Security policy scan execution fails with "jobs config should contain at least one visible job" for new projects without .gitlab-ci.yml and security scanning options enabled

Problem

When creating a new blank project with security scanning options enabled (SAST and/or Secret Detection), the pipeline fails immediately with the error:

Unable to run pipeline

jobs config should contain at least one visible job

This occurs even though a group-level security policy is configured to inject scanning jobs into the pipeline for projects without a .gitlab-ci.yml file.

Expected Behavior

According to GitLab documentation, when a project does not contain a .gitlab-ci.yml file, scanning jobs should be injected into the pipeline by the security policy. The pipeline should execute successfully without errors.

Actual Behavior

The pipeline fails with the error "jobs config should contain at least one visible job", and users receive failure notification emails.

Reproduction Steps

  1. Set up a security scan execution policy at the top-level group level with the following configuration:
    • Scan type: SAST, Secrets Detection, Dependency Scanning
    • Branch type: all
    • Policy scope: all projects
    • Enabled: true

Example YAML:

---
scan_execution_policy:
- name: 'SECPOL: scan all branches for vulnerabilities '
  description: |-
    SAST
    SAST IaC
    Dependency Scanning
    Secret Detection
  enabled: true
  policy_scope:
    projects:
      excluding: []
  rules:
  - type: pipeline
    branch_type: all
  actions:
  - scan: sast
  - scan: dependency_scanning
  - scan: sast_iac
  - scan: secret_detection
  skip_ci:
    allowed: true
    allowlist:
      users: []
  2. Create a new blank project in the group
  3. During project creation, enable "Static Application Security Testing (SAST)" and/or "Enable Secret Detection" checkboxes
  4. After project creation, navigate to the CI/CD pipeline page

Expected Result

Pipeline should execute successfully with injected security scanning jobs

Actual Result

Pipeline shows as failed with error: "jobs config should contain at least one visible job"

Environment

  • GitLab.com (SaaS)
  • Reproduced on latest version

Additional Context

The issue appears to be a conflict between:

  1. The project creation checkboxes for enabling SAST/Secret Detection
  2. The group-level security policy that should inject scanning jobs

This collision breaks the project's CI/CD configuration and causes the pipeline to fail.

Edited Feb 03, 2026 by Daniel Diniz