Clarify Scan Result Policies for SAST include SAST and IaC


Release notes

Problem to solve

Our Scan Result Policies already cover IaC under the SAST category. This is the same way the product behaves when you visit the Vulnerability Report page and filter the results by SAST. Here as well, you will notice there is no separate IaC filter because it is all combined together.

However, when enforcing Scan Execution Policies, SAST IaC was not properly included when users enforce SAST to run in the policy. This gap is being addressed in Enforce IaC Scanning with Scan Execution Polici... (#392966 - closed).

With this change, there could still be some confusion when defining Scan Result Policies. This MR will clarify this in our documentation, but there could be areas to improve our UI to be clearer on this point.

Proposal

For this issue we'll focus on the short-term solution. We might consider renaming the dropdown for Scan Result Policies to say SAST and IaC or something to that effect, but if we do rename it then we should probably rename it elsewhere in the product as well (Vulnerability Report and a few other places).

Longer-term, we will probably want to have Threat Insights extend out the report schema to allow for SAST IaC to be reported as its own type of results so these can be managed and filtered independently. The long-term solution will be tracked in Control IaC Scanning results separately from SA... (#392967).

Intended users


Edited by 🤖 GitLab Bot 🤖