GitLab is introducing pipeline execution policies to combine the flexibility of compliance pipelines with the simplicity of security policies. Compliance pipelines have been deprecated in version 17.3 and will be removed in version 18.0. The new feature allows users to enforce customized CI/CD jobs for all applicable projects with increased focus on compliance enforcement and flexibility. Pipeline execution policies perform a similar function to compliance pipelines but with more benefits.

Compliance management in GitLab focuses on understanding compliance posture, reporting to auditors, and surfacing compliance risks. Policy management, on the other hand, supports scalable security initiatives and enforces security controls and compliance workflows. The deprecation of compliance pipelines aims to provide a clearer distinction between compliance management and policy management in GitLab.

A step-by-step workflow is available to migrate compliance pipelines to pipeline execution policies, which can be accessed when creating or editing a compliance framework. The migration process allows users to create a new security policy instead of a compliance pipeline, and the new policy will be populated with the compliance pipeline YAML as the remote source. Users are encouraged to start migrating their compliance pipelines to pipeline execution policies as soon as possible before the removal of compliance pipelines in GitLab 18.0.
about.gitlab.com