### Release notes <!--What is the problem and solution you're proposing? This content sets the overall vision for the feature and serves as the release notes that will populate in various places, including the \\\[release post blog\\\](https://about.gitlab.com/releases/categories/releases/) and \\\[Gitlab project releases\\\](https://gitlab.com/gitlab-org/gitlab/-/releases). "--> GitLab 17.11 introduces a new feature that allows users to verify the origin of build artifacts by tracking the source of CI/CD jobs. This enhancement is particularly valuable for security and compliance workflows. Jobs in GitLab now store and display a `source` value that identifies whether they originated from: * A scan execution policy * A pipeline execution policy * A regular pipeline This information can be accessed through the `Build > Jobs` page with a new filter option, using the Jobs API, or through ID token `claims` for artifact verification. This feature addresses a critical security need: verifying that security scan artifacts were generated by trusted policy-defined jobs rather than potentially modified by developer-defined jobs. Organizations can now: * Verify the authenticity of security scan results * Filter jobs by source type to quickly identify policy-enforced scans * Implement cryptographic verification of artifacts using the new ID token claims * Ensure compliance requirements are met with proper audit trails Security teams can leverage this feature by: 1. Using the new filter on the Jobs page to view only policy-enforced jobs 2. Accessing the `source` field in the Jobs API for automation 3. Implementing artifact verification using the new ID token claims: * `job_source`: Identifies the job's origin * `job_policy_ref_uri`: Points to the policy file (for policy-defined jobs) * `job_policy_ref_sha`: Contains the git commit SHA of the policy This enhancement is particularly valuable for organizations implementing software supply chain security measures and those requiring verifiable evidence of security scans for compliance purposes. ### Problem to solve <!--What problem do we solve? Try to define the who/what/why of the opportunity as a user story. For example, "As a (who), I want (what), so I can (why/value)."--> Users need a way to verify that build artifact files have been built by Scan Execution Policy jobs. Currently users can sign the artifact file, and the id_tokens value includes the job_id, but there is no way to verify whether the job came from a developer-defined job or from a scan execution policy-defined job. Additionally, users want to be able to filter by source type on the Build \> Jobs page so they can easily see the jobs that ran as part of a scan execution policy. ### Intended users * [Cameron (Compliance Manager)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#cameron-compliance-manager) ### Proposal <!--How are we going to solve the problem? Try to include the user journey! https://about.gitlab.com/handbook/journeys/#user-journey--> 1. The job `source` will be associated with all Jobs that are run in GitLab. 1. For jobs that are created by a scan execution policy, the value will be `scan_execution_policy`. 2. For all other jobs, the value will be inherited from the Pipeline. See the [source value in these docs](https://docs.gitlab.com/ee/api/pipelines.html#list-project-pipelines) for a listing of possible values. 2. Users will be able to filter by `source` on the Build \> Jobs page. 3. The `source` field will be returned in the API response when calling the [Jobs API](https://docs.gitlab.com/ee/api/jobs.html#get-a-single-job). 4. A new `job_source` claim will be added to our [id_token claims](https://docs.gitlab.com/ee/ci/secrets/id_token_authentication.html). The value will be the same as requirement 1 listed above. 5. For jobs that are run by a security policy project, a new `job_policy_ref_uri` claim will be added to our [id_token claims](https://docs.gitlab.com/ee/ci/secrets/id_token_authentication.html). 1. The value will be null for jobs that do not come from a scan execution policy. 2. The value will point to the scan execution policy file for jobs that do come from a scan execution policy. 3. The format will be `gitlab.example.com/my-group/my-project//.gitlab-ci.yml@refs/heads/main`. 6. For jobs that are run by a security policy project, a new `job_policy_ref_sha` claim will be added to our [id_token claims](https://docs.gitlab.com/ee/ci/secrets/id_token_authentication.html). 1. The value will be null for jobs that do not come from a scan execution policy. 2. The value will be the git commit SHA for the `job_policy_ref_uri` for jobs that do come from a scan execution policy. ### Permissions and Security This will not change permissions ### Documentation Documentation will be updated on the following pages: 1. https://docs.gitlab.com/ee/api/jobs.html 2. https://docs.gitlab.com/ee/ci/secrets/id_token_authentication.html ### Availability & Testing <!--This section needs to be retained and filled in during the workflow planning breakdown phase of this feature proposal, if not earlier. What risks does this change pose to our availability? How might it affect the quality of the product? What additional test coverage or changes to tests will be needed? Will it require cross-browser testing? Please list the test areas (unit, integration and end-to-end) that needs to be added or updated to ensure that this feature will work as intended. Please use the list below as guidance. \\\* Unit test changes \\\* Integration test changes \\\* End-to-end test change See the test engineering planning process and reach out to your counterpart Software Engineer in Test for assistance: https://about.gitlab.com/handbook/engineering/quality/test-engineering/#test-planning--> ### What does success look like, and how can we measure that? <!--Define both the success metrics and acceptance criteria. Note that success metrics indicate the desired business outcomes, while acceptance criteria indicate when the solution is working correctly. If there is no way to measure success, link to an issue that will implement a way to measure this.--> ### What is the type of buyer? <!--What is the buyer persona for this feature? See https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/buyer-persona/ In which enterprise tier should this feature go? See https://about.gitlab.com/handbook/product/pricing/#four-tiers--> ~"GitLab Free" ### Is this a cross-stage feature? <!--Communicate if this change will affect multiple Stage Groups or product areas. We recommend always start with the assumption that a feature request will have an impact into another Group. Loop in the most relevant PM and Product Designer from that Group to provide strategic support to help align the Group's broader plan and vision, as well as to avoid UX and technical debt. https://about.gitlab.com/handbook/product/#cross-stage-features--> Yes, this feature overlaps with ~"group::pipeline authoring" ### Links / references <!--Label reminders - you should have one of each of the following labels if you can figure out the correct ones--> <!--triage-serverless v3 PLEASE DO NOT REMOVE THIS SECTION--> _This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc._ <!--triage-serverless v3 PLEASE DO NOT REMOVE THIS SECTION--> <!-- triage-serverless v3 PLEASE DO NOT REMOVE THIS SECTION --> > [!important] > This page may contain information related to upcoming products, features and functionality. > It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. > Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc. <!-- triage-serverless v3 PLEASE DO NOT REMOVE THIS SECTION -->