Only run one job in scheduled pipeline

Hi people,

I am currently trying to find a way to run GitLab Dependency Scanners via a scheduled pipeline and also on every commit, but I don't want any other jobs to run…

What is a manageable approach to this?

I know that I could add a rule which sets "when: never" if the pipeline is triggered by schedule. But how can I add this rule to all jobs (especially the SAST / Secret Detection jobs)?

Is it maybe possible to have a default job definition that is extended by all jobs? Then I would add the rule there.

Simplified pipeline example:

```yaml
include:
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml

stages:
  - test
  - release

# Release job (should not be executed on schedule)
release:
  stage: release
  script: echo "do release"
  rules:
    - if: "$CI_COMMIT_BRANCH == 'master'"
      when: always
    - when: never

# Some customizations for a SAST job
semgrep-sast:
  variables:
    SEARCH_MAX_DEPTH: 15
```

I would love to hear how you manage that in your projects to get some new approaches.

Thank you very much in advance!

workflow:rules as a global definition can help to avoid job templates with rules added to every job manually. A decision tree example is available in the GitLab project, running GitLab CI/CD itself.

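Worked example of the workflow:rules approach suggested in the reply above, added here and not part of the original thread. It assumes the GitLab-documented opt-out variables SAST_DISABLED and SECRET_DETECTION_DISABLED (which the bundled template jobs check in their own rules) and that variables set under workflow:rules are visible when job rules are evaluated, so no per-job "when: never" is needed for the scanners.

```yaml
# Added example, not from the original post.  A single workflow:rules block
# decides which pipelines run at all and stamps scheduled pipelines with the
# opt-out variables the security templates already honour.
include:
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml

stages:
  - test
  - release

workflow:
  rules:
    # First match wins, so the schedule rule must come before the branch rule:
    # a scheduled run on a branch also has $CI_COMMIT_BRANCH set.
    - if: $CI_PIPELINE_SOURCE == "schedule"
      variables:
        # Assumed template variables: their job rules turn into "when: never"
        # when these are set, leaving only Dependency Scanning to run.
        SAST_DISABLED: "true"
        SECRET_DETECTION_DISABLED: "true"
    # Every commit to any branch runs the full pipeline.
    - if: $CI_COMMIT_BRANCH

# Jobs that are not part of a template still need their own guard; the
# original "master only" rule alone would also fire for a schedule on master.
release:
  stage: release
  script: echo "do release"
  rules:
    - if: $CI_PIPELINE_SOURCE == "schedule"
      when: never
    - if: $CI_COMMIT_BRANCH == "master"
    - when: never

# Customizations for a template job are unaffected by workflow:rules.
semgrep-sast:
  variables:
    SEARCH_MAX_DEPTH: 15
```

Confirm the effect before relying on it: trigger the schedule once and check in the pipeline view that only the dependency-scanning job (and no release job) appears, since workflow:rules only filters pipelines and passes variables; the jobs' own rules still decide what runs.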