Support for custom CI variables in the Scan Execution Policies editor
### Problem to solve

The Scan Execution policy UI does not make it clear that users can customize which CI variables are used, so users are left unsure whether this is possible at all. CI variables can be modified today via YAML, but this is not exposed in the UI.

### Release Post

Rule mode support for CI variables extends our current UI support for defining rules for scan execution policies. CI variables defined in a policy override any variables used in projects that are enforced by the policy. For each scan type, you can choose from the default variables available and set a value, or you can create custom key-value pairs for custom CI variables.

### Intended users

* [Cameron (Compliance Manager)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#cameron-compliance-manager)
* [Devon (DevOps Engineer)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#devon-devops-engineer)
* [Sidney (Systems Administrator)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#sidney-systems-administrator)
* [Alex (Security Operations Engineer)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#alex-security-operations-engineer)

### Proposal

1. Users will be able to customize the various CI variables per scan type as part of the Action of their Scan Execution Policy. They will be able to view the default variable values and choose which variables to customize.
2. Default variables available in the dropdown will include all variables for the analyzers supported in scan execution policies:
   - Dependency Scanning: https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#configuring-dependency-scanning
   - SAST: https://docs.gitlab.com/ee/user/application_security/sast/#docker-images
   - Browser-based DAST: https://docs.gitlab.com/ee/user/application_security/dast/browser_based.html#available-cicd-variables
   - Proxy-based DAST: https://docs.gitlab.com/ee/user/application_security/dast/proxy-based.html
   - Secret Detection: https://docs.gitlab.com/ee/user/application_security/secret_detection/#available-cicd-variables
   - Container Scanning: https://docs.gitlab.com/ee/user/application_security/container_scanning/#available-cicd-variables
   - SAST IaC (lacks a clean variables table currently): https://docs.gitlab.com/ee/user/application_security/iac_scanning/
3. Filter the variables list based on the analyzer selected in the rule (e.g. only show DAST-related variables when DAST is selected as the `Action` for the rule). Users who want to execute multiple scanners in the same scan execution policy can then create a new action, select another analyzer, and be presented with that analyzer's set of variable options.

### Design Proposal

**Scan execution policy**

| Customized CI Variables | Interaction Gif |
| ------ | ------ |
| ![scan-excution-policy-customized-CI-variables-1](/uploads/f50c29b40ba80ec420bb2a1318eb3894/scan-excution-policy-customized-CI-variables-1.png) | ![3](/uploads/6a7da41174f17ff6505eef84a75957d9/3.gif) |

### Permissions and Security

### Documentation

### Availability & Testing

### What does success look like, and how can we measure that?

### What is the type of buyer?

~"GitLab Ultimate"

### Is this a cross-stage feature?

### Links / references

*This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.*
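As an added example that is not part of this issue, the YAML below shows the form of what the proposal describes: a scan execution policy with one action per analyzer, each action carrying only that analyzer's CI variables. The `variables` key under an action is the existing YAML mechanism the Problem section refers to; the policy name, description and branch are constructed placeholders, and the variable names are the documented analyzer variables linked in the Proposal.

```yaml
# Added example, not from the issue or from GitLab's own files: a scan
# execution policy that pins analyzer CI variables per action.
# Name, description and branch are constructed placeholders.
scan_execution_policy:
  - name: Enforce SAST and secret detection with pinned variables
    description: Constructed example policy for the CI-variables proposal
    enabled: true
    rules:
      - type: pipeline
        branches:
          - main
    actions:
      # One action per analyzer. Each action lists only that analyzer's
      # variables, which is the per-scan-type filtering the proposal asks
      # the UI to present.
      - scan: sast
        variables:
          # Values set here take precedence over the same keys defined in an
          # enforced project's .gitlab-ci.yml or CI/CD variable settings.
          SAST_EXCLUDED_PATHS: "spec, test, tests, tmp"
          SECURE_LOG_LEVEL: "info"
      - scan: secret_detection
        variables:
          SECRET_DETECTION_HISTORIC_SCAN: "true"
```

The file lives in the security policy project at the path GitLab documents for policies (`.gitlab/security-policies/policy.yml`). Because policy values override project values for the same keys, a project cannot loosen `SAST_EXCLUDED_PATHS` or switch off the historic secret scan for itself once the policy is enforced, which is the enforcement property the Release Post describes; the UI work in this issue only changes how those key-value pairs are authored, not how they are applied.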