Replace dependency_scanning job definition with a vendored template
Problem to solve
The job definition for ~"dependency scanning" is frozen: it can't be updated easily without creating breaking changes for projects that copied it into their own .gitlab-ci.yml.
Further details
Once https://gitlab.com/gitlab-org/gitlab-ce/issues/53445 lands, we'll be able to ship a template embedded in each version of GitLab. The template can then be updated from one version to the next without impacting our users.
Proposal
The new official job definition is a single inclusion instruction:

```yaml
include:
  template: Dependency-Scanning.gitlab-ci.yml
```

(see the discussion and final syntax)
What does success look like, and how can we measure that?
Links / references
Execution
- [ ] Add the Dependency-Scanning.gitlab-ci.yml with the contents from the example to the templates dir, under the Security subdir
- [ ] Update the CI template inclusion logic to search for files in ee/lib/gitlab/ci/templates/ in GitLab EE
- [ ] Add a check for the EE-licensed feature to the job definition
- [ ] Add the except section with a variable to disable the job
- [ ] Test in the development environment on a test project
- [ ] Update the ~Documentation for the Dependency Scanning CI configuration docs page, see https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/9875
- [ ] Update the security products release process (add a section to check that the vendored templates are up-to-date)
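To make the shape of the vendored template and its consumer concrete, here is an added, illustrative example (not the template GitLab ships, and not code from this issue). It shows the two pieces the execution steps describe: a job in the vendored template that is skipped when a disable variable is set, and a project .gitlab-ci.yml that replaces the old copy-pasted job with the single include. The job name, image, analyzer script and the variable name DEPENDENCY_SCANNING_DISABLED are assumptions made for the example.

```yaml
# --- Illustrative vendored template, e.g. ee/lib/gitlab/ci/templates/Security/Dependency-Scanning.gitlab-ci.yml ---
# Added example, NOT the template shipped with GitLab. Job name, image,
# script and the DEPENDENCY_SCANNING_DISABLED variable name are assumptions.
dependency_scanning:
  stage: test
  image: docker:stable
  variables:
    DOCKER_DRIVER: overlay2
  # A scanner crash must not break every pipeline on the instance by default;
  # projects that want findings to block merges override this (see below).
  allow_failure: true
  services:
    - docker:stable-dind
  script:
    # Assumed analyzer image; the shipped template runs the analyzer matching the GitLab release.
    - docker run --rm --volume "$PWD:/code" --volume /var/run/docker.sock:/var/run/docker.sock "registry.example.com/security-products/dependency-scanning:latest" /code
  artifacts:
    reports:
      dependency_scanning: gl-dependency-scanning-report.json
  # Kill switch: the job is skipped whenever this variable is set, at any level
  # (pipeline, project or group CI variables).
  except:
    variables:
      - $DEPENDENCY_SCANNING_DISABLED

# --- Project .gitlab-ci.yml: the only thing a project keeps in its own file ---
include:
  template: Dependency-Scanning.gitlab-ci.yml

# Optional override. Keys given here are merged over the included job of the
# same name, so a project can tighten the template without copying it. Here
# scanner failures block the pipeline instead of being reported as warnings.
dependency_scanning:
  allow_failure: false
```

Because the template is resolved by the GitLab instance when the pipeline is created, the job definition follows the instance version automatically, which is the point of the proposal. The check a practitioner will want on the consuming side: the disable variable can be set in project or group CI variable settings as well as in the file, so an audit of "is scanning actually running" has to look at those settings, not only at .gitlab-ci.yml.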
This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.