Warn about Dependency Scanning jobs using unauthorized Docker images
Release notes
Problem to solve
As a user of Dependency Scanning (DS), I want the names of the Docker images used by the scanning jobs to be carefully reviewed. If I need to change the CI variables SECURE_ANALYZERS_PREFIX and DS_ANALYZER_IMAGE to use non-default images, then I want these variables to be set in the CI config of my project (or in a shared CI config), and I want this change to be reviewed in a merge request. I want to prevent developers from setting these CI variables dynamically when triggering a pipeline, or else I want to be notified when this happens.
CLOSED: The risk can be mitigated by using compliance pipelines. See #337295 (comment 1086888013)
Proposal
Show a warning when the dynamic value of SECURE_ANALYZERS_PREFIX doesn't match what's set in the project CI config.
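The check described in the proposal, and the compliance-pipeline mitigation mentioned in the closing comment, can be approximated today with a guard step that runs before the Dependency Scanning job. The script below is an added example and is not part of this issue or of GitLab's own CI templates: it compares the effective values of SECURE_ANALYZERS_PREFIX and DS_ANALYZER_IMAGE (which a pipeline trigger may have overridden) against values pinned in a file committed to the repository, so any change to the analyzer images has to go through a reviewed merge request. The pin-file format, its path, and all registry names are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the issue or of GitLab's templates: a guard step a
# compliance pipeline could run before the Dependency Scanning job. It compares
# the effective (possibly pipeline-supplied) SECURE_ANALYZERS_PREFIX and
# DS_ANALYZER_IMAGE with values pinned in a committed file, so an override can
# only land through a reviewed merge request. The pin-file format (KEY=value
# lines) and all registry names below are assumptions made for this example.

# Print the value pinned for KEY in the pin file (first matching KEY=value line).
pinned_value() {
  key=$1
  file=$2
  sed -n "s/^${key}=//p" "$file" | head -n 1
}

# Compare one variable's actual value with its pinned value.
# Prints a warning and returns 1 on mismatch; returns 0 when they agree.
check_pinned() {
  name=$1
  actual=$2
  expected=$3
  if [ "$actual" != "$expected" ]; then
    printf 'WARNING: %s is "%s" but the reviewed CI config pins "%s"\n' \
      "$name" "$actual" "$expected" >&2
    return 1
  fi
  return 0
}

# Check both Dependency Scanning image variables against the pin file.
# Returns 0 when both match, 1 when either one was overridden.
check_ds_images() {
  pin_file=$1
  actual_prefix=$2
  actual_image=$3
  status=0
  check_pinned SECURE_ANALYZERS_PREFIX "$actual_prefix" \
    "$(pinned_value SECURE_ANALYZERS_PREFIX "$pin_file")" || status=1
  check_pinned DS_ANALYZER_IMAGE "$actual_image" \
    "$(pinned_value DS_ANALYZER_IMAGE "$pin_file")" || status=1
  return $status
}

# Demonstration with a constructed pin file and constructed pipeline values.
# In a real job the actual values would be "$SECURE_ANALYZERS_PREFIX" and
# "$DS_ANALYZER_IMAGE" taken from the pipeline environment.
demo_pins=$(mktemp)
cat > "$demo_pins" <<'EOF'
SECURE_ANALYZERS_PREFIX=registry.example.com/security-products
DS_ANALYZER_IMAGE=registry.example.com/security-products/gemnasium:4
EOF

# Values that match the pins pass silently.
check_ds_images "$demo_pins" \
  registry.example.com/security-products \
  registry.example.com/security-products/gemnasium:4 && echo "images match pins"

# A prefix supplied at pipeline run time produces a warning and a non-zero exit,
# which a compliance pipeline can use to fail the job or raise an alert.
check_ds_images "$demo_pins" \
  unreviewed.example.net/analyzers \
  registry.example.com/security-products/gemnasium:4 || echo "override detected"
rm -f "$demo_pins"
```

Running the guard from a compliance pipeline rather than from the project's own .gitlab-ci.yml matters, because a job defined in the project config could itself be edited by the developer who triggers the pipeline; the pin file should likewise live somewhere that requires approval to change.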
Is this a cross-stage feature?
This might be relevant to the entire Sec section.