Scheduled security scans are skipped if the previous pipeline was skipped

Summary

When a scheduled security scan is triggered by a security scan policy and the preceding pipeline on that branch was skipped, the security scan does not run as intended: it is skipped as well. This behavior is unexpected and could lead to vulnerabilities being overlooked.

Steps to reproduce

  1. Create a security policy project containing a policy that schedules a security scan.
  2. Make a change in a project that the security policy applies to.
  3. Push the change to GitLab with the ci.skip push option: git push gitlab_origin HEAD:main -o ci.skip
  4. Notice that the pipeline for this push is skipped.
  5. Wait for the scheduled security scan to trigger according to the policy's cadence.
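One way to confirm whether the reproduction above actually hit the bug, or to watch for it in other projects, is to check the pipeline list rather than the UI. The script below is an added example, not code from this issue or from GitLab; it parses JSON in the shape returned by GitLab's GET /projects/:id/pipelines endpoint (fields id, status, source, ref, created_at), assumes that pipelines created by a scan execution policy carry the source value security_orchestration_policy, and reports every such pipeline that ended up skipped together with the preceding non-policy pipeline on the same ref. The sample pipeline list is constructed to mirror the steps above (a ci.skip push followed by a skipped scheduled scan).

```python
"""Flag scheduled policy-scan pipelines that were skipped.

Added example, not from the issue or from GitLab. Input is a list of pipeline
objects shaped like the GitLab API response for GET /projects/:id/pipelines.
Assumption: policy-created pipelines have source == "security_orchestration_policy".
"""
import json
from datetime import datetime

# Assumed source value GitLab assigns to pipelines created by a scan execution policy.
POLICY_SOURCE = "security_orchestration_policy"

# Constructed sample (not real project data), mirroring the reproduction steps:
# 101 normal push, 102 push with -o ci.skip, 103 scheduled scan that was skipped,
# 104 scheduled scan on another ref that ran normally.
SAMPLE_PIPELINES_JSON = json.dumps([
    {"id": 101, "status": "success", "source": "push", "ref": "main",
     "created_at": "2023-08-17T07:00:00.000Z"},
    {"id": 102, "status": "skipped", "source": "push", "ref": "main",
     "created_at": "2023-08-17T08:00:00.000Z"},
    {"id": 103, "status": "skipped", "source": POLICY_SOURCE, "ref": "main",
     "created_at": "2023-08-17T08:15:00.000Z"},
    {"id": 104, "status": "success", "source": POLICY_SOURCE, "ref": "develop",
     "created_at": "2023-08-17T08:15:00.000Z"},
])


def parse_ts(value):
    """Parse the API's ISO-8601 timestamp (trailing Z) into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_skipped_policy_scans(pipelines):
    """Return one finding per skipped policy pipeline.

    Each finding records the policy pipeline id, its ref, and the id and status
    of the most recent earlier non-policy pipeline on the same ref, so a reader
    can see whether the skipped scan followed a skipped push (the bug signature).
    """
    findings = []
    ordered = sorted(pipelines, key=lambda p: parse_ts(p["created_at"]))
    for i, pipeline in enumerate(ordered):
        if pipeline["source"] != POLICY_SOURCE or pipeline["status"] != "skipped":
            continue
        preceding = None
        for earlier in reversed(ordered[:i]):
            if earlier["ref"] == pipeline["ref"] and earlier["source"] != POLICY_SOURCE:
                preceding = earlier
                break
        findings.append({
            "policy_pipeline": pipeline["id"],
            "ref": pipeline["ref"],
            "preceding_pipeline": preceding["id"] if preceding else None,
            "preceding_status": preceding["status"] if preceding else None,
        })
    return findings


def run_sample():
    """Run the check over the constructed sample list."""
    return find_skipped_policy_scans(json.loads(SAMPLE_PIPELINES_JSON))


if __name__ == "__main__":
    for finding in run_sample():
        print("skipped policy scan pipeline %s on %s; preceding pipeline %s was %s"
              % (finding["policy_pipeline"], finding["ref"],
                 finding["preceding_pipeline"], finding["preceding_status"]))
```

To use it against a real project, fetch the pipeline list (for example GET /projects/:id/pipelines?ref=main&per_page=100 with a PRIVATE-TOKEN header) and pass the decoded JSON list to find_skipped_policy_scans; any finding whose preceding_status is "skipped" matches the behavior described in this issue.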

What is the current bug behavior?

The security scan is skipped if the preceding pipeline was skipped.

What is the expected correct behavior?

The scheduled security scan should run regardless of the status of the preceding pipeline on the branch.

Relevant logs and/or screenshots

From top to bottom:

  1. Skipped security job
  2. Tagged job (might also be skipped due to the same issue?)
  3. Push with -o ci.skip flag
  4. Regular pipeline run

Screenshot 2023-08-17 at 10.15.26.png

Output of checks

Possible fixes

Edited by Jonathan Jeding