Trigger security scan on pipeline/MR when introducing a new language or package manager
Problem to solve
With the removal of DinD and the orchestration layer for SAST and Dependency Scanning, security scans are triggered based on the content of
CI_PROJECT_REPOSITORY_LANGUAGES. Since this variable is only updated when changes are pushed to the
default_branch, a merge request can introduce vulnerabilities that go unnoticed.
Indeed, if an MR adds files or dependencies for a new language, that language won't be listed in
CI_PROJECT_REPOSITORY_LANGUAGES, so the corresponding analyzer jobs won't be executed on the MR pipeline.
- Delaney (Development Team Lead)
- Sasha (Software Developer)
- Devon (DevOps Engineer)
- Sam (Security Analyst)
Even though this is far from ideal, the vulnerabilities will still be reported on the
default_branch after the merge, and will therefore be visible on the security dashboard.
Check whether it is possible to detect new languages and update
CI_PROJECT_REPOSITORY_LANGUAGES on all branches. See discussion.
Any other solution is also welcome.
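To make the gap concrete, here is an added illustration (not GitLab's shipped SAST template) of a job rule keyed on CI_PROJECT_REPOSITORY_LANGUAGES next to the same job keyed on the files present in the branch being built. The job names, the image and the file globs are assumptions for this example.

```yaml
# Added illustration, not GitLab's shipped SAST template. Job names,
# the image and the file globs are assumptions for this example.

# Before: the job is selected from CI_PROJECT_REPOSITORY_LANGUAGES, a
# project-level value that GitLab recomputes only on pushes to the
# default branch. An MR that adds the first *.py file to a repository
# whose default branch has no Python does not match this rule, so no
# Python analyzer runs and findings surface only after the merge.
python-sast-by-language-variable:
  stage: test
  image: registry.example.com/analyzers/python-sast:latest   # placeholder image
  script:
    - /analyzer run
  rules:
    - if: $SAST_DISABLED
      when: never
    - if: $CI_COMMIT_BRANCH && $CI_PROJECT_REPOSITORY_LANGUAGES =~ /\bpython\b/

# After: the rule uses `exists`, which is evaluated against the files in
# the commit being built (the MR's branch), so the job is selected as
# soon as the MR introduces matching files, regardless of what the
# default branch currently contains.
python-sast-by-files-in-branch:
  stage: test
  image: registry.example.com/analyzers/python-sast:latest   # placeholder image
  script:
    - /analyzer run
  rules:
    - if: $SAST_DISABLED
      when: never
    - if: $CI_COMMIT_BRANCH
      exists:
        - '**/*.py'
        - '**/requirements*.txt'
        - '**/Pipfile'
        - '**/setup.py'
```

The same substitution applies to Dependency Scanning jobs, keyed on the package manager's manifest or lockfile rather than on the language variable.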
Permissions and Security
- Update any related docs that describe the current behavior (these should have been added as part of #211694 (closed))
Availability & Testing
What does success look like, and how can we measure that?
When adding files or dependencies for a new language or package manager, the corresponding analyzer jobs are triggered and report vulnerabilities immediately in the MR, instead of having to wait for the merge.
What is the type of buyer?
Is this a cross-stage feature?
Yes, this impacts: