[Spike] Investigate how to enforce SAST and Dependency Scanning scans from Security Policies without using child pipelines
Timebox: 3 days
Current scenario
Currently, SAST and Dependency Scanning jobs enforced by Scan Execution Policies run in child pipelines. This causes problems for some customers, so we would like to verify what we can do to remove this limitation.
Limitations
- We need to remember to verify the scenario in which SAST is both enabled for the project and enforced by Scan Execution Policies. In this case we should see duplicated jobs; this is accepted.
- To keep consistency with the current behavior for Container Scanning or Secret Detection scans enforced by policies, we would like to keep the index of the job as a suffix to the job name, like `brakeman-sast-0`.
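For reference, this is the kind of Scan Execution Policy that triggers the enforced jobs discussed above. It is an added example for this spike, not configuration from the issue or from the GitLab code base; the policy name, description and branch list are assumptions, while the `scan_execution_policy`, `rules` and `actions` keys follow the published policy schema.

```yaml
# Added example: a Scan Execution Policy that enforces both scanners on the
# default branch. With the current implementation these actions produce the
# enforced jobs in a child pipeline; the spike investigates running them in
# the project's own pipeline instead, keeping the "-<index>" job-name suffix
# (e.g. brakeman-sast-0) already used for enforced Container Scanning and
# Secret Detection jobs.
scan_execution_policy:
  - name: Enforce SAST and Dependency Scanning   # assumed policy name
    description: PoC policy for the spike        # assumed description
    enabled: true
    rules:
      - type: pipeline
        branches:
          - main                                 # assumed branch
    actions:
      - scan: sast                               # index 0 -> e.g. brakeman-sast-0
      - scan: dependency_scanning                # index 1 -> e.g. <analyzer>-dependency-scanning-1
```

When a project also has SAST enabled through its own `.gitlab-ci.yml`, the project-defined job and the policy-enforced job both run, which is the accepted duplication noted in the first limitation.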
Goal
The goal of this spike is to prepare a Proof of Concept with SAST/Dependency Scanning jobs running in the same pipeline and, based on it, prepare an issue with an implementation plan.