" to "when".

tag:gitlab.com,2026-03-13:5201596325 Ryan Lehmann commented on merge request !142855 at GitLab.com / www-gitlab-com 2026-03-13T14:07:52Z rlehmann1 Ryan Lehmann

👋 @khornergit. Looks great. Just left some wording suggestions, mostly. The only major thing I noted is the need to update features.yml if we want this to be a primary item. (optional if it's secondary.)

tag:gitlab.com,2026-03-13:5201596283 Ryan Lehmann commented on merge request !142855 at GitLab.com / www-gitlab-com 2026-03-13T14:07:51Z rlehmann1 Ryan Lehmann
        This feature is available for Ultimate customers with Duo Agent Platform. The feature must be enabled in your group or project settings.

It's a little unclear what needs to be enabled here. Would break it up for clarity.

tag:gitlab.com,2026-03-13:5201596257 Ryan Lehmann commented on merge request !142855 at GitLab.com / www-gitlab-com 2026-03-13T14:07:51Z rlehmann1 Ryan Lehmann

        - Automatic analysis: False positive detection runs automatically after each security scan with no manual intervention required.
        - Manual option: Users can manually run false positive detection for individual vulnerabilities on the vulnerability details page for on-demand analysis.
        - Focus on high-impact findings: Limiting the analysis to critical and high severity SAST vulnerabilities cuts through the noise where it matters most.
        - Contextual AI reasoning: Each assessment explains why a finding may or may not be a false positive, factoring in code context, data flow, and vulnerability characteristics specific to static analysis.
        - Seamless workflow integration: Results surface directly in the vulnerability report alongside existing severity, status, and remediation information — no changes to existing workflows required.

This is a high-level overview, so I would avoid the terms "trigger" and "true positive" where we can write around it.

tag:gitlab.com,2026-03-13:5201596245 Ryan Lehmann commented on merge request !142855 at GitLab.com / www-gitlab-com 2026-03-13T14:07:51Z rlehmann1 Ryan Lehmann
        The assessment appears directly in the vulnerability report, giving security engineers the context they need to triage with confidence rather than uncertainty.

Guesswork isn't usually an adverb.

tag:gitlab.com,2026-03-13:5201596236 Ryan Lehmann commented on merge request !142855 at GitLab.com / www-gitlab-com 2026-03-13T14:07:51Z rlehmann1 Ryan Lehmann
        When a security scan runs, GitLab Duo analyzes each critical and high severity SAST vulnerability and determines the likelihood that it's a false positive.

tag:gitlab.com,2026-03-13:5201596223 Ryan Lehmann commented on merge request !142855 at GitLab.com / www-gitlab-com 2026-03-13T14:07:51Z rlehmann1 Ryan Lehmann

        SAST false positive detection, which was first introduced as a beta in 18.7, is now generally available in GitLab 18.10.

We've transitioned to making this lowercase.

tag:gitlab.com,2026-03-13:5201596198 Ryan Lehmann commented on merge request !142855 at GitLab.com / www-gitlab-com 2026-03-13T14:07:50Z rlehmann1 Ryan Lehmann

For primary features, we also need to update features.yml.

tag:gitlab.com,2026-03-13:5201596166 Ryan Lehmann commented on merge request !142855 at GitLab.com / www-gitlab-com 2026-03-13T14:07:50Z rlehmann1 Ryan Lehmann

I think we can remove the GA part as well. We typically only tag beta items (and the initials "GA" aren't necessarily meaningful to users). Plus we explain the beta > GA transition in the first sentence.

