Make scan execution policy not fail pipelines when the project uses an unsupported language or framework

Summary

Currently, Scan Execution policies have started injecting the scan-policies stage into pipelines when the test stage is not present in the project's .gitlab-ci.yml. This prevents developers from circumventing the execution policies. However, this behaviour is problematic for projects that don't have any files matching the if:rules in the security scan templates. In this case, the created job/pipeline will fail with "Downstream pipeline cannot be created, no stage/ jobs for this pipeline". This error causes confusion and failed pipelines for developers.

We had a customer ticket (internal link) where the customer really wants this current behaviour to change. The desired behaviour is to not inject the stage and job when the security scan doesn't support the language and framework of the project.

For example, supported languages with SAST

Steps to reproduce

  1. Create a project with just some .md files and enforce SAST jobs by execution policy.
  2. Create a .gitlab-ci.yml file; the pipeline should not have a test stage.
  3. Run it.

Example Project

What is the current bug behavior?

The pipeline fails and the downstream pipeline is not created, with the error "Downstream pipeline cannot be created, no stage/ jobs for this pipeline".

What is the expected correct behavior?

The ideal behaviour would be to not create the downstream pipeline if there are no jobs to be executed, rather than creating it and marking it as failed.

Relevant logs and/or screenshots

https://gitlab.com/gitlab-org/gitlab/uploads/e00e4e17be7e8660b54fa52de05c621e/Screenshot_2022-04-21_at_10.38.43_PM.png

Output of checks

This bug happens on GitLab.com

Edited by Kate Grechishkina
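The expected behaviour described in this issue, sketched as an added example (not GitLab's implementation): decide whether to inject the scan-policies stage by first checking whether any enforced SAST job would match files in the project. The job-to-glob table is an illustrative subset chosen for this example, and the function names are hypothetical.

```python
from fnmatch import fnmatchcase
from pathlib import PurePosixPath

# Assumption: illustrative subset of "job -> file globs" rules, constructed
# for this example. The real SAST template covers many more languages.
SAST_RULES = {
    "semgrep-sast": ["**/*.py", "**/*.js", "**/*.go"],
    "brakeman-sast": ["**/*.rb", "**/Gemfile"],
}


def matches(path, glob):
    """Match one repository path against one glob.

    Simplification: a leading "**/" means "this file name at any depth";
    any other glob is compared against the full path.
    """
    if glob.startswith("**/"):
        return fnmatchcase(PurePosixPath(path).name, glob[3:])
    return fnmatchcase(path, glob)


def jobs_for(paths, rules=SAST_RULES):
    """Return the sorted names of jobs with at least one matching file."""
    return sorted(
        job
        for job, globs in rules.items()
        if any(matches(p, g) for p in paths for g in globs)
    )


def plan_policy_stage(paths, rules=SAST_RULES):
    """Plan the injection: no matching job means no stage and no child pipeline."""
    jobs = jobs_for(paths, rules)
    if not jobs:
        # The case from the issue: nothing to run, so inject nothing
        # instead of creating a downstream pipeline that fails as empty.
        return {"inject": False, "stage": None, "jobs": []}
    return {"inject": True, "stage": "scan-policies", "jobs": jobs}


if __name__ == "__main__":
    # Constructed sample trees: the markdown-only project from the
    # reproduction steps, and one with a supported language.
    print(plan_policy_stage(["README.md", "docs/guide.md"]))
    print(plan_policy_stage(["README.md", "src/app.py", "Gemfile"]))
```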