Detect absence/obsolescence of security jobs in a pipeline
Problem to solve
There are several cases where a project has no vulnerabilities reported:
- pipelines are not configured
- pipelines have not run yet
- security jobs are not included in the pipeline
- security jobs use an old syntax that is no longer supported (e.g., the old artifacts:paths syntax instead of artifacts:reports)
- users intentionally don't want security checks
- etc...
We need to help users figure out whether they need to change their configuration in order to have security reports available in the dashboard and in the MR.
Further details
Since it is not simple to access the .gitlab-ci.yml file, we should work out how to achieve this goal in the most boring way.
Proposal
Check whether security jobs are configured correctly and, if not, identify the reason.
If a possible misconfiguration is detected, report it in the UI (e.g., in the dashboard or in the MR widget) so users can fix it.
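As an added illustration of the proposed check (this is example code written for this issue, not GitLab's implementation), the script below takes an already parsed .gitlab-ci.yml (a dict, e.g. the result of yaml.safe_load) plus the number of pipelines that have run, and returns one of the reasons listed above together with a hint for the UI. It assumes that legacy scanner jobs published files named gl-<scanner>-report.json via artifacts:paths, that Security/*.gitlab-ci.yml template includes define security jobs even though they are not visible in the parsed file, and that *_DISABLED variables set to true mean the scanners were switched off on purpose; the sample configs at the bottom are constructed.

```python
"""Added example, not GitLab's own code: classify why a project shows no
security reports, from an already parsed .gitlab-ci.yml (a dict, e.g. the
result of yaml.safe_load) plus the number of pipelines that have run."""
from typing import Any, Dict, Iterator, List, Optional, Tuple

# Report types GitLab reads from artifacts:reports to feed the dashboard and MR widget.
SECURITY_REPORT_TYPES = {
    "sast", "dependency_scanning", "container_scanning",
    "dast", "secret_detection", "license_scanning",
}
# Top-level keys of .gitlab-ci.yml that are settings rather than jobs.
RESERVED_KEYS = {
    "stages", "variables", "include", "image", "services", "before_script",
    "after_script", "cache", "default", "workflow",
}


def iter_jobs(config: Dict[str, Any]) -> Iterator[Tuple[str, Dict[str, Any]]]:
    """Yield (name, body) for real jobs; skip settings and hidden '.template' jobs."""
    for name, body in config.items():
        if name in RESERVED_KEYS or name.startswith(".") or not isinstance(body, dict):
            continue
        yield name, body


def modern_report_types(job: Dict[str, Any]) -> List[str]:
    """Security report types a job publishes with the supported artifacts:reports syntax."""
    reports = (job.get("artifacts") or {}).get("reports") or {}
    return sorted(set(reports) & SECURITY_REPORT_TYPES)


def legacy_report_paths(job: Dict[str, Any]) -> List[str]:
    """Report files a job still publishes through the old artifacts:paths syntax.
    Assumption: legacy scanner jobs named their output gl-<scanner>-report.json."""
    paths = (job.get("artifacts") or {}).get("paths") or []
    return [p for p in paths if isinstance(p, str)
            and p.startswith("gl-") and p.endswith("-report.json")]


def security_template_included(config: Dict[str, Any]) -> bool:
    """True if a Security/*.gitlab-ci.yml template is included (its jobs are
    not visible in the parsed file, but they do run)."""
    includes = config.get("include") or []
    if isinstance(includes, (str, dict)):
        includes = [includes]
    return any(isinstance(e, dict) and str(e.get("template", "")).startswith("Security/")
               for e in includes)


def disabled_scanners(config: Dict[str, Any]) -> List[str]:
    """Scanner switches such as SAST_DISABLED set to true in top-level variables."""
    variables = config.get("variables") or {}
    return sorted(k for k, v in variables.items()
                  if k.endswith("_DISABLED") and str(v).lower() == "true")


def diagnose(config: Optional[Dict[str, Any]], pipeline_count: int) -> Tuple[str, str]:
    """Return (status, hint) explaining why no security reports are available."""
    if config is None:
        return "no_ci_config", "no .gitlab-ci.yml found; add one (or enable Auto DevOps)"
    if pipeline_count == 0:
        return "no_pipeline_run", "pipeline is configured but has never run"
    legacy: Dict[str, List[str]] = {}
    for name, job in iter_jobs(config):
        if modern_report_types(job):
            return "ok", f"job {name!r} publishes security reports via artifacts:reports"
        stale = legacy_report_paths(job)
        if stale:
            legacy[name] = stale
    if legacy:
        detail = "; ".join(f"{n}: {', '.join(f)}" for n, f in legacy.items())
        return "legacy_syntax", f"move these files under artifacts:reports ({detail})"
    disabled = disabled_scanners(config)
    if disabled:
        return "disabled_on_purpose", f"scanners switched off via {', '.join(disabled)}"
    if security_template_included(config):
        return "ok", "a Security/ template is included"
    return "no_security_jobs", "no job publishes a security report; include a Security/ template"


# Constructed sample configs standing in for parsed .gitlab-ci.yml files.
LEGACY_CONFIG = {
    "stages": ["test"],
    "sast": {"stage": "test", "script": ["echo scan"],
             "artifacts": {"paths": ["gl-sast-report.json"]}},
}
MODERN_CONFIG = {
    "sast": {"script": ["echo scan"],
             "artifacts": {"reports": {"sast": "gl-sast-report.json"}}},
}
DISABLED_CONFIG = {
    "include": [{"template": "Security/SAST.gitlab-ci.yml"}],
    "variables": {"SAST_DISABLED": "true"},
}

if __name__ == "__main__":
    for label, cfg, runs in [("legacy", LEGACY_CONFIG, 3), ("modern", MODERN_CONFIG, 3),
                             ("disabled", DISABLED_CONFIG, 3), ("missing", None, 0)]:
        print(label, *diagnose(cfg, runs))
```

The status string is what a dashboard or MR widget would key its message on; the hint is the remediation text. Checks are ordered so that a job already publishing a supported report wins over any stale job, and an explicit *_DISABLED switch is reported before an included template, since the switch skips the template's jobs.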
What does success look like, and how can we measure that?
Increase in the number of security jobs.