    - name: "SAST False Positive Detection with GitLab Duo"

tag:gitlab.com,2026-03-13:5201384605 Ryan Lehmann commented on merge request !227182 at GitLab.org / GitLab 2026-03-13T13:20:36Z rlehmann1 Ryan Lehmann

Hi @nrosandich. Just one adjustment to identify the offerings in the history. From the default_enabled field in the flag MR, it looks to me like this is enabled on all three, but I should probably get you to confirm that before merging.

tag:gitlab.com,2026-03-13:5201384587 Ryan Lehmann commented on merge request !227182 at GitLab.org / GitLab 2026-03-13T13:20:36Z rlehmann1 Ryan Lehmann
- Introduced in [epic 17885](https://gitlab.com/groups/gitlab-org/-/work_items/20152) in GitLab 18.10 as a [beta](../../../policy/development_stages_support.md#beta) feature with a [feature flag](../../../administration/feature_flags/_index.md) named `duo_secret_detection_false_positive`. [Enabled on GitLab.com, GitLab Self-Managed, and GitLab Dedicated](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/227074).
tag:gitlab.com,2026-03-13:5201384555 Ryan Lehmann commented on merge request !227182 at GitLab.org / GitLab 2026-03-13T13:20:35Z rlehmann1 Ryan Lehmann
- Introduced in [epic 17885](https://gitlab.com/groups/gitlab-org/-/work_items/20152) in GitLab 18.10 as a [beta](../../../../policy/development_stages_support.md#beta) feature with a [feature flag](../../../../administration/feature_flags/_index.md) named `duo_secret_detection_false_positive`. [Enabled on GitLab.com, GitLab Self-Managed, and GitLab Dedicated](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/227074).
tag:gitlab.com,2026-03-13:5201384429 Ryan Lehmann commented on merge request !227182 at GitLab.org / GitLab 2026-03-13T13:20:33Z rlehmann1 Ryan Lehmann
- Introduced in [epic 17885](https://gitlab.com/groups/gitlab-org/-/work_items/20152) in GitLab 18.10 as a [beta](../../../policy/development_stages_support.md#beta) feature with a [feature flag](../../../administration/feature_flags/_index.md) named `duo_secret_detection_false_positive`. [Enabled on GitLab.com, GitLab Self-Managed, and GitLab Dedicated](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/227074).
tag:gitlab.com,2026-03-12:5198794485 Ryan Lehmann commented on merge request !142807 at GitLab.com / www-gitlab-com 2026-03-12T21:00:42Z rlehmann1 Ryan Lehmann

@m-omokoh, @or-gal this looks good to me (I made a couple minor formatting tweaks, but the pipeline is still green), so this is good to go from my perspective. Docs changes are merged.

tag:gitlab.com,2026-03-12:5198761069 Ryan Lehmann commented on merge request !226175 at GitLab.org / GitLab 2026-03-12T20:48:55Z rlehmann1 Ryan Lehmann

Thanks @arfedoro.

  1. Hmm. Yeah, it's a bit hard to explain, but when we say "If any of the following apply:" and then we have several headings after it, it looks like each of the sections is part of the OR condition. (But they're not. They're nested under the "If all of the following" AND condition.) So visually, it looks like if any of the subheadings apply, then the policy applies. It also doesn't help that the AND condition is not very visible, hidden in a large text block. I'm not sure if you have any way of nesting the layers visually, for example:

If any of the following apply:

When...targeting any protected branch

And all of the following apply:

API Fuzzing

...

Secret Detection

  • New and needs triage
tag:gitlab.com,2026-03-12:5198739424 Ryan Lehmann pushed to project branch master at GitLab.org / GitLab 2026-03-12T20:41:26Z rlehmann1 Ryan Lehmann

Ryan Lehmann (a629f712) at 12 Mar 20:41

Merge branch 'duo-edit-20260312-181033' into 'master'

... and 1 more commit

tag:gitlab.com,2026-03-12:5198739295 Ryan Lehmann deleted project branch duo-edit-20260312-181033 at GitLab.org / GitLab 2026-03-12T20:41:23Z rlehmann1 Ryan Lehmann

Ryan Lehmann (f9f62f58) at 12 Mar 20:41

tag:gitlab.com,2026-03-12:5198737691 Ryan Lehmann accepted merge request !227134: Docs: Simplify security configuration profiles documentation at GitLab.org / GitLab 2026-03-12T20:40:53Z rlehmann1 Ryan Lehmann

What does this MR do?

