Add feature to Block from progressing in pipeline if Security Vulnerability is found
Problem to solve
There are cases where users do not wish to move forward in the pipeline if a vulnerability was detected. Currently, even if vulnerabilities are detected, the pipeline continues to the later stages (e.g. Deploy to Dev Environment, Run Functional Tests, etc.) as long as the security job itself exits successfully. This consumes resources (runner minutes, a deployed environment) even when the developer would not want to proceed with critical vulnerabilities present.
Intended users
- Sasha (Software Developer)
- Devon (DevOps Engineer)
- Simone (Software Engineer in Test)
- Allison (Application Ops)
User experience goal
Add a directive such as allow_progression_on_vuln to .gitlab-ci.yml which, when set to false, stops the pipeline from proceeding if a vulnerability is found:
sast:
  stage: test
  allow_progression_on_vuln: false
It is analogous to the allow_failure directive, which controls whether a failing job blocks the rest of the pipeline; the difference is that this directive is triggered by the scan's findings rather than by the job's exit status.
Proposal
A new directive for the security scan jobs in .gitlab-ci.yml that stops the pipeline if a vulnerability is found, even though the scan job itself completed successfully.
Further details
Allows developers to save time and resources when they do not wish to proceed after vulnerabilities are detected.
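Until such a directive exists, the same effect can be obtained by adding a gate job that reads the scan's report artifact and exits non-zero when findings reach a chosen severity, so that the ordinary allow_failure: false behaviour stops the pipeline. The script below is an added example written for this proposal; it is not code from GitLab or from the original issue. It assumes the report is the JSON artifact the SAST job emits (gl-sast-report.json) with a top-level "vulnerabilities" list whose entries carry a "severity" field using the Info/Unknown/Low/Medium/High/Critical scale; the sample report embedded in it is constructed, not real scanner output, and the schema should be checked against the GitLab version in use.

```python
"""Gate a pipeline on the findings in a GitLab security report.

Added example, not part of the proposal or of GitLab's own code. It assumes
the report is the JSON artifact the SAST job emits (gl-sast-report.json)
with a top-level "vulnerabilities" list whose entries carry a "severity"
field; check the report schema for the GitLab version in use.
"""
import json
import sys

# Severity scale used by GitLab security reports, weakest first.
SEVERITY_ORDER = ["Info", "Unknown", "Low", "Medium", "High", "Critical"]


def severity_rank(severity):
    """Rank a severity string; unrecognised values are treated as Unknown."""
    try:
        return SEVERITY_ORDER.index(severity)
    except ValueError:
        return SEVERITY_ORDER.index("Unknown")


def blocking_findings(report, min_severity="High"):
    """Return the findings at or above min_severity that should stop the pipeline."""
    threshold = severity_rank(min_severity)
    return [
        v for v in report.get("vulnerabilities", [])
        if severity_rank(v.get("severity", "Unknown")) >= threshold
    ]


def gate_exit_code(report, min_severity="High"):
    """0 if the pipeline may proceed, 1 if it must stop (like allow_failure: false)."""
    return 1 if blocking_findings(report, min_severity) else 0


# Constructed sample report (not real scanner output) with findings at three tiers.
SAMPLE_REPORT = {
    "version": "15.0.0",
    "vulnerabilities": [
        {"id": "a1", "name": "Hard-coded credential", "severity": "Critical",
         "location": {"file": "config.py", "start_line": 12}},
        {"id": "b2", "name": "Use of weak hash", "severity": "Medium",
         "location": {"file": "auth.py", "start_line": 40}},
        {"id": "c3", "name": "Debug flag enabled", "severity": "Low",
         "location": {"file": "app.py", "start_line": 3}},
    ],
}


def main(argv):
    """Usage: gate.py <report.json> [min_severity]; the exit status is the gate result."""
    with open(argv[1]) as fh:
        report = json.load(fh)
    min_severity = argv[2] if len(argv) > 2 else "High"
    for v in blocking_findings(report, min_severity):
        loc = v.get("location", {})
        print(f"{v['severity']}: {v['name']} at {loc.get('file')}:{loc.get('start_line')}")
    return gate_exit_code(report, min_severity)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In the pipeline this runs as a separate job in the test stage that needs the sast job and has the report available to it as an artifact; because the gate job is a normal job with the default allow_failure: false, its non-zero exit prevents later stages such as the Dev deployment from starting. The threshold argument (High by default here) is the knob the proposed directive would eventually replace.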
Permissions and Security
Anyone with permission to edit .gitlab-ci.yml can set, change, or remove the directive. Because it lives in the repository's CI configuration, it is only as strong as the protection on that file: a developer who can push to the branch can also disable the gate, so enforcing it on protected branches still depends on branch protection and merge request approval rules rather than on the directive alone.
Documentation
Availability & Testing
What does success look like, and how can we measure that?
What is the type of buyer?
Is this a cross-stage feature?
No, just in the Secure Stage.