Container Scanning does not ingest dotenv
Container Scanning uses the CS_IMAGE variable to set the image to be scanned. This works well when you know the image name in advance or can hard code the variable.
Problem
If I am building an image via a template and the name for that image could vary based on project, I have to set dotenv to get the variable for the image name out to other jobs. For container scanning, the Container-Scanning.gitlab-ci.yml has dependencies: []. Because dotenv is classified as an artifact and not a true environment variable, the container scanning job will never see that variable.
Example
Job that is extended by every team needing to build a Docker container. Image name is passed in as a variable, generally derived from upstream job.
Container Scanning job still pulls default CS_IMAGE because it cannot consume the dotenv.
Proposed Solution
Remove the hardcoded dependencies: [] line. This can be set by anyone who wants to ingest the template. If it is set in the template, it can't be removed if included.
Implemented Solution
The implemented solution in Remove empty dependencies rule (!202525 - merged) removes dependencies: [] from the latest template. This makes it available to anyone who may want to use it without affecting the current template (updating the current template would be a breaking change).
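
The setup this issue describes, written out as an added example (not the reporter's pipeline and not GitLab's template code): a shared build job publishes the image name through a dotenv report, and the scan job receives it once the included template no longer sets dependencies: []. The job names, IMAGE_NAME, build.env and the exact path of the latest template are assumptions.

```yaml
# Added example. Job names, IMAGE_NAME and build.env are hypothetical.
include:
  # Assumed path of the "latest" template, which no longer sets `dependencies: []`.
  - template: Jobs/Container-Scanning.latest.gitlab-ci.yml

stages:
  - build
  - test

# Shared job that each team extends; only IMAGE_NAME differs per project.
.build_image:
  stage: build
  image: docker:latest
  services:
    - docker:dind
  script:
    - IMAGE="$CI_REGISTRY_IMAGE/$IMAGE_NAME:$CI_COMMIT_SHORT_SHA"
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
    - docker build -t "$IMAGE" .
    - docker push "$IMAGE"
    # Publish the computed name. A dotenv report is an artifact, so a later job
    # only receives CS_IMAGE if it is allowed to fetch this job's artifacts.
    - echo "CS_IMAGE=$IMAGE" >> build.env
  artifacts:
    reports:
      dotenv: build.env

build_api:
  extends: .build_image
  variables:
    IMAGE_NAME: api

# With `dependencies: []` in the template, container_scanning fetches no
# artifacts, never loads build.env and scans the default CS_IMAGE.
# Without that line it inherits dotenv variables from earlier stages.
# Optional narrowing: take artifacts from the build job only, so that no
# other job's dotenv report can change which image gets scanned.
container_scanning:
  dependencies:
    - build_api
```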

