►
Description
DAST Project-level Scan Execution Policies (https://gitlab.com/groups/gitlab-org/-/epics/4598)
Spike: How to add a job that doesn't exist in .gitlab-ci.yml to a pipeline (https://gitlab.com/gitlab-org/gitlab/-/issues/280315)
Spike: How to run a scheduled pipeline with one security job (https://gitlab.com/gitlab-org/gitlab/-/issues/280314)
Spike: How can we fail a pipeline depending on conditions set in Scan Result Policy (https://gitlab.com/gitlab-org/gitlab/-/issues/280313)
Spike: How Gitlab configuration inheritance works (https://gitlab.com/gitlab-org/gitlab/-/issues/282420)
A
So
I'm
here
with
matiay
and
today
we're
going
to
talk
about
dust
project
level,
scan
execution
policies,
it's
a
big
epic
lots
of
stuff
that
doesn't
exist,
or
it's
not
very
there's
no
consistent
architecture
to
to
do
yet
so
we're
just
gonna,
walk
through
the
stuff
and
and
bring
up
any
problems,
areas
and,
most
importantly,
the
three
spikes
that
I
want
to
see.
If,
if
we've
got
the
right
questions
and
ask
them,
so
let
me
share
my
screen
cool.
Do
you
want
to
drive
but
yay.
B
A
A
B
A
A
Cool
then
the
list
that
we
get
there
will
have
another
column,
so
this
list
will
have
a
column
called
type
and
then
those
types
would
be
container
runtime
or
scan
schedule
again,
pretty
simple.
If
so,
the
container
runtime
is
the
existing
ones
right.
So
these
these
rules
here
they
are,
they
are
container
runtime
rules
cool,
so
they
already
exist.
A
We
need
to
create
another
type
of
of
rule
that
that's
the
scan
shadow
that
that
might
not
be
as
simple
as
it
sounds,
and
then
this
is
where
this
is
where
the
gravy
thickens
users
will
be
able
to
view
creator,
blah
blah
blah
as
described
in
the
prototype.
So
if
I
jump
over
to
the
prototype-
and
I
select
scan
execution
policy,
so
the
I
think
the
prototype
has
got
a
an
old
name,
it's
called
a
scan
schedule,
so
apologies!
A
A
I
don't
I
don't
know.
I
don't
see
someone
doing
this,
but
yeah
we'll
figure
out
so
that
that's
one
part
the
other
one
is
so
so
this
means
that
that
you're
gonna
run
a
scan
on
it
on
its
own.
That's
going
to
be,
you
know
a
job
running
if,
if
we
do
it
as
a
job,
it
means
we'll
need
a
pipeline,
and
maybe
the
pipeline
will
only
have
that
job
running
then
the
other
one
is
okay.
A
Given
somebody
triggered
a
pipeline
and
you
can
pick
the
branches
that
you
want
to
enforce
that
then
you're
gonna
enforce
that
the
scan
is
going
to
run
so
another
way
to
see
this,
is
you
forcing
the
dot
gitlab
ci
to
have
the
the
template
for
the
scanner
and
then
for
actions
require
scan
to
run
we're
beginning
with
dust?
So
that's
the
that's
the
scope
for
this
for
this
epic,
so
this
will
probably
be
hard
coded
and
then
these
things
already
exist,
but
I
think
this
is
called
a
profile.
A
A
B
So
good
so
far,
so
good
yeah,
the
one
question
may
be
we're
starting
with
tasks,
but
we
need
to
think
about
other
security
jobs
because
that's
rather,
I
believe
it
was
taken
on
purpose
as
the
first
one,
because
we
already
have
unmanaged
test
scans,
but
one
could
think
that,
oh
maybe
we
could
use
that,
but
then
what
we
should
do
with
sas
with
other
types
right.
So
I
believe
that
that's
the
one
concern
I
have
is
to
not
be
not
think
only
about
death,
but
about
the
whole
solution.
A
B
A
A
A
B
A
B
A
B
Yeah
yeah
definitely
I
was
thinking
the
main
thing.
What
we
need
to
do
is
to
be
able
to
replace
and
fly
the
file
that
is
used
to
schedule
pipeline
and
then
somehow
mark
it
as
a
special
pipeline,
so
it
is
not
being
taken
into
like
when
creating
vulnerabilities
or
it's
not
being
thinking
when
there
are
some
statistics
being
counted
and
so
on.
So
we
need
to
be
able
to
see
that
pipeline
in
the
ci
pipeline
view,
but
it
should
be
somehow
marked
out.
This
is
not
the
regular
pipeline.
A
Yeah
yeah,
so
detached
pipelines
use
that
that
ui,
I
don't
know
what
the
what
the
model
supports
in
the
in
the
in
the
back
end,
but
there's
probably
something
there
that
says:
hey
this
pipeline
is
detached,
so
maybe
we
can
have
that
model
supports
and
say:
hey.
This
pipeline
is
coming
from
a
policy.
B
A
A
B
A
A
B
Evaluate
I
I
believe
you
can
write
them
down
later
on,
because
it's
it
will
be
exactly
what
would
consider
taking
a
schedule
like
consider
doing
it
in
fly,
make
sure
that
it's
secured
from
the
api
and
draft
build
perspective,
and
so
on
so
on.
So
you
just
need
to
find
answers
for
these
questions.
I'll
update
it.
A
A
A
Editing
the
file
which
I
I
didn't
like,
because
there
are
too
many
ways
to
trick
the
paza
to
override
there's
too
many
ways
to
override
the
policy.
Basically
is
what
what
I'm
thinking
so
any
what
I
mean
by
that
is
any
anything
anything
that
depends
on
on
a
user-defined
gitlab
ci
could
be
tricked
into
not
running
right.
