Enforce IaC Scanning with Scan Execution Policies (SEPs)

Release notes

Users can now require SAST IaC scans to run on a regular schedule or as part of project CI pipelines, independent of the .gitlab-ci.yml file’s contents. This allows security teams to manage these scan requirements separately without allowing developers to change the configuration. You can get started by creating a scan execution policy on the Security & Compliance > Policies page.

Proposal

Add IaC Scanning as a supported scan type for Scan Execution Policies.

This would run the pipeline defined in the SAST-IaC template.

IaC scanning is controlled separately from SAST today, and we should maintain the ability to set policies differently for each, because the two scans serve different personas and use cases.
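As an added illustration (not from this issue or from GitLab's own documentation), here is what a scan execution policy file could look like once IaC is a supported scan type: it enforces IaC scanning on every pipeline and on a nightly schedule, while SAST keeps its own independent policy. It assumes the `scan_execution_policy` schema with `pipeline`/`schedule` rules and the `sast_iac` scan type, so check the key names against the docs for your GitLab version.

```yaml
# Added example: two separate policies so IaC and SAST can be tuned independently.
# Assumes the scan execution policy schema and the `sast_iac` scan type.
scan_execution_policy:
  - name: Enforce IaC scanning
    description: >-
      Run SAST IaC scans regardless of what the project's .gitlab-ci.yml defines.
    enabled: true
    rules:
      # Run in every pipeline on the default branch...
      - type: pipeline
        branches:
          - main
      # ...and nightly, so rarely-pushed projects are still covered.
      - type: schedule
        cadence: "0 2 * * *"
        branches:
          - main
    actions:
      - scan: sast_iac

  - name: Enforce SAST
    description: Application-code SAST, governed separately from IaC.
    enabled: true
    rules:
      - type: pipeline
        branches:
          - main
    actions:
      - scan: sast
```

Because the policy lives in the security policy project rather than in the scanned project's `.gitlab-ci.yml`, developers cannot remove or weaken the IaC job from the project side.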

Prior art

Dependency Scanning went through a similar process. See these references for the likely scope of this work:

Edited by Grant Hickman