Show security reports from a child pipeline in a MR
Problem to Solve
Feedback from customers who want to enforce security/compliance around security scans is that using child pipelines allows for flexibility and helps to avoid disruption. However, the workflow does not work end to end: the artifacts generated by the security scans, which are used for vulnerability reporting and for security policy evaluation (MR approval policies), cannot be read by the parent pipeline.
This would give customers an additional path, and likely a better method, for "sandboxing" security scans or other compliance jobs.
Managing other jobs in a child pipeline (or a triggered pipeline, which is understood to be outside the scope here) could also allow control over which users in that project have access, for example limiting access to any variables enabled or used there. So this could be further secured.
Proposal
Support the following Security and Compliance reports from dynamically generated child pipelines being shown in the MR, listed in order of priority:
- artifacts:reports:sast
- artifacts:reports:secret_detection
- artifacts:reports:dependency_scanning (potentially covers artifacts:reports:cyclonedx, but needs further investigation)
- artifacts:reports:container_scanning
- artifacts:reports:dast
- artifacts:reports:api_fuzzing
- artifacts:reports:coverage_fuzzing
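As an added illustration (not configuration from the issue or from GitLab's own templates), the parent/child layout below shows where the report artifact ends up in the dynamically generated case: the `sast` job and its `artifacts:reports:sast` declaration live only in the generated child, so today the parent pipeline and the MR have nothing to surface. Job names, stage names, the `run-sast.sh` script and the report file name are assumptions.

```yaml
# Parent .gitlab-ci.yml (added example; job and file names are assumptions)
stages: [prepare, scan]

generate-child-config:
  stage: prepare
  script:
    # Emit the child pipeline definition at runtime: the "dynamically generated" case.
    - |
      cat > child-pipeline.yml <<'EOF'
      sast:
        stage: test
        script:
          # Placeholder scanner wrapper; it must write gl-sast-report.json.
          - ./run-sast.sh
        artifacts:
          reports:
            # Declared in the CHILD, so only the child pipeline owns this report.
            sast: gl-sast-report.json
      EOF
  artifacts:
    paths:
      - child-pipeline.yml

run-security-child:
  stage: scan
  trigger:
    include:
      - artifact: child-pipeline.yml
        job: generate-child-config
    # Make the parent wait for the child so its status is reflected in the parent;
    # waiting does not propagate the child's artifacts:reports:* to the parent or the MR.
    strategy: depend
```

Moving the `sast` job into the parent would make the MR see the report, but that gives up the separation the issue wants to preserve.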
Supports
- Reports generated by child pipelines (same project), including dynamically generated child pipelines
- Reports generated by Pipeline Execution Policies
Limitations
Reports created as part of Scan Execution Policies will not be supported