
Predefine ADVANCED_SAST_PARTIAL_SCAN=false for scan execution policies

Summary

Read this note for the full context and considerations.

TLDR

GLAS diff-based scans could contain false negatives (more context here). For existing projects that are configured with Merge Request Approvals and Scan Execution Policies, we should preemptively set the ADVANCED_SAST_PARTIAL_SCAN CI variable, which controls GLAS diff-based scanning, to false as a way to guard against project users enabling this feature without approval from the policy owners.

References

Main diff-based scanning epic: Faster Advanced SAST: Diff-based scanning in MRs (&16790 - closed)

MVC implementation epic: MVC: Enable Diff-Based Scanning in MRs for Fast... (&17758 - closed)

Implementation Plan

Check out this draft MR that @alan prepared for this feature.

  1. Update the sast hash to include ADVANCED_SAST_PARTIAL_SCAN => false for ScanPipelineService
  2. Depending on whether we end up using CI variables or CI inputs based on this discussion, update CiAction::Template to set the CI inputs instead of CI variables
  3. Ping groupsecurity policies for review
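The following is an added illustration of the guard the plan describes; it is not GitLab's ScanPipelineService code. It assumes, as the issue implies, that variables the scan execution policy injects into its SAST job take precedence over variables the project sets itself, and that the CI-variable route (rather than CI inputs) is the one taken. The names build_policy_sast_variables, effective_variables and partial_scan_enabled? and the sample project variables are hypothetical.

```ruby
# Added example (not GitLab's own code): a scan execution policy pins
# ADVANCED_SAST_PARTIAL_SCAN to "false" in the SAST job it generates, so a
# project-level attempt to switch diff-based scanning on has no effect.
# Assumption: policy-level variables win over project-level variables.

# Defaults the policy injects into the generated SAST job.
POLICY_SAST_DEFAULTS = {
  'ADVANCED_SAST_PARTIAL_SCAN' => 'false' # pin diff-based scanning off
}.freeze

# Variables the policy owners chose for the SAST job, with the
# ADVANCED_SAST_PARTIAL_SCAN default applied when they did not set it.
# Policy owners can still opt in explicitly by passing it as true.
def build_policy_sast_variables(policy_variables = {})
  POLICY_SAST_DEFAULTS.merge(policy_variables.transform_values(&:to_s))
end

# Resolve the variables the SAST job actually runs with.
# Policy-level variables override project-level ones (assumed precedence).
def effective_variables(project_variables, policy_variables)
  project_variables.transform_values(&:to_s).merge(policy_variables)
end

# True if the resolved job would run a diff-based (partial) scan.
def partial_scan_enabled?(variables)
  variables['ADVANCED_SAST_PARTIAL_SCAN'].to_s.casecmp('true').zero?
end

if __FILE__ == $PROGRAM_NAME
  # Constructed input: a project user tries to enable diff-based scanning
  # in the project's own CI configuration.
  project_vars = { 'ADVANCED_SAST_PARTIAL_SCAN' => 'true' }
  policy_vars  = build_policy_sast_variables
  resolved     = effective_variables(project_vars, policy_vars)
  puts "ADVANCED_SAST_PARTIAL_SCAN resolves to #{resolved['ADVANCED_SAST_PARTIAL_SCAN']}"
  puts "partial scan enabled? #{partial_scan_enabled?(resolved)}"
end
```

The point of predefining the variable rather than leaving it unset is visible in effective_variables: an unset policy value would let the project's "true" survive the merge, whereas the pinned "false" makes the policy owners the only party who can turn diff-based scanning on.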
Edited by Shao Ming Tan