Recently, we became an Ultimate client, and we are putting special emphasis on security best practices for our community. We’ve started to set up security policies, and there are some questions we were wondering about.
Let’s assume the following example for the creation of a security policy:
```yaml
---
scan_execution_policy:
  - name: SAST - Secret Detection Scan Execution Policy
    description: A scan execution policy that runs SAST and Secret Detection on merge into main or master branches.
    enabled: true
    rules:
      - type: pipeline
        branches:
          - '*'
    actions:
      - scan: sast
        tags: []
      - scan: secret_detection
        tags: []
  - name: Container Scan Execution Policy
    description: A scan execution policy that runs Container Scanning on merge into main or master branches.
    enabled: true
    rules:
      - type: pipeline
        branches:
          - '*'
    actions:
      - scan: container_scanning
        tags: []
```
We want our users to start linking this security policy. However, not all projects require, for example, the container scanning execution. According to Scan execution policies | GitLab, using the `CONTAINER_SCANNING_DISABLED: true` variable can avoid running this specific policy; however, the documentation also states that
Disabling jobs this way does not prevent the security jobs defined by scan execution policies from running.
Therefore the question is: is there any way for users to avoid running specific policies and only run those really needed when using security policies? We would like to avoid creating several projects, each hosting a different security policy.
Many thanks in advance.
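As an added example that is not part of the original post: GitLab later added a per-policy `policy_scope` key, which lets a single policy project carry several policies while restricting each one to specific projects, so the container scanning policy below is kept out of the projects that do not build images while the SAST/secret detection policy still applies everywhere. This assumes a GitLab version whose policy schema supports `policy_scope` (check the scan execution policy docs for your release) and uses placeholder project IDs.

```yaml
---
scan_execution_policy:
  # Applies to every project linked to this policy project (no policy_scope).
  - name: SAST - Secret Detection Scan Execution Policy
    description: Runs SAST and Secret Detection on every pipeline.
    enabled: true
    rules:
      - type: pipeline
        branches:
          - '*'
    actions:
      - scan: sast
        tags: []
      - scan: secret_detection
        tags: []
  # Same policy project, but scoped: projects listed under `excluding`
  # do not get the container_scanning job injected into their pipelines,
  # which is what CONTAINER_SCANNING_DISABLED cannot achieve for policy jobs.
  - name: Container Scan Execution Policy
    description: Runs Container Scanning only in projects that ship images.
    enabled: true
    policy_scope:
      projects:
        excluding:
          - id: 11111   # placeholder: a library project with no Dockerfile
          - id: 22222   # placeholder: a documentation-only project
    rules:
      - type: pipeline
        branches:
          - '*'
    actions:
      - scan: container_scanning
        tags: []
```

The inverse form, `policy_scope.projects.including`, is the tighter choice when only a handful of projects should receive a scan, since new projects linked to the policy project then stay out of scope by default.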