The variables in the CI config file can also be overridden
From the thread here with @r_williams
#393960 (comment 1437362050)
I seem to be able to overwrite explicitly defined variables from a compliance pipeline job using a projects CI/CD variables set in project settings or at time of triggering, even with the project configuration included as the first include, or not including at all. I have a compliance pipeline with the job
variable from compliance job: stage: pre-compliance variables: FOO: compliance script: echo ${FOO} rules: - when: always
and the framework is applied to a project with the CICD Variable from the project settings set to
project
and the job will outputproject
further testing seems feels like this is around variable precedence. Group level variables also overwrite the compliance pipeline.
This would mean that compliance pipeline jobs can only be non-variable driven for key aspects, such as SAST with the
SAST_EXCLUDED_PATHS
variable virtually bypassed in the compliance framework adhering project.