
Group/Project level security policy can be bypassed

I have configured a security policy which enforces running a SAST scan for the master branch in a group.

The job gets added with the name sast-0, and you can override/disable the job by configuring a job with the same name in the project and adding a rule to run only on, e.g., the develop branch.

Is this the correct behaviour for this?

You can view the group security policy project here: https://gitlab.com/aelham/aelham-security-policy-project

Pipeline where the SAST job runs: https://gitlab.com/aelham/express-backend/-/pipelines/576561394

Pipeline where the SAST job is bypassed: https://gitlab.com/aelham/express-backend/-/pipelines/576562742

Implementation plan

  • Backend: in ee/lib/gitlab/ci/config/security_orchestration_policies/processor.rb, add the ability to remove jobs from the .gitlab-ci.yml file when they are generated from security policies (modify the merge_on_demand_scan_template and prepare_pipeline_scans_template methods to collect the keys of the generated config and remove them from the main config).
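The following Ruby script is an added illustration of both the reported bypass and the fix sketched in the implementation plan; it is not GitLab's processor code and does not call GitLab internals. It models a project .gitlab-ci.yml (constructed sample) that redefines the policy job sast-0 with a develop-only rule, and a policy-generated config (constructed sample) that runs sast-0 on master. naive_merge lets the project's definition win on a name clash, which is the behaviour reported above; merge_policy_config strips any project job whose name collides with a policy-generated job before merging, so the policy definition cannot be overridden, and reports which jobs were dropped so the pipeline can surface it. The RESERVED_KEYS list is an assumption covering common top-level CI keywords, not the authoritative list.

```ruby
require 'yaml'

# Constructed sample: the project's own .gitlab-ci.yml. It defines a job with the
# same name as the policy-generated one and restricts it to the develop branch.
PROJECT_CONFIG_YAML = <<~YAML
  stages: [build, test]
  build:
    stage: build
    script: [make]
  sast-0:
    stage: test
    script: ['echo overridden']
    rules:
      - if: '$CI_COMMIT_BRANCH == "develop"'
YAML

# Constructed sample: what a scan execution policy generates for master.
POLICY_CONFIG_YAML = <<~YAML
  sast-0:
    stage: test
    script: ['/analyzer run']
    rules:
      - if: '$CI_COMMIT_BRANCH == "master"'
YAML

# Assumption: top-level keywords that are not job names. Hidden jobs (".name") are
# also excluded because they never run on their own.
RESERVED_KEYS = %w[stages default include variables workflow image services
                   cache before_script after_script].freeze

def job_keys(config)
  config.keys.map(&:to_s).reject { |k| RESERVED_KEYS.include?(k) || k.start_with?('.') }
end

# Models the reported bypass: the project config is applied on top of the policy
# config, so a same-named project job replaces the enforced scan job.
def naive_merge(project_config, policy_config)
  policy_config.merge(project_config)
end

# Models the fix: any project job that collides with a policy-generated job is
# removed from the project config before the policy config is merged in.
# Returns [merged_config, names_of_overridden_jobs_that_were_dropped].
def merge_policy_config(project_config, policy_config)
  policy_jobs = job_keys(policy_config)
  overridden = job_keys(project_config) & policy_jobs
  stripped = project_config.reject { |k, _| overridden.include?(k.to_s) }
  [stripped.merge(policy_config), overridden]
end

# Convenience wrapper so the whole flow can be exercised from YAML text.
def enforce_policy(project_yaml, policy_yaml)
  merge_policy_config(YAML.safe_load(project_yaml), YAML.safe_load(policy_yaml))
end

if __FILE__ == $PROGRAM_NAME
  project = YAML.safe_load(PROJECT_CONFIG_YAML)
  policy = YAML.safe_load(POLICY_CONFIG_YAML)

  bypassed = naive_merge(project, policy)
  puts "naive merge runs sast-0 with rules: #{bypassed['sast-0']['rules'].inspect}"

  merged, dropped = merge_policy_config(project, policy)
  puts "dropped project jobs that collided with policy jobs: #{dropped.inspect}"
  puts "enforced sast-0 rules: #{merged['sast-0']['rules'].inspect}"
end
```

Reporting the dropped job names (rather than silently discarding them) is the detection hook: a pipeline that starts with a collision is evidence that someone attempted to shadow an enforced scan, and that is worth logging even after the override itself is neutralised.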
Edited by Alan (Maciej) Paruszewski