Not require pipelines to complete as part of the scan result policy
Proposal
This proposal is to stop requiring pipelines to complete as part of the scan result policy. Today an incomplete pipeline is reported as requiring security approval, which causes a lot of confusion and makes teams hesitant to adopt the policy.
Customer feedback from an Ultimate Self-Managed customer:
Based on my testing and what our engineers are seeing, it looks like the core problem is that it takes up to five minutes for GitLab to update the need for approval for the policy, and often it never updates until the page is refreshed, even after several minutes.
This isn't great, ofc, but could be managed more easily if GitLab didn't require pipelines to complete or else trigger Security approval. Because of GitLab's decision to enforce any policy when the pipeline isn't successful, even if there are no vulnerabilities found, every single MR starts out saying that it needs security approval because, obviously, an MR doesn't start out with a completed pipeline.
So, due to these two things, we are getting a lot of noise about needing to approve something that isn't actually violating the policy, simply because it just takes too long for GitLab to update the approval rule after the pipeline completes. To the dev it looks like they have 0 new vulns, a successful pipeline, with everything else up-to-date, but they still need Security approval. This is causing lots of confusion and making teams hesitant to adopt the policy.
TL;DR - We'd like to not require pipelines to complete as part of the scan result policy, but GitLab doesn't allow for that right now. Ideally we'd only require that the security-related scans complete.
I understand why it would need the security scans to complete, but right now our policy is looking for vulns detected by secret detection and SAST, both of which are done statically on the code committed, so I don't think it should always require the pipeline to complete.
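For readers unfamiliar with the configuration being discussed, below is an added example (not taken from the issue or the customer) of a scan result policy of the kind described above: it asks for approval only when SAST or secret detection report new critical or high findings. The field names follow GitLab's scan result policy YAML schema; the policy name, branch and approver user name are placeholders.

```yaml
# Added example, not from the issue: a scan result policy that requires
# approval only for newly detected SAST / secret detection findings.
# The policy name, branch and approver are placeholder values.
scan_result_policy:
  - name: Require security approval for new SAST and secret detection findings
    description: Block merge when a scan introduces new critical or high findings
    enabled: true
    rules:
      - type: scan_finding
        branches:
          - main
        scanners:
          - sast
          - secret_detection
        vulnerabilities_allowed: 0
        severity_levels:
          - critical
          - high
        vulnerability_states:
          - newly_detected
    actions:
      - type: require_approval
        approvals_required: 1
        user_approvers:
          - security-approver-placeholder
```

With the behaviour the issue describes, an MR governed by this policy is shown as needing security approval from the moment it is opened, because the approval rule is evaluated against a pipeline that has not yet completed; the rule is only cleared once the pipeline finishes and the page reflects the update, even when SAST and secret detection themselves report no new findings.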
Requesting customers: