Allow forcing vulnerability findings storage and deduplication before pipeline completion
Release notes
Problem to solve
When running security scan jobs on the default branch, vulnerability findings are de-duplicated and then persisted to the database only on pipeline completion (even if the pipeline fails). Once the pipeline completes, the vulnerabilities shown in the pipeline security tab match the project's Vulnerability Report. Some users have processes that require a manual job as a final pipeline step to review the results and decide whether to "accept" or "reject" the pipeline, typically as a final gate before automated deployment.
In this scenario, the pipeline security tab will show the latest vulnerabilities present, but the Vulnerability Report may not match because the pipeline has not completed. This makes auditing and comparison a challenge. We need to enable customers that have a manual pipeline action after the security scan jobs to force the de-duplication and persistence before pipeline completion.
Intended users
User experience goal
Proposal
Create a mechanism to manually force the de-duplication and vulnerability persistence process that normally triggers on pipeline completion. The mechanism should be straightforward to add to any pipeline. If feasible, use some kind of flag or CI variable that can be easily configured.
Further details
This new mechanism should only work when used after all scanning jobs configured for a pipeline complete. Ideally, this mechanism cannot be triggered prior to the scanning jobs completing. If this isn't feasible, improper configuration should generate the appropriate error message.
For consideration: Should this mechanism only be available when using a manual pipeline step between the scanners and pipeline completion?
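As an added illustration (not part of this issue), a `.gitlab-ci.yml` sketch of the pipeline shape described above: scanners in the `test` stage, a manual review gate, and a deploy job that depends on it. The `FORCE_VULNERABILITY_PERSISTENCE` variable is a hypothetical placeholder for the flag this issue proposes, not an existing GitLab setting.

```yaml
# Added illustration: the pipeline layout the issue describes.
# Scan jobs run in `test`; the manual review job sits in its own later stage,
# so stage ordering alone guarantees it cannot start before every scan job
# has finished (the ordering constraint the proposed mechanism must enforce).
stages:
  - test
  - review
  - deploy

include:
  - template: Jobs/SAST.gitlab-ci.yml
  - template: Jobs/Dependency-Scanning.gitlab-ci.yml

# Manual gate: a reviewer inspects the pipeline security tab and plays this job
# to "accept" the pipeline. Until it is played, the pipeline is not complete,
# so today the findings are not yet de-duplicated or persisted.
review_findings:
  stage: review
  when: manual
  allow_failure: false
  variables:
    # Hypothetical placeholder for the flag/CI variable the issue proposes;
    # no such variable exists today.
    FORCE_VULNERABILITY_PERSISTENCE: "true"
  script:
    - echo "Findings reviewed and accepted for $CI_COMMIT_SHA"
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH

# Deployment only runs once the review gate has been played and succeeded.
deploy:
  stage: deploy
  needs: [review_findings]
  script:
    - echo "Deploying $CI_COMMIT_SHA after accepted review"
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
```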