Mandatory GitLab CI/CD jobs

We use a pipeline execution policy within our DevOps-wide security policy project to inject jobs for the following tasks into all CI pipelines:

  • Dependency scanning with a job named gemnasium-dependency_scanning
  • Static security scanning with jobs named gitlab-advanced-sast and kics-iac-sast
  • Secret detection with a job named secret_detection

These jobs are injected into all pipelines and cannot be disabled via configuration in the project.
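Because the jobs are injected by policy rather than declared in each project's .gitlab-ci.yml, the simplest way to confirm they are actually present in a given pipeline is to inspect the pipeline's job list. The following is an added example, not code from the original page: it audits the jobs of one pipeline against the four mandatory job names listed above. The fetching helper uses the standard GitLab REST endpoint for pipeline jobs; the base URL, project id, pipeline id and token are placeholders you would supply, and the sample job list is constructed here so the check runs offline.

```python
"""Audit a GitLab pipeline for the mandatory security jobs.

Added example (not part of the original page). Assumes the four job names
listed on the page and the GitLab REST endpoint
GET /projects/:id/pipelines/:pipeline_id/jobs. All connection details in
fetch_jobs() are placeholders.
"""
import json
import urllib.request

# Job names injected by the pipeline execution policy (from the page).
MANDATORY_JOBS = frozenset({
    "gemnasium-dependency_scanning",
    "gitlab-advanced-sast",
    "kics-iac-sast",
    "secret_detection",
})

# A scanner job counts as having run if it reached a terminal result.
# Scanners are commonly allow_failure, so "failed" still means it executed;
# "skipped", "canceled", "manual", "pending" etc. mean it did not.
RAN_STATUSES = {"success", "failed"}


def fetch_jobs(base_url, project_id, pipeline_id, token):
    """Fetch every job of a pipeline, following page-based pagination.

    Placeholders: base_url (e.g. "https://gitlab.example.invalid"),
    project_id, pipeline_id and a token with read_api scope.
    """
    jobs, page = [], 1
    while True:
        url = (f"{base_url}/api/v4/projects/{project_id}/pipelines/"
               f"{pipeline_id}/jobs?per_page=100&page={page}")
        req = urllib.request.Request(url, headers={"PRIVATE-TOKEN": token})
        with urllib.request.urlopen(req) as resp:
            batch = json.load(resp)
        if not batch:
            return jobs
        jobs.extend(batch)
        page += 1


def audit_jobs(jobs, expected=MANDATORY_JOBS):
    """Compare a pipeline's job list against the expected mandatory jobs.

    `jobs` is the decoded JSON list from the jobs endpoint; only the
    "name" and "status" fields are used. Pass a reduced `expected` set
    (e.g. without "gitlab-advanced-sast") for projects that set
    GITLAB_ADVANCED_SAST_ENABLED=false.
    """
    status_by_name = {}
    for job in jobs:
        # Later entries win, so a retried job is judged by its latest run.
        status_by_name[job["name"]] = job.get("status", "unknown")

    present = expected & status_by_name.keys()
    missing = sorted(expected - present)
    not_run = sorted(n for n in present if status_by_name[n] not in RAN_STATUSES)
    return {"missing": missing, "not_run": not_run,
            "ok": not missing and not not_run}


# Constructed sample: one mandatory job absent, one skipped, one failed
# (which still counts as having run).
SAMPLE_JOBS = [
    {"name": "build", "status": "success"},
    {"name": "gemnasium-dependency_scanning", "status": "success"},
    {"name": "gitlab-advanced-sast", "status": "failed"},
    {"name": "kics-iac-sast", "status": "skipped"},
]

if __name__ == "__main__":
    # Offline demonstration; swap SAMPLE_JOBS for fetch_jobs(...) in use.
    print(json.dumps(audit_jobs(SAMPLE_JOBS), indent=2))
```

A non-empty `missing` list for a pipeline that should have had the policy applied is worth raising with the teams named under "Requesting an exemption", since it indicates the policy did not reach that pipeline rather than a project-level misconfiguration.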

Per-project configuration

You can set the following CI/CD variables to configure the behaviour of mandatory jobs:

  • GITLAB_ADVANCED_SAST_ENABLED: set to false to disable advanced static scanning and revert to the "ordinary" security scanning. Only do this if the advanced SAST scanning generates an impractical level of false-positive reports. In this situation, please feed this back through the tech lead forum so that they are aware.
  • AST_ENABLE_MR_PIPELINES: set to true to enable security scanning on Merge Request pipelines when a Merge Request is open. Usually this is set by our boilerplates when needed. If you are seeing duplicate pipelines in Merge Requests, you may need to set this manually.

The variables must be set in the GitLab project factory. Setting these variables in .gitlab-ci.yml has no effect.

For example, to enable Merge Request pipelines for mandatory jobs, set the variables field in the project configuration:

projects = {
  "project-a" = {
    # ...

    variables = {
      AST_ENABLE_MR_PIPELINES = {
        value       = "true"  # Note: this *must* be a string
        description = "Enable MR pipelines for mandatory CI jobs."
      }
    }
  }
}

Requesting an exemption

You may request an exemption for your project by raising an issue in the security policy project and explaining the need for the exemption. Please make either Developer Experience or Cloud Team aware of the request via their Teams channels.