Scan Execution Policy - prevent skip_ci does not work with scheduled scans.

Summary

In a Scan execution policy, it is possible to prevent users from using [skip_ci] to bypass security scans. It is also possible to set up scheduled scans that will be run daily or weekly.

However, when combining these, the skip_ci setting of false is not applied.

Steps to reproduce

1. Set up a Scan Execution Policy similar to the one below:
Policy yaml
scan_execution_policy:
  - name: Daily Scan
    description: ''
    enabled: true
    policy_scope:
      projects:
        excluding: []
    skip_ci:
      allowed: false
    rules:
      - type: schedule
        cadence: 0 0 * * *
        branch_type: protected
        timezone: Etc/UTC
    actions:
      - scan: secret_detection

2. In a test project, create a commit with a commit message that ends with [skip_ci].
3. Apply the daily scan security policy to the test project.
4. Check in on it the next day.

[Screenshot: allow_skip_ci_false_not_applied_to_scheduled_scans]

Notice that none of the scans ran for any of the branches. The behaviour works as expected if the SEP is set to triggered instead of scheduled.

Example Project

What is the current bug behavior?

Users are able to bypass the security scans using [skip_ci] if the security scans are scheduled. This is not true if the security scans are triggered.

What is the expected correct behavior?

The [skip_ci] setting should apply to scheduled scans as it works for triggered scans.

Relevant logs and/or screenshots

Policy set to triggered

[Screenshot: allow_skip_ci_false_is_applied_to_triggered_scans]

Policy set to 'scheduled'

[Screenshot: allow_skip_ci_false_not_applied_to_scheduled_scans]

Output of checks

Possible fixes
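
An audit for the combination this issue describes, as an added example that is not part of the original report or GitLab's own code: it lists enabled policies that set skip_ci allowed: false but rely on a schedule rule, and flags branches whose head commit carries a skip marker. The second policy, the branch data, and the function names are constructed for illustration, and `type: pipeline` is assumed to be what the report calls a triggered policy.

```ruby
require "yaml"

# Constructed sample: the issue's scheduled policy plus a pipeline-triggered one.
# `type: pipeline` is assumed to be what the issue calls a "triggered" policy.
POLICY_YAML = <<~YAML
  scan_execution_policy:
    - name: Daily Scan
      enabled: true
      skip_ci:
        allowed: false
      rules:
        - type: schedule
          cadence: 0 0 * * *
          branch_type: protected
      actions:
        - scan: secret_detection
    - name: Pipeline Scan
      enabled: true
      skip_ci:
        allowed: false
      rules:
        - type: pipeline
          branch_type: protected
      actions:
        - scan: secret_detection
YAML

# Constructed branch => head commit message pairs (hypothetical data).
HEADS = { "main" => "Bump deps [skip_ci]", "release" => "Fix login redirect" }
# The issue writes the marker as [skip_ci]; GitLab documents [skip ci] and [ci skip].
SKIP_MARKER = /\[(skip[ _]ci|ci skip)\]/i

# Enabled policies that forbid skipping yet rely on a schedule rule, the
# combination for which the issue reports the setting is not applied.
def unenforced_skip_ci_policies(doc)
  Array(doc["scan_execution_policy"]).select do |pol|
    pol["enabled"] && pol.dig("skip_ci", "allowed") == false &&
      Array(pol["rules"]).any? { |rule| rule["type"] == "schedule" }
  end.map { |pol| pol["name"] }
end

# Branches whose head commit carries a skip marker, so a scheduled scan may not run.
def branches_with_skip_marker(heads)
  heads.select { |_branch, message| message.match?(SKIP_MARKER) }.keys
end

policies = unenforced_skip_ci_policies(YAML.safe_load(POLICY_YAML))
puts "Policies to verify: #{policies.join(', ')}"
puts "Branches to check:  #{branches_with_skip_marker(HEADS).join(', ')}"
```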