Fix scan execution policy variables overriding YAML variables
What does this MR do and why?
Fixes an issue where scan execution policy variables would incorrectly override variables defined in job YAML configuration, causing the first scheduled scan execution policy to run a regular scan instead of a historic scan.
Problem: When security policies inject variables like SECRET_DETECTION_HISTORIC_SCAN, they were unconditionally overriding the same variables that were correctly calculated during pipeline creation and stored in the job's YAML variables. This caused the first scheduled scan to set SECRET_DETECTION_HISTORIC_SCAN=false instead of true, violating the documented behavior that "for scheduled scan execution policies, secret detection by default runs first in historic mode."
Solution: This MR introduces a new inject_scan_execution_policy_variables method that checks if a variable already exists in the job's YAML variables before injecting policy variables. If a conflict is detected, the YAML variable is preserved and the policy variable is skipped. This ensures that values calculated during pipeline creation are not accidentally overwritten while still allowing policy variables to be added when they don't conflict.
Changelog: fixed EE: true
References
Closes #570139
How to set up and validate locally
- Create a scan execution policy with a scheduled secret detection scan:
scan_execution_policy: - name: Scheduled Secret Detection description: Should run historic scan on first execution enabled: true rules: - type: schedule branch_type: default cadence: 0 16 * * * - Trigger the first scheduled run
- Verify that
SECRET_DETECTION_HISTORIC_SCAN=truein the pipeline logs - Confirm that a historic scan is performed (git log-based scan, not directory scan)
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.