This merge request simplifies the security configuration profiles documentation by reducing technical depth while maintaining essential information.

Changes

  • Replace inheritance explanation with clearer group/project application description
  • Simplify secret detection profile description by removing detailed scan trigger list
  • Rename and streamline profile details section (Scan triggers → Active Triggers)
  • Remove detailed coverage status indicator explanations
  • Reduce technical depth while maintaining essential information

Applies PM feedback on documentation clarity and simplification.

tag:gitlab.com,2026-03-12:5198735062 Ryan Lehmann approved merge request !142807: RP - Pipeline secret detection in security configuration profiles at GitLab.com / www-gitlab-com 2026-03-12T20:40:06Z rlehmann1 Ryan Lehmann

Team members for review and approval: Engineer(s): `` | Product Marketing: @PMM | Tech Writer: `@rlehmann1` | Product Designer(s): `@mfangman`

Engineering Manager to merge when the feature is deployed and enabled: @or-gal

Important note on tier labels: Until further notice, due to change management reasons, please leverage label core to indicate 'free' tier in all code and templates.

Please review the guidelines for content block creation at https://handbook.gitlab.com/handbook/marketing/blog/release-posts/#content-blocks. They are frequently updated, and everyone should make sure they are aware of the current standards (PM, PMM, EM, and TW). There are separate (and slightly different) templates for primary and secondary features, bugs, removals, and upgrade notes. Please make sure to use the right template!

Please be aware deprecations follow a different process in a different project and you should not be using this MR template unless you are making edits to a release post prior to 14.4.

  • Feature Issue (required): gitlab-org#19802
  • Pricing theme MR (required for primary features in Premium or Ultimate only):
  • Feature MR (optional):
  • Feature Flag Issue (optional):

Release Post

---
features:
  secondary:
  - name: "Pipeline secret detection in security configuration profiles"
    available_in: [ultimate]
    documentation_link: 'https://docs.gitlab.com/ee/user/application_security/configuration/security_configuration_profiles.html'
    gitlab_com: true
    self_managed: true
    gitlab_dedicated: true
    gitlab_dedicated_for_government: true
    add_ons: []
    reporter: m-omokoh
    stage: security_risk_management
    categories:
    - 'Vulnerability Management'
    image_url: '/images/unreleased/security-platform-management-pipeline-sd-profiles.png'
    issue_url:
    - 'https://gitlab.com/groups/gitlab-org/-/work_items/19802'
    description: |
      In GitLab 18.9, we introduced security configuration profiles with the Secret Detection - Default profile, starting with push protection. You can now apply standardized secret scanning enablement across hundreds of projects without touching a single CI/CD configuration file.

      The Secret Detection - Default profile now extends to cover pipeline-based scanning, completing a unified control surface for secret detection across your entire development workflow.

      The profile activates three scan triggers:

      - **Push Protection**: Scans all Git push events and blocks pushes where secrets are detected, preventing secrets from ever entering your codebase.
      - **Merge Request Pipelines**: Automatically runs a scan each time new commits are pushed to a branch with an open merge request. Results are scoped to new vulnerabilities introduced by the merge request.
      - **Branch Pipelines (default only)**: Runs automatically when changes are merged or pushed to the default branch, providing a complete picture of your default branch's secret detection posture.

      Applying the profile requires no YAML configuration. The profile can be applied at the group level to propagate coverage across all projects in scope, or at the project level for more granular control.

