V13 Tuning when SecOps scans with new rules

v13.x.x Tune up SecOps SAST, DAST, Dependency. License

I would like to limit these scans to merge to ‘develop’ for now vs scanning all the time. Later I may extend that to ‘master’. Mainly I wanted to stop these running on every push/branch and tune it up some its more purposeful.

Main issue is when I set a parent rule:

rules:
    - if: $CI_MERGE_REQUEST_TARGET_BRANCH_NAME == "develop" # Only on merge request
      when: always

My assumption is with this new rules setup, it overrides all the rules originally set in the parent SAST, DAST, Code Quality, License Management etc …

Due to this I see it still running sub scans and then ignoring if DIND is false for example.

I saw note of the workflow rules, however that would change everything and I don’t want that either.

Usecase - FF Merge Only (advancing the commit thru not rebuilding/repackaging) and promoting a cached binary (jar, zip etc …)

Flow I’d prefer:
merge x to develop → Scan, Unit Test. Looks good - Merge, Deploy to Dev Lab
Cut a release/ branch Deploy to SIT lab
Merge that to master, Deploy to Production

For example on NodeJS: setting this rule above stops SAST from running but sub jobs start running on push for all other branches:

  • eslint-sast
  • nodejs-scan-sast
  • retire-js-dependancy-scanning
  • etc … (don’t want this)

Any tips appreciated, I can’t find much else to go on other than getting into some sub level / job overriding which seems a bit excessive.