Compliance controls scan-based status

Duo Developerrequested to merge
workloads/e8c490fa9de into master

What does this MR do and why?

This MR updates compliance controls to show success/failure based on scan completion rather than overall pipeline status. This improves the accuracy of compliance reporting by recognizing when security scans complete successfully even if other pipeline jobs fail.

The changes include:

  • Scan-based Status: Compliance controls now check if security scans completed and produced artifacts, regardless of pipeline status
  • Support for Failed Pipelines: Controls show success when scans complete in failed or cancelled pipelines
  • Improved Accuracy: Better reflects actual security scanning compliance vs. overall pipeline health

References

Relates to #579849

Screenshots / recordings

Screenshots to be added showing compliance status with failed pipeline but successful scans

How to set up and validate locally

  1. Create a project with compliance framework:

    • Create or use an existing project
    • Apply a compliance framework with security scanning controls (e.g., "SAST running", "Dependency scanning running")

  2. Set up a pipeline that will fail:

    • Add a security scan job (SAST, DAST, dependency scanning, etc.)
    • Add another job that will intentionally fail (e.g., a test job with exit 1)
    • Ensure the security scan job completes successfully before the failing job

  3. Run the pipeline:

    • Push a commit to trigger the pipeline
    • Verify the security scan job completes successfully and produces artifacts
    • Verify the pipeline overall status is "failed" due to the other job

  4. Check compliance status:

    • Navigate to group → SecureCompliance centerStatus
    • Verify the security scanning control shows as PASSED (not failed)
    • Confirm the control recognizes the scan completed despite pipeline failure

  5. Test with cancelled pipeline:

    • Trigger a pipeline and cancel it after the security scan completes
    • Verify the compliance control still shows as PASSED

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Nate Rosandich

Merge request reports