Abort pipeline when the security scan jobs find new vulnerabilities
Proposal
The customer is requesting a feature that pauses the pipeline and prevents subsequent jobs from running if a security scan (SAST, secret detection, etc.) detects a new vulnerability. Such a pipeline should be able to run the subsequent jobs only after some form of approval.
The purpose of this request is to prevent vulnerable resources from being deployed. Typically, such use cases are covered by merge request approval policies, but this customer does not use merge requests, for the following reasons.
Our current working in our organisation consists of a number of projects which compose various branches. Upon doing CD from any pipeline, the pipeline is being triggered by a user through any random branch inside the project, so here we are not using the merge request feature provided by GitLab.
This is a unique use case. On the other hand, it appears to be a common requirement that "when a new vulnerability is detected, the first priority is to confirm the vulnerability, so any further job execution should be suppressed".
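The gate described above (block the pipeline on a new finding, continue only after a human decision) can be approximated today with an ordinary CI job that diffs the scanner report against a baseline and fails when something unknown appears. The following is an added example written for this issue, not GitLab's own implementation or a maintainer's proposal. It assumes a report in the shape of `gl-sast-report.json` (the `vulnerabilities` array with `name`, `severity`, `identifiers` and `location` fields); the sample report, the baseline set and the fingerprint scheme are constructed for illustration, and the severity ranking is this example's own choice.

```python
import json
import sys
from typing import List, Set

# Severity order used by this example to decide what is worth blocking on.
# GitLab scanners emit these levels; the ranking itself is an assumption here.
SEVERITY_RANK = {"Info": 0, "Unknown": 1, "Low": 2, "Medium": 3, "High": 4, "Critical": 5}

# Constructed sample in the shape of a GitLab SAST report; only the fields this
# example reads are present.
SAMPLE_REPORT = json.dumps({
    "version": "15.0.0",
    "vulnerabilities": [
        {"id": "a1", "name": "SQL injection", "severity": "High",
         "identifiers": [{"type": "cwe", "name": "CWE-89", "value": "89"}],
         "location": {"file": "app/db.py", "start_line": 42}},
        {"id": "b2", "name": "Hardcoded secret", "severity": "Critical",
         "identifiers": [{"type": "rule_id", "name": "Generic API Key", "value": "generic-api-key"}],
         "location": {"file": "config/settings.py", "start_line": 7}},
        {"id": "c3", "name": "Weak hash", "severity": "Low",
         "identifiers": [{"type": "cwe", "name": "CWE-328", "value": "328"}],
         "location": {"file": "app/auth.py", "start_line": 88}},
    ],
})

# Constructed baseline: fingerprints of findings already triaged on the default
# branch (in a real pipeline this would be a committed file or a fetched artifact).
BASELINE: Set[str] = {"cwe:89|app/db.py|SQL injection"}


def fingerprint(vuln: dict) -> str:
    """Stable key for a finding: first identifier, file and rule name.

    The line number is deliberately left out so that unrelated edits that
    shift code around do not make an old finding look like a new one.
    """
    first = (vuln.get("identifiers") or [{}])[0]
    location = vuln.get("location") or {}
    return "{}:{}|{}|{}".format(
        first.get("type", "?"), first.get("value", "?"),
        location.get("file", "?"), vuln.get("name", "?"),
    )


def new_findings(report_json: str, baseline: Set[str], min_severity: str = "Medium") -> List[dict]:
    """Return findings at or above min_severity whose fingerprint is not in the baseline."""
    threshold = SEVERITY_RANK[min_severity]
    report = json.loads(report_json)
    result = []
    for vuln in report.get("vulnerabilities", []):
        rank = SEVERITY_RANK.get(vuln.get("severity", "Unknown"), SEVERITY_RANK["Unknown"])
        if rank >= threshold and fingerprint(vuln) not in baseline:
            result.append(vuln)
    return result


def gate_decision(report_json: str, baseline: Set[str], min_severity: str = "Medium") -> str:
    """'block' if the report contains new findings above the threshold, else 'proceed'."""
    return "block" if new_findings(report_json, baseline, min_severity) else "proceed"


if __name__ == "__main__":
    # Exit non-zero so the CI job fails and anything that `needs` it does not start.
    unknown = new_findings(SAMPLE_REPORT, BASELINE)
    for vuln in unknown:
        print(f"NEW {vuln['severity']}: {vuln['name']} at {vuln['location']['file']}")
    sys.exit(1 if unknown else 0)
```

In `.gitlab-ci.yml` this would run as a job after the scanner job, and the deploy job would declare `needs: [that-gate-job]` together with `when: manual`, so a failed gate stops the deploy and a passing gate still leaves the final step to a human click (this wiring is the author's suggestion, not a feature the page documents). Whoever confirms the finding adds its fingerprint to the baseline, which is the "approval" step the proposal asks for.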
This request relates to these discussions: