IaC control not showing
What does this MR do and why?
Fix IaC scanner detection to properly identify when Infrastructure as Code scanning is running. The IaC scanner produces SAST artifacts rather than dedicated IaC artifacts, so the detection logic now specifically looks for the kics-iac-sast job and checks if it has generated SAST artifacts. This ensures the compliance framework correctly reports when IaC scanning is enabled in a project.
How to set up and validate locally
- Create a project like this https://gitlab.com/gitlab-org/security-products/demos/analyzer-configurations/kics/iac-getting-started
- Create a compliance framework and add a Requirement with the control IaC scanning running
- Assign the framework to the project
- Wait 5 mins
- Go to the compliance status report and view the passing or failing status
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Related to #565653 (closed)
Edited by Nate Rosandich
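
The detection rule described in this MR, as an added Ruby sketch that is not GitLab's implementation and not code from the MR. The `Job` struct, its `report_types` field, the constructed pipelines and the artifact-type-keyed "before" check are assumptions made for illustration; only the `kics-iac-sast` job name and the SAST artifact come from the description.

```ruby
# Hypothetical job record; field names are assumptions, not GitLab's schema.
Job = Struct.new(:name, :report_types, keyword_init: true)

IAC_JOB_NAME = 'kics-iac-sast' # job name given in the MR description

# Assumed "before" behaviour: look for a dedicated IaC artifact type.
# The IaC scanner only emits SAST artifacts, so this never matches.
def iac_detected_by_report_type?(jobs)
  jobs.any? { |job| job.report_types.include?('iac') }
end

# Rule from the MR description: the kics-iac-sast job must exist
# and must have generated a SAST artifact.
def iac_scanner_running?(jobs)
  jobs.any? do |job|
    job.name == IAC_JOB_NAME && job.report_types.include?('sast')
  end
end

# Maps the detection result to the compliance control status.
def control_status(jobs)
  iac_scanner_running?(jobs) ? :pass : :fail
end

# Constructed sample pipelines.
WITH_IAC = [
  Job.new(name: 'semgrep-sast', report_types: ['sast']),
  Job.new(name: 'kics-iac-sast', report_types: ['sast'])
].freeze

# A SAST artifact from another analyzer must not satisfy the IaC control.
SAST_ONLY = [
  Job.new(name: 'semgrep-sast', report_types: ['sast'])
].freeze

# The IaC job is present but produced no artifact (for example, it failed).
NO_ARTIFACT = [
  Job.new(name: 'kics-iac-sast', report_types: [])
].freeze

if __FILE__ == $PROGRAM_NAME
  { 'with IaC job' => WITH_IAC, 'SAST only' => SAST_ONLY,
    'IaC job, no artifact' => NO_ARTIFACT }.each do |label, jobs|
    puts "#{label}: old=#{iac_detected_by_report_type?(jobs)} control=#{control_status(jobs)}"
  end
end
```

Matching on the job name together with the artifact keeps a generic SAST report from marking the IaC control as passing, and keeps a `kics-iac-sast` job that produced nothing from doing so either.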