Key dates

  • By Monday of the week the milestone ends: PMs should draft/submit for review ALL release post item content, whether they are feature or recurring blocks, earlier and no later than the Monday of the week the milestone ends.
  • By Thursday, the day before the milestone ends: All required TW reviews as well as any optional PMM and PM Director/Group Manager reviews and resulting revisions should get done no later than Thursday, the day before the milestone ends.
  • By the Friday the milestone ends: Release post items need to be marked with the Ready label in order to be merged for the current release post.
  • By the end of the Friday the milestone ends: EMs will merge RP items with the Ready label by the end of day 11:59PM PT on the Friday the milestone ends. Any MRs merged into master after 11:59PM PT will not make the release post and need to follow this process:

If you need to make a change or addition to a release post item after 11:59PM PT on the Friday the milestone ends, open a new MR targeting the release-X-Y branch and assign to the Release Post Manager, with @mention of the lead Tech Writer and PMM. Please do not re-target the existing MR. Revisions for content in the release post branch should be made with new MRs targeted to the release post branch. It is important you follow the instructions on how to create a new MR to the release X-Y branch in Adding, editing, or removing merged content blocks after the Monday of release week and before the release date. It's highly recommended the PM connect with the release post manager to make sure content can still be added prior to creating the new MR.

Notes: Drafting release post content well in advance of the Monday of the week the milestone ends is highly recommended so reviews/revisions can happen in a rolling fashion and not bottleneck against the merge due date which is the Friday the milestone ends.

Getting ready for merge

Reminder: Make sure any feature flags have been enabled or removed!

Once all content is reviewed and complete, add the Ready label and set the Engineering Manager (EM) as the Assignee. The EM is responsible for merging as soon as the implementing feature is deployed to GitLab.com, after which this content will appear on the GitLab.com Release page and can be included in the next release post. All release post items must be merged on or before the Friday the milestone ends. If a feature is not ready by the due date of the Friday the milestone ends the EM should push the release post item to the next milestone.

PM release post item checklist

Please only mark a section as completed once you performed all individual checks!

  • Set yourself as the Assignee.
  • Why? – The benefit of this feature to the user is clearly explained
    • What is the problem we are solving for the user, and how is the situation improved?
    • Be specific about the problem, using examples so that the reader can recall the last time they had that problem.
    • Be specific about the solution, using examples so that the reader can quickly understand the improvement.
    • Describe the benefits in terms of outcomes like productivity, efficiency, velocity, communication.
    • Avoid feature language, like removing a limitation, that focuses on the product and not our users.
    • Avoid assumed knowledge, assume a customer or prospect will be linked this description without context.
  • Title:
  • Content:
    • Make it clear if it is a new feature, or an improvement to an existing feature.
    • If your item is a deprecation, upgrade or removal reference the appropriate section in the release-posts handbook page for guidance. Please also see communication guidelines for breaking changes.
    • Make sure your content is reasonably aligned with guidance in Writing about features
    • Check title is in sentence case, and feature and product names are in capital case.
    • Run the content through an automated spelling and grammar check.
    • Validate all links are functional and have meaningful text for SEO (e.g., "click here" is bad link text).
  • Images and Video:
    • Screenshot or video is included (required for all changes with a visible UI component). Consider preferring a speed run video since this will showcase your feature better, and also serve as a functional test to validate that it actually works as expected.
    • Check that the image follows the image guidelines. It should be less than 150 KB, and minimizes empty space.
    • Check if the image shadow is applied correctly. Add image_noshadow: true when an image already has a shadow.
    • Ensure screenshots have realistic looking data. Avoid screenshots that say "test", "demo", "example".
    • Remove any remaining instructions (comments).
  • Frontmatter:
    • Check feature availability frontmatter (available_in:) is correct: (Core, Premium, Ultimate). Make sure to set gitlab_com: false when the feature isn't available for GitLab.com users.
    • Check documentation link points to the latest docs (documentation_link:), and includes the anchor to the relevant section on the page if possible.
    • Check that documentation is updated, very clearly talks about the feature (mentions it by the same name consistently in all resources).
    • Check that all links to about.gitlab.com content are relative URLs.
  • Review Experiment, Beta, and General Availability guidelines
  • Add Reviewers: Once the above are complete, add the Tech Writer, PMM, and Group Manager or Director as Reviewers.
  • If this MR is a community contribution, consider nominating the contributor for MVP.

