Disabling specific policies when using security policies per project

Hi Team,

Recently, we became an Ultimate client and we are putting special emphasis on security best practices for our community. We’ve started to set up security policies, and there are some questions that we were wondering about.

Let’s assume the following example for the creation of a security policy:

---
scan_execution_policy:
- name: SAST - Secret Detection Scan Execution Policy
  description: A scan execution policy that runs SAST and Secret Detection on merge into main or master branches.
  enabled: true
  rules:
    - type: pipeline
      branches:
        - '*'
  actions:
    - scan: sast
      tags: []
    - scan: secret_detection
      tags: []
- name: Container Scan Execution Policy
  description: A scan execution policy that runs Container Scanning on merge into main or master branches.
  enabled: true
  rules:
    - type: pipeline
      branches:
        - '*'
  actions:
    - scan: container_scanning
      tags: []

We want our users to start linking this security policy. However, not all projects require, for example, the container scanning execution. According to Scan execution policies | GitLab, using the CONTAINER_SCANNING_DISABLED: true variable can avoid running this specific policy; however, the documentation also states that "Disabling jobs this way does not prevent the security jobs defined by scan execution policies from running."

Therefore the question is, is there any way for users to avoid running specific policies, and only run those really needed when using security policies? We would like to avoid creating several projects hosting a different security policy each.

Many thanks in advance.
Ismael