Control IaC Scanning results separately from SAST in Scan Result Policies (SRPs)
Problem
In Enforce IaC Scanning with Scan Execution Polici... (#392966 - closed) we propose adding IaC Scanning as a scan type for Scan Execution Policies (SEPs). When IaC Scanning results are evaluated by Scan Result Policies, they are currently treated exactly like non-IaC SAST findings, because both kinds of finding carry the same scan_type.
Proposal
- Document now that SAST SRPs refer to both IaC and SAST results.
- Change behavior:
  - Add IaC Scanning as a separate scan type for Scan Result Policies.
  - For this type of policy, only consider IaC Scanning results.
  - Migrate existing SAST Scan Result Policies to refer to both SAST and SAST-IaC, to ensure that we don't inadvertently remove protections that users were relying on.
- Update documentation:
  - Add IaC Scanning as a separate scan type for Scan Result Policies.
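The migration bullet above is the step most likely to silently weaken a project's gates if done carelessly: a SAST policy that today blocks IaC findings must keep blocking them after the split. The following is an added illustration of that migration, not GitLab's own code. It assumes policies have the documented scan result policy shape (`scan_result_policy` -> `rules[]` with `type: scan_finding` and a `scanners` list) and it assumes the new scanner value is spelled `sast_iac`; the issue only calls it "SAST-IaC", so that identifier is an assumption.

```python
"""Migration sketch for the proposal's 'migrate existing SAST policies' step.

Added example, not GitLab's own migration code. Assumptions:
  - policy documents follow the documented scan result policy shape:
    {"scan_result_policy": [{"name": ..., "rules": [{"type": "scan_finding",
     "scanners": [...], ...}], "actions": [...]}]}
  - the scanner value for IaC Scanning is spelled "sast_iac" (assumed; the
    issue only calls it "SAST-IaC")
"""
import copy

SAST_SCANNER = "sast"
IAC_SCANNER = "sast_iac"  # assumed name for the proposed IaC scanner value


def migrate_rule(rule):
    """Add IAC_SCANNER to a scan_finding rule that lists SAST_SCANNER.

    Returns True if the rule was changed. Rules of other types, rules that
    do not mention SAST, and rules that already list the IaC scanner are
    left alone, so running the migration twice is a no-op.
    """
    if rule.get("type") != "scan_finding":
        return False
    scanners = rule.get("scanners") or []
    if SAST_SCANNER not in scanners or IAC_SCANNER in scanners:
        return False
    # Insert directly after "sast" so the migrated list reads naturally.
    scanners.insert(scanners.index(SAST_SCANNER) + 1, IAC_SCANNER)
    rule["scanners"] = scanners
    return True


def migrate_document(doc):
    """Return (migrated_copy, number_of_rules_changed) for a policy document.

    The input is not modified; the caller decides whether to write the copy
    back to the policy project.
    """
    migrated = copy.deepcopy(doc)
    changed = 0
    for policy in migrated.get("scan_result_policy", []):
        for rule in policy.get("rules", []):
            if migrate_rule(rule):
                changed += 1
    return migrated, changed


def _approval_action():
    # Constructed action shared by the sample policies below.
    return [{"type": "require_approval", "approvals_required": 1,
             "user_approvers": ["security-lead"]}]


# Constructed sample: a SAST policy that must be migrated, a dependency
# scanning policy that must not be touched, and a policy already migrated.
SAMPLE_DOC = {
    "scan_result_policy": [
        {
            "name": "Block critical SAST findings",
            "enabled": True,
            "rules": [{"type": "scan_finding", "branches": ["main"],
                       "scanners": ["sast"],
                       "vulnerabilities_allowed": 0,
                       "severity_levels": ["critical"],
                       "vulnerability_states": ["newly_detected"]}],
            "actions": _approval_action(),
        },
        {
            "name": "Dependency scanning gate",
            "enabled": True,
            "rules": [{"type": "scan_finding", "branches": ["main"],
                       "scanners": ["dependency_scanning"],
                       "vulnerabilities_allowed": 0,
                       "severity_levels": ["high", "critical"],
                       "vulnerability_states": ["newly_detected"]}],
            "actions": _approval_action(),
        },
        {
            "name": "Already covers both",
            "enabled": True,
            "rules": [{"type": "scan_finding", "branches": ["main"],
                       "scanners": ["sast", "sast_iac"],
                       "vulnerabilities_allowed": 0,
                       "severity_levels": ["critical"],
                       "vulnerability_states": ["newly_detected"]}],
            "actions": _approval_action(),
        },
    ]
}

if __name__ == "__main__":
    new_doc, n = migrate_document(SAMPLE_DOC)
    print(f"rules changed: {n}")
    for policy in new_doc["scan_result_policy"]:
        print(policy["name"], "->", policy["rules"][0]["scanners"])
```

Two properties matter for a migration like this: it must never shrink the set of findings a policy already matches (so `sast` is kept and `sast_iac` is added beside it), and it must be safe to re-run, since policy projects may be processed more than once during a rollout.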
Implementation plan
To be determined. This is complicated by the fact that IaC results are processed and stored in the same way as non-IaC SAST results, so the two cannot currently be told apart when a Scan Result Policy is evaluated.
Related issues
Enforce IaC Scanning with Scan Execution Polici... (#392966 - closed)