Engineering workflows #80

Open · wants to merge 3 commits into main

Conversation

@ambitious-octopus (Member) commented Jul 7, 2025

🛠️ PR Summary

Made with ❤️ by Ultralytics Actions

🌟 Summary

The development workflow documentation for Ultralytics has been completely overhauled, introducing detailed engineering standards, security protocols, review processes, and a structured software development life cycle (SDLC) to guide all contributors. 🚀🔒

📊 Key Changes

  • Comprehensive Engineering Guidelines: Added clear principles on code quality, security, collaboration, and transparency.
  • Mandatory Code Review Policies: Defined strict requirements for code reviews, including multi-reviewer rules for critical changes.
  • Security Standards: Outlined security review processes, best practices, and when additional scrutiny is required.
  • Documentation & Testing Standards: Set expectations for code documentation, architecture diagrams, and both automated/manual testing.
  • Structured SDLC: Introduced a seven-phase SDLC tailored for computer vision and AI projects, with security checkpoints at every stage.
  • CI/CD Pipeline Standards: Detailed automated quality gates, security scans, and deployment best practices.
  • Knowledge Sharing & Mentorship: Encouraged internal communication, mentorship, and continuous learning.
  • Incident Response & Compliance: Provided clear procedures for bug reporting, emergency handling, and regulatory compliance.
  • FAQ Section: Addressed common questions about code review, urgent fixes, reviewer expertise, and supporting tools.
  • Technical Enhancement: Enabled Mermaid diagrams in documentation for clearer visual workflows.

🎯 Purpose & Impact

  • Higher Code Quality & Security: Ensures all contributions meet rigorous standards, reducing bugs and vulnerabilities. 🛡️
  • Consistency Across Teams: Aligns all contributors with unified workflows, making collaboration smoother and onboarding easier.
  • Transparency & Accountability: Clear documentation and review processes foster trust and shared responsibility.
  • Faster, Safer Releases: Automated testing and deployment practices minimize downtime and speed up delivery.
  • Empowered Community: Contributors have access to best practices, mentorship, and clear guidelines, making it easier to get involved and grow. 🌍
  • Future-Proofing: The living document approach ensures the handbook evolves with new technologies and team needs.

This update marks a major step forward in professionalizing and securing Ultralytics engineering practices, benefiting both internal teams and the wider open-source community.

@ambitious-octopus ambitious-octopus self-assigned this Jul 7, 2025
vercel bot commented Jul 7, 2025

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Comments Updated (UTC)
handbook ✅ Ready (Inspect) Visit Preview 💬 Add feedback Jul 13, 2025 9:49pm

@ambitious-octopus ambitious-octopus marked this pull request as draft July 7, 2025 08:46
@UltralyticsAssistant UltralyticsAssistant added devops GitHub Devops or MLops documentation Improvements or additions to documentation enhancement New feature or request labels Jul 7, 2025
@UltralyticsAssistant (Member) commented:

👋 Hello @ambitious-octopus, thank you for submitting an ultralytics/handbook 🚀 pull request! This is an automated response to help ensure your contribution integrates smoothly. An Ultralytics engineer will review your PR in detail soon.

Please review this checklist to make sure everything is in order:

  • Define a Purpose: Clearly explain the purpose of your changes in your PR description, and link to any relevant issues. Ensure your commit messages are clear, concise, and follow project conventions.
  • Synchronize with Source: Make sure your PR is up to date with the ultralytics/handbook main branch. If needed, update by clicking 'Update branch' or by running git pull and git merge main locally.
  • Ensure CI Checks Pass: Check that all Ultralytics Continuous Integration (CI) checks are passing. Please address any failing checks.
  • Update Documentation: Update the relevant documentation for any new or modified features.
  • Add Tests: If applicable, include or update tests to cover your changes, and confirm that all tests pass.
  • Sign the CLA: If this is your first Ultralytics PR, please sign our Contributor License Agreement (CLA) by commenting "I have read the CLA Document and I sign the CLA" in this thread.
  • Minimize Changes: Please limit your changes to the minimum necessary for your enhancement or fix. "It is not daily increase but daily decrease, hack away the unessential. The closer to the source, the less wastage there is." — Bruce Lee

For further guidance, check out our Contributing Guide. If you have any questions, feel free to leave a comment here. Thank you for contributing to Ultralytics! 🌟🛠️

@ambitious-octopus (Member, Author) left a comment:

Action Items:

  • Role Structure & Assignment (@ambitious-octopus, @kayselmecnun): implement engineering role separation with clear responsibilities; establish a triage assignment process and ownership.

  • Asset Management Review (@ambitious-octopus, @kayselmecnun): conduct a comprehensive asset management audit; review current asset tracking and maintenance procedures.

  • Documentation Review (@zkontri, @sokrisba): review and update current documentation; ensure alignment with the new role structure and processes.

**Security Testing**:

- Dynamic Application Security Testing (DAST)
- Penetration testing for web interfaces
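Review bot: the Security Testing list names only DAST and penetration testing for web interfaces, with no owner, cadence or acceptance criteria for either; state who performs each, how often, and how findings are tracked to remediation, and relate them to the automated security scans the CI/CD section of the summary already promises, so the list reads as a process rather than a pair of tool categories.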
Contributor commented:
Policy Scope:
Is this policy intended exclusively for the YOLO team, or does it also apply to the HUB team?

Penetration Testing Requirements:
If this policy applies only to the YOLO team, should we include penetration testing requirements? Including this requirement means we must conduct penetration testing and provide supporting evidence to auditors.

Your [contributions](https://docs.ultralytics.com/help/contributing/) and feedback drive us to keep improving and refining the way we work at Ultralytics. Stay tuned as we roll out the complete handbook to help you engage, contribute, and align with our mission and values.
**Policy**: Every pull request (PR) must receive approval from at least one qualified reviewer before merging.

**Rationale**: This requirement mitigates the risk of undetected bugs, security vulnerabilities, and architectural issues by preventing single-person code approvals. No individual, regardless of experience level or position, should merge code without independent review.
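Review bot: "qualified reviewer" is undefined in this policy paragraph, so as written a single approval from anyone with write access satisfies it; define the qualification (for example domain ownership or expertise, which the FAQ on reviewer expertise in the PR summary already addresses) and cross-reference the multi-reviewer rule for critical changes mentioned in the Key Changes list, so the two requirements are stated in one place.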
Contributor commented:

For ISO 27001 compliance, this policy requires expansion to include a description of the vulnerability management processes.

ISO 27001 specifically mandates:
"Provide documentation outlining the process for identifying, tracking, and remediating vulnerabilities using external threat intelligence sources."

Required Documentation Must Include:

  • Procedural documentation describing how vulnerability scan results are reviewed and incorporated into threat analysis
  • Evidence of monitoring external threat intelligence sources (vendor alerts, RSS feeds, security bulletins)
  • Clear examples of vulnerability prioritization and remediation processes, including ticketing workflows and remediation reports

Recommended Enhancements:

I suggest extending this policy to include:

  • Discovery methods
  • Service Level Agreements (SLAs) with severity-based timelines
  • Remediation Process

Reference Materials:

As good examples, you can use:


This placeholder page is just the start. Soon, you’ll have access to:
- **Code Quality**: We write clean, maintainable, and well-documented code that stands the test of time
- **Security First**: We implement security best practices at every stage of development
Contributor commented:

To align with industry best practices, I would add references to established security frameworks, to demonstrate our commitment to following recognized security practices and to provide development teams with clear, industry-accepted guidance:

OWASP Secure Development Principles - for implementing security controls throughout the software development lifecycle
OWASP Top 10 Vulnerability Awareness - for maintaining current knowledge of the most critical web application security risks


## Secure Software Development Life Cycle (SDLC)

The YOLO team follows a structured, security-focused SDLC framework that ensures consistent quality, security, and maintainability across all development phases. This framework is specifically tailored for computer vision and AI model development while maintaining enterprise-grade security standards.
Contributor commented:

Just a quick suggestion - if this policy is meant to apply to the entire development team (both YOLO & PLATFORM), it is better to change it to 'The Ultralytics development team follows a structured, security-focused SDLC...'

@glenn-jocher (Member) commented:

Thanks for the review comments @zkontri!

@sokrisba sokrisba marked this pull request as ready for review August 6, 2025 15:17