Provide ability to use the UI-based Scan Execution Policy builder to create a Container Scanning policy that only applies to Projects containing a Dockerfile


Problem to solve

Presently, when a Scan Execution Policy is created via the UI-based policy builder (Secure → Policies → New Policy → Scan Execution Policy), policies that enforce SAST or Dependency Scanning will auto-detect what languages or manifest/requirements files a Project contains, and subsequently only run the appropriate scanners (for example gemnasium will only run on Projects that have a Maven pom.xml file, and NodeJsScan will only analyze code if the Project contains JavaScript). Policies that enforce Container Scanning, however, will attempt to analyze all Projects within the specified scope.

Intended users

InfoSec / Application Security / DevSecOps personas who need visibility into what defects are present in Projects that build Docker images.

Further details

Some customers wish to only have Container Scanning run on Projects that contain a Dockerfile. This is possible today by using a pipeline execution policy action for Scan Execution Policies and leveraging the rules engine to define a Job that only executes Container Scanning when a Dockerfile is present.
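The following CI fragment illustrates the workaround described above; it is an added example, not configuration taken from the issue or from GitLab's own templates. It assumes the stock `Jobs/Container-Scanning.gitlab-ci.yml` template (whose job is named `container_scanning`) and that the project publishes its image to the GitLab registry under the commit SHA; both are assumptions.

```yaml
# Added example (not from the original issue). Assumes the standard
# Container-Scanning template and its `container_scanning` job name.
include:
  - template: Jobs/Container-Scanning.gitlab-ci.yml

container_scanning:
  # Overriding `rules` replaces the template's own rules, so the job is
  # only created when the repository actually carries a Dockerfile,
  # either at the root or in any subdirectory. Projects without one get
  # no container_scanning job at all, mirroring how SAST and Dependency
  # Scanning skip analyzers whose inputs are absent.
  rules:
    - if: $CONTAINER_SCANNING_DISABLED == "true"
      when: never
    - exists:
        - Dockerfile
        - "**/Dockerfile"
  variables:
    # Assumed image location; adjust to where the project's build job
    # pushes its image so the scanner analyzes the freshly built artifact.
    CS_IMAGE: $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
```

Note that `exists` only checks the repository tree at pipeline creation time; it does not confirm that an image was actually built, so the job still needs the build stage to have pushed `CS_IMAGE` before it runs.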

However, some security teams who configure policies via the UI would prefer to have an option in the policy builder (i.e. the dropdown combo boxes) which will allow them to specify that Container Scanning only executes on Projects where a Dockerfile exists.

Proposal

It would be beneficial to expose an option in the UI-based policy builder which indicates that Container Scanning should only run on a Project if a Dockerfile exists. This would make the behavior of Container Scanning consistent with the behavior of SAST and Dependency Scanning, and thereby make it simpler for security teams to configure Container Scanning policies as well as understand their expected behavior.
