Fix compliance framework controls to detect scans from scan execution policies

What does this MR do and why?

Fixes #582291 (closed) and #579849

This MR fixes a bug where compliance framework controls (e.g., "Dependency scanning running") incorrectly report as FAILED when security scans are executed via scan execution policies.

Root Cause

The compliance check uses the ci_pipelines association, which excludes security_orchestration_policy pipelines (classified as "dangling sources").

Solution

Introduces a latest_successful_pipeline_for_default_branch_including_security_policies method that uses the ci_and_security_orchestration_sources scope to include both regular CI pipelines and security orchestration policy pipelines.

How to validate

  1. Create a scan execution policy to run dependency scanning
  2. Create a compliance framework with "Dependency scanning running" control
  3. Apply framework to project and trigger pipeline
  4. Verify compliance status shows PASSED (previously showed FAILED)
Edited by Nate Rosandich
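The root cause and fix described above, as an added plain-Ruby illustration. This is not code from the MR, from GitLab, or from its author: the source names and the "dangling source" classification follow the MR description, while the Pipeline and Project structures, the job names, the constructed sample data and the control logic are assumptions made for the example. It shows the same project yielding FAILED when the control consults only the ci_pipelines association and PASSED when it consults a scope that also admits security_orchestration_policy pipelines.

```ruby
# Added illustration, not code from the MR or from GitLab: a plain-Ruby model of
# why a compliance control that only consults CI-sourced pipelines reports
# FAILED for scans started by a scan execution policy. Source names and the
# "dangling source" classification follow the MR description; the Pipeline and
# Project structures, job names and control logic are assumptions.

Pipeline = Struct.new(:id, :source, :ref, :status, :jobs, keyword_init: true)

# Pipeline sources that the MR description says the ci_pipelines association
# excludes ("dangling sources"). Assumed list for this example.
DANGLING_SOURCES = %w[security_orchestration_policy].freeze

# Sources covered by the ci_and_security_orchestration_sources scope in this
# model: ordinary CI sources plus the policy source. Assumed list.
CI_AND_SECURITY_ORCHESTRATION_SOURCES =
  %w[push web schedule security_orchestration_policy].freeze

class Project
  attr_reader :default_branch, :pipelines

  def initialize(default_branch:, pipelines:)
    @default_branch = default_branch
    @pipelines = pipelines
  end

  # Old behaviour: dangling-source pipelines are invisible to the check.
  def ci_pipelines
    pipelines.reject { |p| DANGLING_SOURCES.include?(p.source) }
  end

  # New scope: regular CI pipelines plus security orchestration policy pipelines.
  def ci_and_security_orchestration_sources
    pipelines.select { |p| CI_AND_SECURITY_ORCHESTRATION_SOURCES.include?(p.source) }
  end

  def latest_successful_pipeline_for_default_branch
    latest_successful(ci_pipelines)
  end

  def latest_successful_pipeline_for_default_branch_including_security_policies
    latest_successful(ci_and_security_orchestration_sources)
  end

  private

  # "Latest" = highest id among successful pipelines on the default branch.
  def latest_successful(candidates)
    candidates
      .select { |p| p.ref == default_branch && p.status == 'success' }
      .max_by(&:id)
  end
end

# The "Dependency scanning running" control, modelled as: PASSED when the
# pipeline under inspection ran a dependency_scanning job, FAILED otherwise
# (including when no qualifying pipeline exists at all).
def dependency_scanning_running?(pipeline)
  return :failed if pipeline.nil?

  pipeline.jobs.include?('dependency_scanning') ? :passed : :failed
end

def evaluate_control(project, include_security_policies:)
  pipeline =
    if include_security_policies
      project.latest_successful_pipeline_for_default_branch_including_security_policies
    else
      project.latest_successful_pipeline_for_default_branch
    end
  dependency_scanning_running?(pipeline)
end

# Constructed sample project: the project's own CI pipeline on main runs no
# scanners; a later pipeline created by a scan execution policy ran dependency
# scanning; a feature-branch pipeline is present to show the ref filter matters.
SAMPLE_PROJECT = Project.new(
  default_branch: 'main',
  pipelines: [
    Pipeline.new(id: 1, source: 'push', ref: 'main', status: 'success',
                 jobs: %w[build test]),
    Pipeline.new(id: 2, source: 'security_orchestration_policy', ref: 'main',
                 status: 'success', jobs: %w[dependency_scanning]),
    Pipeline.new(id: 3, source: 'push', ref: 'feature', status: 'success',
                 jobs: %w[build test dependency_scanning])
  ]
)

if $PROGRAM_NAME == __FILE__
  puts "ci_pipelines only:          #{evaluate_control(SAMPLE_PROJECT, include_security_policies: false)}"
  puts "including policy pipelines: #{evaluate_control(SAMPLE_PROJECT, include_security_policies: true)}"
end
```

The point to keep in mind when reviewing such a change is that widening the scope changes which pipeline the control inspects, not just whether one is found: the policy pipeline with the higher id wins over the project's own push pipeline on the same branch, so the control's verdict now depends on whichever qualifying pipeline ran most recently from either source.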
