Spike: Make sure security policy compliance pipelines can not be overwritten
Time-box: 5 days
We are introducing an experimental feature that allows to run custom CI configurations as part of a security policy. In the MVC version, the CI configuration get's merged with the project CI configuration. Variables or jobs of the security policy configuration can be overwritten by the projects CI configuration.
The goal of this feature is to replace the compliance pipelines feature. To archive this, we have to make sure security policy CI configuration can not be overwritten so jobs are always run.
Variables defined in the custom ci_configuration should take the highest precedence.
Edited by Alan (Maciej) Paruszewski