I am looking to create some automation to ensure that security scans (SAST, Secrets Detection, IaC, etc.) are configured for our various projects. I was exploring API documentation, but no endpoints seem to provide that information, so far as I can tell.
When viewing the security scan section via the Gitlab.com UI, you are prompted to configure scans if none are configured. However, via the API endpoints, namely the /projects endpoint and the /vulnerabilities endpoint, I see no information regarding whether or not any, much less specific, scans are enabled.
I queried multiple projects, some with scans enabled and some without, and saw no difference in the response data. I did see a key/value pair for security_and_compliance_enabled, but this was True across all projects. It seems that it doesn’t check for scans themselves, but instead that the entire module is not utterly disabled.
Quite possible I missed something, but figured I would reach out to see.
I have discovered an alternative method when digging into this, which is to use a compliance framework, and then I believe I can use the API to validate that all projects are appropriately tagged so that they are thusly targeted by the compliance framework, but wanted to validate my findings regardless.
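The validation the post ends on, checking through the API that every project carries the compliance framework while recording that security_and_compliance_enabled alone says nothing about scans, as an added example that is not part of the original post. It assumes a `compliance_frameworks` list of framework names in the /projects response and X-Next-Page pagination; `sample_fetch` stands in for the HTTP call so the script runs offline on constructed data.

```python
# Added example, not from the original post. Assumes /projects returns
# `security_and_compliance_enabled` (named in the post) plus an assumed
# `compliance_frameworks` list of names, paginated via X-Next-Page (empty on last page).
import json
from typing import Callable, Iterator

# fetch(page_number) -> (response body as JSON text, X-Next-Page header value)
Fetcher = Callable[[int], tuple[str, str]]

def iter_projects(fetch: Fetcher) -> Iterator[dict]:
    """Walk every page of /projects, following X-Next-Page until it is empty."""
    page = 1
    while True:
        body, next_page = fetch(page)
        yield from json.loads(body)
        if not next_page:
            return
        page = int(next_page)

def audit(fetch: Fetcher, required_framework: str) -> dict:
    """Per-project findings. A project passes only if it carries the framework;
    security_and_compliance_enabled is recorded for contrast, not as the test."""
    findings = {}
    for proj in iter_projects(fetch):
        frameworks = proj.get("compliance_frameworks") or []
        findings[proj["path_with_namespace"]] = {
            "module_enabled": proj.get("security_and_compliance_enabled", False),
            "frameworks": frameworks,
            "compliant": required_framework in frameworks,
        }
    return findings

def untagged_projects(fetch: Fetcher, required_framework: str) -> list[str]:
    """Sorted paths of projects that lack the required framework."""
    return sorted(p for p, f in audit(fetch, required_framework).items() if not f["compliant"])

# Constructed sample: two pages of /projects output, not from a real instance.
_SAMPLE_PAGES = {
    1: ([{"path_with_namespace": "grp/api", "security_and_compliance_enabled": True,
          "compliance_frameworks": ["SecurityScans"]},
         {"path_with_namespace": "grp/web", "security_and_compliance_enabled": True,
          "compliance_frameworks": []}], "2"),
    2: ([{"path_with_namespace": "grp/infra", "security_and_compliance_enabled": True,
          "compliance_frameworks": ["SOC2"]}], ""),
}

def sample_fetch(page: int) -> tuple[str, str]:
    body, next_page = _SAMPLE_PAGES[page]
    return json.dumps(body), next_page
```

Against a live instance, replace `sample_fetch` with a function that GETs `/api/v4/projects?page=N` with a read-only token and returns the body text and the X-Next-Page header.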