
The variables in the CI config file can also be overridden

From the thread here with @r_williams #393960 (comment 1437362050)

I seem to be able to overwrite explicitly defined variables from a compliance pipeline job using a project's CI/CD variables set in project settings or at the time of triggering, even with the project configuration included as the first include, or not including it at all. I have a compliance pipeline with the job

variable from compliance job:
  stage: pre-compliance
  variables:
    FOO: compliance
  script: echo ${FOO}
  rules:
    - when: always

and the framework is applied to a project with the CI/CD variable from the project settings set to "project", and the job will output "project".

Further testing feels like this is around variable precedence. Group-level variables also overwrite the compliance pipeline.

This would mean that compliance pipeline jobs can only be non-variable driven for key aspects, such as SAST with the SAST_EXCLUDED_PATHS variable virtually bypassed in the compliance framework adhering project.
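An added example, not part of the original issue or of GitLab's own configuration: the reported job next to two non-variable-driven variants, relying on GitLab's documented precedence in which project and group CI/CD variables rank above job-level `variables:` in YAML. The job names with "(pinned)" and "(guarded)" and the error message are constructed for illustration, and the fragment assumes the `pre-compliance` stage is declared elsewhere in the compliance configuration.

```yaml
# As reported: FOO comes from the job's variables: block, so a project,
# group or trigger-time variable named FOO takes precedence over it.
variable from compliance job:
  stage: pre-compliance
  variables:
    FOO: compliance
  script: echo ${FOO}
  rules:
    - when: always

# Pinned: the value is assigned inside the script. The shell assignment runs
# after the runner has injected all CI/CD variables, so it replaces whatever
# value a higher-precedence variable supplied for FOO.
variable from compliance job (pinned):
  stage: pre-compliance
  script:
    - FOO="compliance"
    - echo "${FOO}"
  rules:
    - when: always

# Guarded: keep the variables: block, but fail the job when the value that
# reaches the script differs from the one the compliance pipeline expects.
variable from compliance job (guarded):
  stage: pre-compliance
  variables:
    FOO: compliance
  script:
    - |
      if [ "${FOO}" != "compliance" ]; then
        echo "FOO was overridden by a higher-precedence variable" >&2
        exit 1
      fi
    - echo "${FOO}"
  rules:
    - when: always
```

The pinned form only works for values the job's own script consumes; the guarded form turns a silent override into a failed compliance job.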