Breaking change notice: Secure CI/CD template updates in 16.0
For guidance on the overall deprecations, removals and breaking changes workflow, please visit Breaking changes, deprecations, and removing features
Deprecation Summary
GitLab-managed CI/CD templates for security scanning will be updated in the GitLab 16.0 release. The updates will include improvements already released in the Latest versions of the CI/CD templates. We released these changes in the Latest template versions because they have the potential to disrupt customized CI/CD pipeline configurations.
In all updated templates, we're updating the definition of variables like SAST_DISABLED and DEPENDENCY_SCANNING_DISABLED to disable scanning only if the value is "true". Previously, even if the value were "false", scanning would be disabled.
The following templates will be updated:
- API Fuzzing:
API-Fuzzing.gitlab-ci.yml - Container Scanning:
Container-Scanning.gitlab-ci.yml - Coverage-Guided Fuzzing:
Coverage-Fuzzing.gitlab-ci.yml - DAST:
DAST.gitlab-ci.yml - DAST API:
DAST-API.gitlab-ci.yml - Dependency Scanning:
Dependency-Scanning.gitlab-ci.yml - IaC Scanning:
SAST-IaC.gitlab-ci.yml - SAST:
SAST.gitlab-ci.yml - Secret Detection:
Secret-Detection.gitlab-ci.yml
We recommend that you test your pipelines before the 16.0 release if you use one of the templates listed above and you use the _DISABLED variables but set a value other than "true".
Update: We previously announced that we would update the rules on the affected templates to run in merge request pipelines by default.
However, due to compatibility issues discussed in the deprecation issue, we will no longer make this change in GitLab 16.0. We will still release the changes to the _DISABLED variables as described above.
(Content from https://gitlab.com/gitlab-org/gitlab/-/blob/master/data/deprecations/15-9-secure-template-changes.yml?ref_type=heads. The documentation is the single source of truth for deprecations and removals.)
Breaking Change
This is a potential breaking change only under the conditions listed above.
Affected Topology
All users.
Affected Tier
All tiers.
Checklists
Labels
-
This issue is labeled deprecation, and with the relevant ~devops::,~group::, and~Category:labels. -
This issue is labeled breaking change if the removal of the deprecated item will be a breaking change.
Timeline
Please add links to the relevant merge requests.
- As soon as possible, but no later than the third milestone preceding the major release (for example, given the following release schedule:
14.8, 14.9, 14.10, 15.0–14.8is the third milestone preceding the major release):-
A deprecation announcement entry has been created so the deprecation will appear in release posts and on the general deprecation page. -
(N/A) Documentation has been updated to mark the feature as deprecated.
-
-
On or before the major milestone: A removal entry has been created so the removal will appear on the removals by milestones page and be announced in the release post. - On the major milestone:
-
The deprecated item has been removed. -
If the removal of the deprecated item is a breaking change, the merge request is labeled breaking change.
-
Mentions
-
Your stage's stable counterparts have been @mentionedon this issue. For example, Customer Support, Customer Success (Technical Account Manager), Product Marketing Manager.- To see who the stable counterparts are for a product team visit product categories
- If there is no stable counterpart listed for Sales/CS please mention
@timtams - If there is no stable counterpart listed for Support please mention
@gitlab-com/support/managers - If there is no stable counterpart listed for Marketing please mention
@cfoster3
- If there is no stable counterpart listed for Sales/CS please mention
- To see who the stable counterparts are for a product team visit product categories
-
Your GPM has been @mentionedso that they are aware of planned deprecations. The goal is to have reviews happen at least two releases before the final removal of the feature or introduction of a breaking change.