Run standalone security tests not in a pipeline

Problem to solve

Security tests (SAST, DAST, etc.) currently run only if they are defined in the project's pipeline definition (or if the project has Auto DevOps enabled). This works well, but someone who just wants to give them a try has to make manual changes to enable the tests, which creates friction.

We also have the problem that security check results may change over time even if the code doesn't, because vulnerabilities are added to the database of known problems independently of the project. Security testing should therefore be a "background" process that runs continuously and reports problems as soon as the information is available.

Proposal

Implement a solution to allow security testing jobs to be run standalone, and not as part of a regular pipeline.

For the technical implementation, runners and jobs can be reused, but they should not be managed and driven by the .gitlab-ci.yml config or shown alongside other pipelines.

This feature can then be leveraged to run one-shot tests, or to schedule continuous security monitoring of existing assets (e.g., environments). These can be managed in the Security Control Panel (https://gitlab.com/gitlab-org/gitlab-ee/issues/7207).

What does success look like, and how can we measure that?

Users are checking security of their applications using this built-in feature.

Links / references
