Trigger security scan on pipeline/MR when introducing a new language or package manager

Problem to solve

With the removal of DinD and the orchestration layer for SAST and Dependency Scanning, security scans are triggered based on the content of CI_PROJECT_REPOSITORY_LANGUAGES. Since this value is only updated when changes are pushed to the default_branch, people can introduce vulnerabilities without noticing it.

Indeed, if an MR adds files or dependencies for a new language, that language won't be listed in CI_PROJECT_REPOSITORY_LANGUAGES and the corresponding analyzer jobs won't be executed.

Intended users

Further details

Even if this is far from ideal, the vulnerabilities will be reported on the default_branch after the merge, so they will be visible on the security dashboard.

Proposal

Check whether it is possible to detect new languages and update CI_PROJECT_REPOSITORY_LANGUAGES on all branches. See discussion.

Any other solution is also welcome.
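As an added illustration (not the GitLab SAST template itself, nor code from this issue), the first job below mirrors the template-style gating on CI_PROJECT_REPOSITORY_LANGUAGES, which only reflects the default branch; the second job is a hypothetical project-level interim mitigation that additionally keys on the files an MR changes. Job names, the image, the script and the file globs are assumptions for the example.

```yaml
# Added example, not the GitLab template. Job names, image, script and
# globs are placeholders chosen for illustration.
stages: [test]

# Gating in the style of the SAST template: the job runs only when Python is
# already recorded in CI_PROJECT_REPOSITORY_LANGUAGES, i.e. already present on
# the default branch. An MR that adds the very first .py file never starts it,
# which is the gap this issue describes.
python-sast-default-branch-gated:
  stage: test
  image: registry.example.com/analyzers/python-sast:latest   # placeholder
  script:
    - /analyzer run                                          # placeholder
  rules:
    - if: $CI_PROJECT_REPOSITORY_LANGUAGES =~ /\bpython\b/

# Interim mitigation at project level: also run in merge-request pipelines
# when the MR itself touches Python sources or package manifests, regardless
# of what the default branch currently reports. `changes:` in an MR pipeline
# is evaluated against the target branch, so newly added files qualify.
python-sast-mr-changes:
  stage: test
  image: registry.example.com/analyzers/python-sast:latest   # placeholder
  script:
    - /analyzer run                                          # placeholder
  rules:
    # Both conditions of one rule must hold: MR pipeline AND relevant change.
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
      changes:
        - "**/*.py"
        - "**/requirements*.txt"
        - "**/Pipfile"
        - "**/pyproject.toml"
    # Keep the original behaviour for branch pipelines on the default branch.
    - if: $CI_PROJECT_REPOSITORY_LANGUAGES =~ /\bpython\b/
```

This only narrows the window for one language per hand-maintained glob list; the proposal above (keeping CI_PROJECT_REPOSITORY_LANGUAGES current on every branch) is what removes the gap generally.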

Permissions and Security

Documentation

  • Update any related doc that may state the current behavior (that should have been added as part of #211694 (closed))

Availability & Testing

What does success look like, and how can we measure that?

When files or dependencies for a new language or package manager are added, the corresponding analyzer jobs are triggered and report vulnerabilities immediately in the MR, instead of having to wait for the merge.

What is the type of buyer?

GitLab Ultimate

Is this a cross-stage feature?

Yes, this impacts:

Links / references

Edited by Fabien Catteau