Select Runner tags for DAST on demand site profile validation

Summary

Steps to reproduce

  • Create a project
  • Create a runner for the project: leave the Run untagged jobs checkbox unchecked (default)
  • Go to Secure > On demand Scans > New
  • Create a new Site Profile, with any name and any Target URL
  • Save

This will trigger a new Validation pipeline to validate the Site Profile. This job does not have any tag. So no runner can pick it up.

This fails the validation and prevent running the On-Demand Scan with the message "You cannot run an active scan against an unvalidated site."

Example Project

What is the current bug behavior?

  • Screenshot_2025-07-11_at_17.14.46
  • image

What is the expected correct behavior?

  • Screenshot_2025-07-11_at_17.18.17
  • image

Output of checks

Possible fixes

Allow setting tags for runners on the validation job.

Patch release information for backports

If the bug fix needs to be backported in a patch release to a version under the maintenance policy, please follow the steps on the patch release runbook for GitLab engineers.

Refer to the internal "Release Information" dashboard for information about the next patch release, including the targeted versions, expected release date, and current status.

High-severity bug remediation

To remediate high-severity issues requiring an internal release for single-tenant SaaS instances, refer to the internal release process for engineers.

Edited by 🤖 GitLab Bot 🤖