Mandatory GitLab CI/CD jobs
We use a pipeline execution policy in our DevOps-wide security policy project to inject jobs for the following tasks into all CI pipelines:
- Dependency scanning, with a job named gemnasium-dependency_scanning
- Static security scanning, with jobs named gitlab-advanced-sast and kics-iac-sast
- Secret detection, with a job named secret_detection
These jobs are injected into all pipelines and cannot be disabled via configuration in the project.
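To illustrate the mechanism described above, the following is an added, hypothetical example of what such a pipeline execution policy and the CI file it injects look like; it is not a copy of our security policy project. The project path, file name and ref are assumptions, and which GitLab templates the real policy includes is not stated on this page. The template paths themselves are the public GitLab-maintained ones.

```yaml
# --- .gitlab/security-policies/policy.yml in the security policy project ---
# Hypothetical policy: the real project path, file name and ref differ.
pipeline_execution_policy:
  - name: Mandatory security scanning
    description: Inject dependency, SAST, IaC and secret scanning into every pipeline.
    enabled: true
    # inject_ci merges the policy's jobs into each project's pipeline next to the
    # project's own .gitlab-ci.yml, so a project cannot omit or override them.
    pipeline_config_strategy: inject_ci
    content:
      include:
        - project: devops/security-policy-project   # assumed path
          file: mandatory-jobs.yml                  # assumed file name
          ref: main                                 # assumed ref

---
# --- mandatory-jobs.yml (the file the policy includes; assumed content) ---
include:
  # Defines gemnasium-dependency_scanning.
  - template: Jobs/Dependency-Scanning.gitlab-ci.yml
  # Defines gitlab-advanced-sast when GITLAB_ADVANCED_SAST_ENABLED is "true",
  # otherwise the template's ordinary SAST job.
  - template: Jobs/SAST.gitlab-ci.yml
  # Defines kics-iac-sast.
  - template: Jobs/SAST-IaC.gitlab-ci.yml
  # Defines secret_detection.
  - template: Jobs/Secret-Detection.gitlab-ci.yml
```

Because the jobs come from the policy's included file rather than from the project's .gitlab-ci.yml, the only per-project knobs are the CI/CD variables those templates already read (for example GITLAB_ADVANCED_SAST_ENABLED and AST_ENABLE_MR_PIPELINES), which is why the variables below are set on the project rather than in its pipeline definition.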
Per-project configuration
You can set the following CI/CD variables to configure the behaviour of mandatory jobs:
- GITLAB_ADVANCED_SAST_ENABLED: set to false to disable advanced static scanning and revert to the "ordinary" security scanning. Only do this if the advanced SAST scanning generates an impractical level of false positive reports. In this situation, please feed back through the tech lead forum so that they are aware.
- SECURE_ENABLE_LOCAL_CONFIGURATION: set to true to enable local configuration of SAST jobs via files in .gitlab, as per GitLab's documentation.
- AST_ENABLE_MR_PIPELINES: set to true to enable security scanning on Merge Request pipelines when a Merge Request is open. Usually this is set by our boilerplates when needed. If you are seeing duplicate pipelines in Merge Requests, you may need to set this manually.
The variables must be set in the GitLab project factory. Setting these variables in
.gitlab-ci.yml has no effect.
For example, to enable Merge Request pipelines for mandatory jobs, set the variables field in the
project configuration:
```hcl
projects = {
  "project-a" = {
    # ...
    # Project-level CI/CD variables; the mandatory jobs read these at runtime.
    variables = {
      AST_ENABLE_MR_PIPELINES = {
        value       = "true"  # Note: this *must* be a string
        description = "Enable MR pipelines for mandatory CI jobs."
      }
    }
  }
}
```
Requesting an exemption
You may request an exemption for your project by raising an issue in the security policy project and explaining the need for the exemption. Please make either the Developer Experience or the Cloud Team aware of the request via their Teams channels.