Allow filtering scan execution policies based on pipeline source type

Release notes

Scan execution policies now accept an optional setting that restricts enforcement to pipelines whose CI_PIPELINE_SOURCE matches one or more listed values. For example, an administrator may want to disregard schedule source pipelines but always enforce execution on push source pipelines.

Problem to solve

This might be considered an addition to this epic, where new patterns for policy settings are being explored. A large SaaS customer recently expressed interest in this ticket: they want the ability to control when a scan execution policy runs, specifically based on the CI_PIPELINE_SOURCE value.

Intended users

Personas are described at https://handbook.gitlab.com/handbook/product/personas/

Proposal

Provide an ability for scan execution policies to read the source of the triggering pipeline and proceed only if that source matches a configured list.

A UI component can be presented in the create/edit page for a scan execution policy that includes all common source types:

  • push
  • web
  • schedule
  • api
  • external
  • chat
  • webide
  • merge_request_event
  • external_pull_request_event
  • parent_pipeline
  • trigger
  • pipeline
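As an added illustration of the decision described in the proposal (not GitLab's own code, and not the policy schema it eventually shipped), the function below treats the source list as an optional allowlist: a policy without a list keeps today's behaviour and is enforced on every pipeline, a policy with a list is enforced only for matching sources, and a list naming a source outside the common types above is rejected so that a typo cannot silently switch enforcement off. The function names and the environment-variable wrapper are assumptions for this example.

```python
import os
from typing import Iterable, Optional

# Common CI_PIPELINE_SOURCE values, taken from the list in the proposal.
KNOWN_SOURCES = frozenset({
    "push", "web", "schedule", "api", "external", "chat", "webide",
    "merge_request_event", "external_pull_request_event",
    "parent_pipeline", "trigger", "pipeline",
})


def validate_sources(sources: Iterable[str]) -> frozenset:
    """Return the configured sources as a set, rejecting unknown names.

    A misspelling such as "scheduled" would otherwise never match any
    pipeline, quietly disabling the policy for the source the author meant.
    """
    selected = frozenset(sources)
    unknown = selected - KNOWN_SOURCES
    if unknown:
        raise ValueError(f"unknown pipeline source(s): {sorted(unknown)}")
    return selected


def should_enforce(policy_sources: Optional[Iterable[str]],
                   pipeline_source: Optional[str]) -> bool:
    """Decide whether a scan execution policy applies to this pipeline.

    policy_sources is the optional filter from the policy (hypothetical
    field name). None means "no filter": enforce on every pipeline.
    A pipeline whose source is missing or not in the list does not match.
    """
    if policy_sources is None:
        return True
    return pipeline_source in validate_sources(policy_sources)


def enforce_for_current_job(policy_sources: Optional[Iterable[str]]) -> bool:
    """Read CI_PIPELINE_SOURCE from the job environment, as a CI job sees it."""
    return should_enforce(policy_sources, os.environ.get("CI_PIPELINE_SOURCE"))


if __name__ == "__main__":
    # The release-note scenario: enforce on push, disregard schedule.
    policy = ["push"]
    for source in ("push", "schedule"):
        print(f"{source}: enforce={should_enforce(policy, source)}")
```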

Available Tier

  • Ultimate/Gold