# Allow Secure templates to run in Merge Request-only pipelines
Currently our Secure templates only run in branch pipelines, not in Merge Request-only pipelines. For example, this `.gitlab-ci.yml` does not add any of the requested jobs to Merge Request pipelines:

```yaml
include:
  - template: Dependency-Scanning.gitlab-ci.yml
  - template: License-Scanning.gitlab-ci.yml
  - template: SAST.gitlab-ci.yml

workflow:
  rules:
    - if: $CI_COMMIT_REF_NAME == "master"
      when: always
    - if: $CI_MERGE_REQUEST_IID
      when: always
    - when: never
```

In our templates [we use rules like](https://gitlab.com/gitlab-org/gitlab/-/blob/a92eb346e387be021d0ae1295798709d37016b7c/lib/gitlab/ci/templates/Security/Dependency-Scanning.gitlab-ci.yml#L154-161) the following, which only match when `$CI_COMMIT_BRANCH` is set, i.e. in branch pipelines:

```yaml
- if: $DEPENDENCY_SCANNING_DISABLED || $DS_DISABLE_DIND == 'false'
  when: never
- if: $CI_COMMIT_BRANCH &&
      $GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
      $DS_DEFAULT_ANALYZERS =~ /retire.js/
  exists:
    - 'package.json'
```

## Proposal

Update `rules` within ~"section::sec" templates to support MR pipelines using the following configuration (as suggested [below](https://gitlab.com/gitlab-org/gitlab/-/issues/217668#note_502308480)):

```yaml
job:
  rules:
    - if: $CI_MERGE_REQUEST_IID    # Add the job to merge request pipelines if there's an open merge request.
    - if: $CI_OPEN_MERGE_REQUESTS  # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
      when: never
    - if: $CI_COMMIT_BRANCH        # If there's no open merge request, add it to a *branch* pipeline instead.
```

### Implementation plan

- [x] Introduce `.latest.gitlab-ci.yml` templates when missing
  - [x] [`Jobs/SAST.latest.gitlab-ci.yml`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/SAST.latest.gitlab-ci.yml) | https://gitlab.com/gitlab-org/gitlab/-/merge_requests/81847
  - [x] [`Jobs/SAST-IaC.latest.gitlab-ci.yml`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/SAST-IaC.latest.gitlab-ci.yml) | https://gitlab.com/gitlab-org/gitlab/-/merge_requests/94429
  - [x] [`Jobs/Secret-Detection.latest.gitlab-ci.yml`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/Secret-Detection.latest.gitlab-ci.yml) | https://gitlab.com/gitlab-org/gitlab/-/merge_requests/81847
  - [x] [`Jobs/Dependency-Scanning.latest.gitlab-ci.yml`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/Dependency-Scanning.latest.gitlab-ci.yml) | https://gitlab.com/gitlab-org/gitlab/-/merge_requests/97323
  - [x] [`Jobs/Container-Scanning.latest.gitlab-ci.yml`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/Container-Scanning.latest.gitlab-ci.yml) | https://gitlab.com/gitlab-org/gitlab/-/merge_requests/97323
  - [x] [`Jobs/License-Scanning.latest.gitlab-ci.yml`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/License-Scanning.latest.gitlab-ci.yml) | https://gitlab.com/gitlab-org/gitlab/-/merge_requests/97323
  - [x] [`Jobs/DAST.latest.gitlab-ci.yml`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/DAST.latest.gitlab-ci.yml) | https://gitlab.com/gitlab-org/gitlab/-/merge_requests/97886
  - [x] [`Jobs/DAST-API.latest.gitlab-ci.yml`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/DAST-API.latest.gitlab-ci.yml) | https://gitlab.com/gitlab-org/gitlab/-/merge_requests/97886
  - [x] [`Jobs/API-Fuzzing.latest.gitlab-ci.yml`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/API-Fuzzing.latest.gitlab-ci.yml) | https://gitlab.com/gitlab-org/gitlab/-/merge_requests/97886
  - [x] [`Jobs/Coverage-Fuzzing.latest.gitlab-ci.yml`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/Coverage-Fuzzing.latest.gitlab-ci.yml) | https://gitlab.com/gitlab-org/gitlab/-/merge_requests/97886
- [x] Update `rules` job configurations for `latest` templates with the `CI_OPEN_MERGE_REQUESTS` configuration described above
- [x] Update [documentation](https://docs.gitlab.com/ee/user/application_security/#use-security-scanning-tools-with-merge-request-pipelines) to include support for Merge Request pipelines out of the box | https://gitlab.com/gitlab-org/gitlab/-/merge_requests/100760
- [ ] Within the MAJOR version release (%16.0), graduate `latest` template changes to stable templates
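To make the difference between the current `$CI_COMMIT_BRANCH` rule and the proposed three-rule block concrete, here is an added example that is not part of the issue or of GitLab's templates: a small Python model of `rules:` evaluation that reports which pipeline types receive a scanning job under each rule set. Reducing an `if:` to a list of required variables, and the sample pipeline contexts, are assumptions of the example.

```python
"""Added example, not from the GitLab issue or GitLab's own code: a minimal model
of how GitLab CI `rules:` decide whether a job is added to a pipeline, used to
compare the old `$CI_COMMIT_BRANCH` rule with the proposed three-rule block."""

# Simplification (assumption): an `if:` is modelled as a list of predefined
# variables that must all be non-empty, instead of a full expression string.
# Rules are evaluated top to bottom and the first match decides: `when: never`
# drops the job, anything else adds it; no match means the job is not added.

def job_added(rules, variables):
    """Return True if the job ends up in a pipeline with these variables set."""
    for rule in rules:
        if all(variables.get(var) for var in rule["if"]):
            return rule.get("when", "on_success") != "never"
    return False

# Constructed pipeline contexts, mirroring which predefined variables GitLab sets:
# CI_COMMIT_BRANCH only exists in branch pipelines, CI_MERGE_REQUEST_IID only in
# merge request pipelines, CI_OPEN_MERGE_REQUESTS in both once an MR is open.
BRANCH_NO_MR = {"CI_COMMIT_BRANCH": "feature"}
BRANCH_WITH_OPEN_MR = {"CI_COMMIT_BRANCH": "feature",
                       "CI_OPEN_MERGE_REQUESTS": "group/project!42"}
MR_PIPELINE = {"CI_MERGE_REQUEST_IID": "42",
               "CI_OPEN_MERGE_REQUESTS": "group/project!42"}

# The pre-existing template rule, reduced to its branch condition.
OLD_RULES = [{"if": ["CI_COMMIT_BRANCH"]}]

# The proposed rules from the issue.
NEW_RULES = [
    {"if": ["CI_MERGE_REQUEST_IID"]},                     # run in MR pipelines
    {"if": ["CI_OPEN_MERGE_REQUESTS"], "when": "never"},  # no duplicate branch run
    {"if": ["CI_COMMIT_BRANCH"]},                         # branch without an open MR
]

def coverage(rules):
    """Which pipeline types get the scanning job under a given rule set."""
    return {
        "branch, no MR": job_added(rules, BRANCH_NO_MR),
        "branch, open MR": job_added(rules, BRANCH_WITH_OPEN_MR),
        "merge request": job_added(rules, MR_PIPELINE),
    }

if __name__ == "__main__":
    # Old rules: the scan runs on branches but never in the MR pipeline (the issue).
    # New rules: the scan runs exactly once, in the MR pipeline when one is open.
    print("old:", coverage(OLD_RULES))
    print("new:", coverage(NEW_RULES))
```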