Show security reports from a child pipeline in a MR
## Problem to Solve

<!--template sourced from https://gitlab.com/gitlab-org/gitlab/-/blob/master/.gitlab/issue_templates/Default.md-->

The feedback from customers who want to enforce security/compliance around security scans is that using child pipelines allows for flexibility and helps to avoid disruption. However, the workflow does not work end to end, as the generated artifacts from the security scans that are used for vulnerability reporting and for security policy evaluation (for MR approval policies) cannot be read by the parent.

This could give customers an additional path with likely a better method of "sandboxing" security scans or other compliance jobs. Other jobs, if they are managed in a child pipeline (or a triggered pipeline, understanding that is outside of the scope here), could allow for control over users in that project, limiting access, for example, to any variables enabled or used there. So this could be further secured.

## Proposal

Support the following Security and Compliance reports from dynamically generated child pipelines to be shown in the MR, listed in order of priority:

1. [Artifacts_report:sast](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportssast)
2. [Artifacts:reports:secret_detection](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportssecret_detection)
3. [Artifacts:reports:dependency_scanning](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportsdependency_scanning) (potentially covers [artifact:reports:cyclonedx](https://docs.gitlab.com/ci/yaml/artifacts_reports/#artifactsreportscyclonedx) but needs further investigation)
4. [Artifacts:reports:container_scanning](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportscontainer_scanning)
5. [Artifacts:reports:dast](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportsdast)
6. [Artifacts:reports:api_fuzzing](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportsapi_fuzzing)
7. [Artifacts:reports:coverage_fuzzing](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportscoverage_fuzzing)

## Supports

* Reports generated by child pipelines (same project), including dynamically generated child pipelines
* Reports generated by [Pipeline Execution Policies](https://docs.gitlab.com/user/application_security/policies/pipeline_execution_policies/)

## Limitations

Reports created as part of [Scan Execution Policies](https://docs.gitlab.com/user/application_security/policies/scan_execution_policies/) will not be supported.
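
The pipeline layout this issue concerns, as an added example that is not part of the original issue: a parent pipeline triggers a dynamically generated child pipeline in the same project, and the child's jobs declare the security report artifacts listed under Proposal. The file names, job names, generator script and scanner image are assumptions made for illustration.

```yaml
# ----- .gitlab-ci.yml (parent pipeline, constructed example) -----
stages:
  - generate
  - scan

generate-scan-config:
  stage: generate
  script:
    # Hypothetical generator script that writes the child pipeline definition.
    - ./ci/generate-scans.sh > security-child.yml
  artifacts:
    paths:
      - security-child.yml

security-scans:
  stage: scan
  trigger:
    include:
      # Dynamically generated child pipeline, read from the job artifact above.
      - artifact: security-child.yml
        job: generate-scan-config
    # The parent waits for the child and mirrors its status.
    strategy: depend
---
# ----- security-child.yml (generated child pipeline, constructed example) -----
include:
  # GitLab-provided templates; their jobs declare artifacts:reports:sast
  # and artifacts:reports:secret_detection respectively.
  - template: Jobs/SAST.gitlab-ci.yml
  - template: Jobs/Secret-Detection.gitlab-ci.yml

custom-sast:
  stage: test
  # Placeholder image and command for an in-house scanner (assumptions).
  image: registry.example.com/scanners/custom-sast:latest
  script:
    - custom-sast --output gl-sast-report.json
  artifacts:
    reports:
      # Report produced in the child pipeline. This is the kind of artifact
      # the issue says the parent cannot read for vulnerability reporting
      # and MR approval policy evaluation.
      sast: gl-sast-report.json
```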