v13.x.x Tune up SecOps SAST, DAST, Dependency. License
I would like to limit these scans to merges to ‘develop’ for now vs scanning all the time. Later I may extend that to ‘master’. Mainly I wanted to stop these running on every push/branch and tune it up some so it’s more purposeful.
Main issue is when I set a parent rule:
```yaml
rules:
  - if: $CI_MERGE_REQUEST_TARGET_BRANCH_NAME == "develop" # Only on merge request
    when: always
```
My assumption is with this new rules setup, it overrides all the rules originally set in the parent SAST, DAST, Code Quality, License Management etc …
Due to this I see it still running sub scans and then ignoring if DIND is false for example.
I saw note of the workflow rules, however that would change everything and I don’t want that either.
Use case - FF Merge Only (advancing the commit through, not rebuilding/repackaging) and promoting a cached binary (jar, zip etc …)
Flow I’d prefer:
merge x to develop -> Scan, Unit Test. Looks good - Merge, Deploy to Dev Lab
Cut a release/ branch Deploy to SIT lab
Merge that to master, Deploy to Production
For example on NodeJS: setting this rule above stops SAST from running but sub jobs start running on push for all other branches:
- etc … (don’t want this)
Any tips appreciated, I can’t find much else to go on other than getting into some sub level / job overriding which seems a bit excessive.
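As an added example (not the poster's own config), here is a `.gitlab-ci.yml` fragment that scopes the 13.x SAST template to merge requests targeting `develop` without touching `workflow:`; it assumes a NodeJS project and uses the analyzer job names from the 13.x template, which overriding the placeholder `sast` job alone does not affect.

```yaml
include:
  - template: Security/SAST.gitlab-ci.yml

# Shared rule set, reused via a YAML anchor so it stays in one place.
# $CI_MERGE_REQUEST_TARGET_BRANCH_NAME is only set in merge request pipelines,
# so merge request pipelines must be enabled for the project.
.develop_mr_rules: &develop_mr_rules
  - if: $SAST_DISABLED
    when: never
  - if: '$CI_PIPELINE_SOURCE == "merge_request_event" && $CI_MERGE_REQUEST_TARGET_BRANCH_NAME == "develop"'

# Overriding `sast:` only changes the placeholder job. The analyzer jobs
# (eslint-sast, nodejs-scan-sast, ...) carry their own `rules:` in the template,
# so each one that applies to the project has to be overridden as well.
# A job-level `rules:` replaces the template's rules entirely, which is why the
# $SAST_DISABLED guard is repeated above; add back any `exists:` checks you rely on.
eslint-sast:
  rules: *develop_mr_rules

nodejs-scan-sast:
  rules: *develop_mr_rules
```

The same pattern applies to the Dependency Scanning, License Scanning and DAST templates: override the concrete analyzer job for each, not just the placeholder job.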