Pricing theme updates for Premium and Ultimate primary features

This is required as part of the release post workflow. However, since review/alignment on this may take longer than the release post allows, please use a separate MR to de-couple timeline dependencies.

  • In the bottom right corner of this screen, copy the name of the "Source branch"
  • Create a new branch
  • Paste the name of this branch into the name and append it with "-pricing-theme"
  • Select this branch name as the source from the "Create from" field
  • Click "Create Branch"
  • Click the "Create merge request" button that appears near the top of the UI
  • Choose the Pricing Theme template in the new MR and follow the steps in the template

Review

When the above is complete and the content is ready for review, it must be reviewed by Tech Writing. It can also be reviewed by Product Marketing, Product Design, and the Product Leader for this area.

Use the Reviewers for Merge Requests feature in GitLab when adding team members for content reviews. Reviewers will then approve the MR and remove themselves from Reviewers when their review is complete.

Tip: Try using the Review App in this MR to see exactly how the release post item is rendered.

Tech writer review

After the technical writer from the corresponding group is added as a reviewer to this merge request, they will perform their review.

Please mark a section as complete only after you performed all individual checks!

  • Feature: If the feature is listed as secondary, updating features.yml is optional.
  • Name/title: Try to limit to 7 words (not including articles or prepositions). Use sentence case.
  • Feature availability: Ensure available_in: is correct. Ensure the offering fields (gitlab_com:, self_managed:, gitlab_dedicated:, gitlab_dedicated_for_government:) are accurately set to true or false.
  • Documentation link: Ensure the documentation_link links to the correct document and anchor, and is wrapped in single quotes.
  • Image URL: The image should be smaller than 150 KB.
  • Links: Make sure the linked issue_url or epic_url is correct. Verify that all links and anchors work as intended.
  • Description: Review the content. Make sure it accurately describes the feature. Look for typos or grammar mistakes.

Notes:

  • If checklist items are incomplete, tell the PMs or other team members. You can remove yourself as a reviewer, but request to be added back after the missing tasks are done.
  • After all checklist items are done, approve the merge request, select your checkbox in the review checklist, and remove yourself from the list of reviewers. Your job is done!

PMM review

PMM Review is Optional

Please only mark this section as completed once you performed all individual checks! When your review is complete, please approve this MR and remove yourself from Reviewers.

  • PMM review
    • problem/solution: Does this describe the user pain points (problem) as well as how the new feature removes the pain points (solves the problem)?
      • short/pithy: Is this communicated clearly with the fewest words possible?
      • tone clarity: Is the language and sentence structure clear and grammatically correct?
      • technical clarity: Does the description of the feature make sense for various audiences, including folks who are not deeply familiar with GitLab?
    • Check/copyedit all your content blocks (including links/images)
    • If you think any features should change from primary to secondary, add a suggestion to the release post item and ping the PM owner to review.
    • Check/copyedit features.yml

EM release post item checklist

  • Set at least one code MR as a blocker for this MR by going to Edit > Merge request dependencies.
  • When this MR is labeled as Ready and assigned to you:
    • Confirm the feature is in the release and note the following:
      • Be aware that merging code to master "does not guarantee that the feature will be in the release" (source).
      • If in doubt, you should confirm the feature commits are in the x-y-stable-ee branch (for example, 13-12-stable-ee).
      • You can also use the chatops command /chatops run release check [MR_URL] [RELEASE] to check if the MR will be included in the release.
    • If the feature has a feature flag, verify it is enabled by default.
    • If before 11:59PM PT on the Friday the milestone ends, merge this merge request to the master branch. If after that time, but you believe this should be merged late, follow the process for late additions and be sure to inform the release post manager.