Security scan MR widget not shown when pipeline is triggered by $CI_PIPELINE_SOURCE == "merge_request_event"
Summary
Our security scanners default to using:

rules:
  - if: $CI_COMMIT_BRANCH
If these security scanners are run on a project that has >= 1 job with:

rules:
  - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'

Two pipelines are run in parallel - one for the CI_COMMIT_BRANCH jobs (Secure scans), and another for the merge_request_event.
This situation causes the MR widget to stop working - it is never displayed, even when the Security Scans successfully detect and report vulnerabilities.
Steps to reproduce
- Import https://gitlab.com/greg/263535 to a new project using Import > Repo by URL
- Trigger pipeline on default branch (to get baseline scan)
- Switch to the bugreport branch, add some text to README.md and create an MR
- Let the two pipelines successfully run
- View the merge request - note that there is no MR widget
Example Project
https://gitlab.com/greg/263535
Example use case
Customer has a custom job that checks the title of an MR and standardizes/prefixes it. This should only be run in the context of an MR, so the job uses rules with $CI_PIPELINE_SOURCE == "merge_request_event".
Including all the Security templates (via include:) alongside this job prevents the MR widget from populating.
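The following .gitlab-ci.yml is an added example, not configuration from the reporter's project or from GitLab's templates. It reproduces the two ingredients described above (a security template plus an MR-only job) and shows the workaround of collapsing the two parallel pipelines into one, so that the scan report artifact is produced in the same pipeline the merge request is associated with. It assumes the Secret-Detection template and its job name secret_detection; the check-mr-title job and its script are placeholders standing in for the customer's title-checking job.

```yaml
# Added example; not from the issue or from the GitLab templates.
# Assumes the Secret-Detection template and its job name `secret_detection`;
# adapt the job name and rules to whichever scanner templates you include.

include:
  - template: Security/Secret-Detection.gitlab-ci.yml

# Run a single pipeline per push: a merge_request_event pipeline when an open MR
# exists for the branch, otherwise a branch pipeline. This avoids the parallel
# branch + merge_request_event pipelines described in the report.
workflow:
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH && $CI_OPEN_MERGE_REQUESTS
      when: never
    - if: $CI_COMMIT_BRANCH

# The template job defaults to `if: $CI_COMMIT_BRANCH`, which is unset in MR
# pipelines, so its rules are re-declared here to cover both pipeline kinds.
# Overriding `rules` replaces the template's list entirely; carry over any
# `when: never` guards from the template (e.g. a *_DISABLED variable) if you
# rely on them.
secret_detection:
  rules:
    - if: $SECRET_DETECTION_DISABLED
      when: never
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH

# Hypothetical stand-in for the customer's MR-only job: it still runs only in
# merge_request_event pipelines, which is now the only pipeline for the branch.
check-mr-title:
  stage: test
  script:
    - echo "Checking title of MR !$CI_MERGE_REQUEST_IID: $CI_MERGE_REQUEST_TITLE"
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
```

With this layout a push to a branch that has an open MR produces exactly one pipeline, of source merge_request_event, containing both the scan job and the MR-only job; a push to a branch with no MR still gets a branch pipeline with the baseline scan. This is a project-side workaround and does not change the behaviour reported above for projects that keep the default template rules.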
What is the current bug behavior?
Security scanners detect new vulnerabilities in a merge request, but MR widget does not appear or display them.
What is the expected correct behavior?
When Security Scanners detect new vulnerabilities, they show the results in the MR widget.
Relevant logs and/or screenshots
Expected behavior:
Actual behavior:
Output of checks
This happens on GitLab.com
Results of GitLab environment info
This happens on GitLab.com
Results of GitLab application Check
This happens on GitLab.com