Security policies should be configurable to allow projects to be excluded
Proposal
A customer reported that when a new project was created in a group with an enforced Scan Result Policy, MR approvals were required. This dev comment shows that this is by design and requires a pipeline to be run that shows there are no vulnerabilities. There should be a way for certain projects to be excluded, for example projects without CI jobs configured or projects that contain a wiki only. As a workaround, the customer is using a dummy CI job to run a pipeline, which in turn shows zero vulnerabilities, allowing MRs to no longer require approvals.
The ability to exclude certain projects or groups from a security policy should be a feature in GitLab.
Duplicate
Closing as a duplicate of &5510 (closed).
Edited by Grant Hickman