Override [ci skip] for scan execution policies
Problem to solve
Similar to the improvements we made in pipeline execution policies to override [ci skip] behavior, scan execution policies should do the same. Today a commit carrying [ci skip] bypasses the scans the policy is meant to enforce, so aligning the two policy types supports our goals for ensuring security and compliance.
Proposal
- Similar to the improvements we made in pipeline execution policies to override [ci skip] behavior, we should align scan execution policies to do the same.
- As we have to avoid introducing a breaking change, based on !174191 (comment 2233601465), we should make this configurable (disabled by default) and align the approach with the configuration we're adding for pipeline execution policies: Allow users to configure skip ci behavior for p... (!173480 - merged)
Steps to reproduce
- Create a new project (ensure that Auto DevOps is disabled)
- Add a scan execution policy (Secure -> Policies -> Add new)
- Merge the MR with the updated policy
- Commit to the project with [skip ci] in the commit body; CI will not execute for that commit, so the policy's scan does not run
Verification steps
Repeat the steps above with each policy below. With `skip_ci.allowed: false` the secret detection scan should run even though the commit carries [skip ci]; with the allowlist, only the listed user should still be able to skip it.
Example policy YAML:
```yaml
scan_execution_policy:
  - name: Secrets
    description: ''
    enabled: true
    rules:
      - type: pipeline
        branch_type: all
    actions:
      - scan: secret_detection
    skip_ci:
      allowed: false
```
Example policy YAML with allowlist:
```yaml
scan_execution_policy:
  - name: Secrets
    description: ''
    enabled: true
    rules:
      - type: pipeline
        branch_type: all
    actions:
      - scan: secret_detection
    skip_ci:
      allowed: false
      allowlist:
        users:
          - id: 13904527
```
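To make the proposed `skip_ci` semantics concrete for reviewers, the following is an added reference model written for this issue; it is not GitLab's implementation. It assumes that a policy without a `skip_ci` key, or with `allowed: true`, honours the marker (the "disabled by default" behaviour from the proposal), that `allowed: false` forces the scan jobs unless the commit author's id is listed under `skip_ci.allowlist.users`, and that a marker is `[skip ci]` or `[ci skip]` anywhere in the message, case-insensitively. Branch rules and the `ci.skip` push option are not modelled. The three sample policies are constructed inline and mirror the YAML above in parsed form.

```python
import re

# [ci skip] / [skip ci] anywhere in the commit message, case-insensitive.
SKIP_CI_MARKER = re.compile(r"\[(?:skip ci|ci skip)\]", re.IGNORECASE)

# Constructed sample policies (parsed form of the YAML in this issue).
POLICY_DEFAULT = {  # no skip_ci key: marker is honoured
    "name": "Secrets",
    "enabled": True,
    "rules": [{"type": "pipeline", "branch_type": "all"}],
    "actions": [{"scan": "secret_detection"}],
}
POLICY_ENFORCED = {**POLICY_DEFAULT, "skip_ci": {"allowed": False}}
POLICY_ALLOWLIST = {
    **POLICY_DEFAULT,
    "skip_ci": {"allowed": False, "allowlist": {"users": [{"id": 13904527}]}},
}


def commit_requests_skip(message: str) -> bool:
    """True if the commit message carries a [skip ci] / [ci skip] marker."""
    return SKIP_CI_MARKER.search(message) is not None


def policy_jobs_run(policy: dict, commit_message: str, author_id: int) -> bool:
    """Decide whether this policy's scan jobs must run for a commit.

    Assumed model, not GitLab's code:
      * a disabled policy never schedules jobs;
      * without a skip marker the jobs always run;
      * skip_ci absent or allowed: true honours the marker;
      * allowed: false forces the jobs unless author_id is allowlisted.
    """
    if not policy.get("enabled", True):
        return False
    if not commit_requests_skip(commit_message):
        return True
    skip_ci = policy.get("skip_ci") or {}
    if skip_ci.get("allowed", True):  # assumption: default honours [skip ci]
        return False
    allowlist = skip_ci.get("allowlist") or {}
    exempt_ids = {user["id"] for user in allowlist.get("users", [])}
    return author_id not in exempt_ids


def scans_required(policies: list, commit_message: str, author_id: int) -> set:
    """Collect the scan types that must still run across several policies."""
    required = set()
    for policy in policies:
        if policy_jobs_run(policy, commit_message, author_id):
            required.update(a["scan"] for a in policy.get("actions", []))
    return required


if __name__ == "__main__":
    msg = "Bump dependency [skip ci]"
    for label, pol in [("default", POLICY_DEFAULT),
                       ("enforced", POLICY_ENFORCED),
                       ("allowlist", POLICY_ALLOWLIST)]:
        print(label,
              "author 42 runs scan:", policy_jobs_run(pol, msg, 42),
              "| author 13904527 runs scan:", policy_jobs_run(pol, msg, 13904527))
```

The useful property to check during review is the last case: with the allowlist policy, the exempt user can still skip while everyone else cannot, and a policy with no `skip_ci` block behaves exactly as it does today.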
Edited by Martin Čavoj