So
if
yeah
so
say
we
we
append
something
to
the
to
the
object.
A
B
A
B
B
B
A
Or
we'll
see,
yeah
exactly
that
I
mean
that's
the
spike,
let's
figure
out
some
some
ways
of
doing
that,
so
the
the
second
part
of
that
is,
if,
if
there
are
any
configurations
to
this
thing,
how
do
they
end
up
in
the
job?
Is
it
just
part
of
the
database
model?
Is
it
is
it
something
like
like
we
have
for
that?
We
just
looked
at
for
the
on-demand
scans.
B
A
B
Exactly
and
that's
the
native
way
and
you
can
you
can
store
it
somewhere,
you
can
automate
it
if
you
want,
because
that's
a
simple
git
repository,
so
you
can
modify
it
yeah
and
and
so
on,
and
there
are
so
many
things
that
are
good
in
that
solution.
The
the
only
thing
that
I'm
thinking
could
be
bad
is
that
we
need
to
parse
it
somehow.
A
Yeah
I
like
that,
because
part
part
of
what's
so
complicated
about
this
is
creating
a
a
flak,
not
painting
ourselves
in
the
corner,
with
with
a
model
for
this
framework
right
coming
up
with
the
and
and
it's
a
lot
of
work
to
do
everything.
We're
talking
database
migrations,
we're
talking
a
bunch
of
new
tables,
we're
talking
so
yeah.
I
quite
like
that
idea,
and-
and
it
doesn't
mean
that
we
can't
do
it
later
right
it.
It
can.
B
Just
be
the
mvc
yeah
for
and
the
other
thing
that
we
we
have
all
audit
options
by
default
because
we
already
have
all
comments.
You
know
who
did
what
you
have
whenever
you
would
like
to
do
a
change.
You
can
set
up
the
approval
process
and
you're
responsible
of
when
you're
responsible
for
a
repository
you
can
specify
who
can
merge
and
who
can
modify
and
who
can
create
a
mars
and
so
on.
A
I
really
like
that,
and
it's
slightly
different
to
the
idea
of
of
tweaking
the
gitlab
ci
from
the
project
that
is
being
scanned.
It's
like
it's
still
a
github,
ci
ammo
and
there's
still
a
policy
defined
and
still
be
pop,
but
it's
separate
right:
it's
not
yeah,
so
the
permissions
are
separate
yeah
I
like
that
cool.
So
that
could
be
an
option
there.
A
Any
anything
else
to
consider
here
around.
So
the
information
about
the
branches,
for
I
assume
there'll
be
there'll
need
to
be
some
glue
records
in
the
database
or
somewhere
right.
Some
metadata
saying:
hey,
go
look
for
for
the
stuff
in
here
and
by
the
way
you
only
need
to
do
that
if
it's
running
on
master
and
staging.
A
A
A
You
can
choose
to
fail
the
pipeline,
and
this
is
something
that's
been
discussed
in
other
groups.
As
you
know,
a
security
scan
is
a
job
that
runs
in
the
pipeline.
It
never
fails
it.
It
writes
the
report
and
the
report
gets
passed
and
and
regardless
of,
if
their
vulnerability
is
there
or
not
it
it,
it
succeeds
and
and
if
the
job
fails
for
any
reason,
it's
allowed
to
fail.
A
That's
the
default
yeah,
so
in
in
some
customers
and
some
engineers
and
and
even
even
myself
before
I
joined
gitlab,
I
had
a
different
view
of
this.
I
had
a
I
had.
Some
projects
approaches
errors
right
there.
That
said,
you
know
what
I
I
want.
I
want
the
bill
to
fail,
so
I
might
be
doing.
For
example,
my
pipeline
might
be
doing
a
push
to
production
and
if
there's
vulnerabilities,
I
don't,
I
don't
want
it
to
to
continue.
A
So
I
think
that's
the
idea
behind
that.
The
other
thing
that
this
gives
us
is
I've.
I've
seen
requests
from
customers
asking
for
a
notification
when
vulnerabilities
are
found.
This
would
be
a
sort
of
a
hacky
way,
but
it
would
give
you
a
notification
because
the
pipeline
will
fail.
You
get
an
email
saying,
hey,
failed
because
of
vulnerability,
and
then
you
feel
to
buy
that
and
that's
an
easy
mvc.
B
Yeah
yeah,
that
will
be
probably
the
last
spike.
We
can
work
right
now,
because
that
is
number
three
yeah.
We
need
to
first
find
the
way
to
modify
gitlab
ci
in
flight,
because
I
I'm
imagining
that
that
it's
being
part
of
the
security
jobs,
that's
the
last
security
job
and
it
will
check
the
results
of
the
previous
of
the
security
jobs
and
then
it
will
fail
or
allow
it
like
based
on
the
on
the
rule.
So
we
we
can.
A
B
A
So
this
would
actually
need
to
change
flip
a
pipeline
to
that
it's
under
success,
or
you
need
to
have
maybe
an
extra
job
there
that
holds
the
pipeline
open,
but
doesn't
block
the
reports
from
being
made.
It's
like
it's
like
a
I'm
done,
but
I'm
done
but
not
really
state
where
you
know
the
yeah
you're
following
this.
B
Yeah
yeah,
so
all
vulnerabilities,
all
artifacts
after
secured
after
pipeline
is
finished,
will
only
be
executed
if
it's
default
branch
and
the
pipeline
succeeds
like
it's.
If
it's
green,
I
was
thinking
about
the
the
second
idea
that
you
gave
so
being
able
to
have
a
separate
job.
That
is
a
part
of
the
pipeline,
and
it
will
either
fail
or
not
depending
on
on
the
results,
however,
that
if
the
pipeline
will
fail,
then
we'll
not
see
any
any
vulnerabilities
created.