Enforce Security Checks at the instance level
Problem to solve
The adoption of our security features is currently limited to users who opt in: they have to configure the right jobs in their CI configuration file (.gitlab-ci.yml), whereas scanning should run out of the box.
Automatic scheduling and notifications are not part of our offering today, yet they should be the first thing we provide.
Intended users
Further details
I'd like to challenge this (crazy) idea: why aren't our security features always included in our pipelines, just sitting there waiting to be enabled?
Proposal
We can enforce this behavior at the instance level, with all security jobs present in every pipeline but disabled by default. They would be enabled either by including our SAST.gitlab-ci.yml template (kept for backward compatibility) or by setting an environment variable; the new template would do nothing more than set that variable.
Connecting the dots: we could then run regular (weekly) "ghost" pipelines with this variable enabled. Their results would trigger GitHub-style alerts sent by email to project owners and maintainers.
That way, without any intervention, users would start to receive security insights, and Gold/Ultimate users would have up-to-date dashboards.
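As an added illustration of the mechanism described above (not part of the original proposal, and not GitLab's actual SAST template), here is how the gating could be expressed in GitLab CI syntax. The variable name `SECURITY_SCANS_ENABLED`, the analyzer image name and the job body are assumptions for the example; `CI_PIPELINE_SOURCE` is a real predefined variable that equals `schedule` for scheduled pipelines, and `rules:`/`if:` is existing GitLab CI syntax. The three YAML documents are the instance-level template, the backward-compatibility template, and an existing project's `.gitlab-ci.yml`.

```yaml
# Added example, not GitLab's template. SECURITY_SCANS_ENABLED, the image
# name and the job body are hypothetical; rules:/if: and CI_PIPELINE_SOURCE
# are real GitLab CI features.

# --- Instance-level template, injected into every pipeline ---
# The job is present everywhere but not created unless a rule matches.
sast:
  stage: test
  image: registry.example.com/security-products/sast:latest  # placeholder
  rules:
    # Opt-in via the variable, set by a project, group, instance, or schedule.
    - if: '$SECURITY_SCANS_ENABLED == "true"'
    # Weekly "ghost" pipelines: scheduled runs always get the scan.
    - if: '$CI_PIPELINE_SOURCE == "schedule"'
    # Anything else: the job is not added to the pipeline.
    - when: never
  script:
    - /analyzer run   # hypothetical analyzer entrypoint
  artifacts:
    reports:
      sast: gl-sast-report.json
  allow_failure: true
---
# --- SAST.gitlab-ci.yml, kept for backward compatibility ---
# Projects that still include it get the scans enabled, and nothing else.
variables:
  SECURITY_SCANS_ENABLED: "true"
---
# --- An existing project's .gitlab-ci.yml, left unchanged ---
# Including the legacy template now only flips the variable; the job itself
# already exists through the instance-level template.
include:
  - template: SAST.gitlab-ci.yml

variables:
  # A project could also opt in directly, without the include.
  SECURITY_SCANS_ENABLED: "true"
```

Note that with this layout an existing project keeps working without edits, a new project gets scans on the weekly schedule without any configuration, and a project, group or instance can opt in at any time by setting the one variable in CI/CD settings rather than touching `.gitlab-ci.yml`.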
It could also be an opt-in setting (in the UI) at the project, group, or instance level, like it is on GitHub:
Permissions and Security
TODO
Documentation
TODO
Testing
TODO
What does success look like, and how can we measure that?
Users receive security alerts without any configuration and without having to run any pipeline themselves.