Enforce SEP variables with the highest precedence
Release notes
CI/CD Variable precedence has been changed to first prioritize variables defined in scan execution policies. As security and compliance teams work to meet compliance requirements, a common need is to ensure that security scanners are enabled in business critical applications. Scan execution policies allow teams to enforce scanners and to define default and custom CI variables. With this improvement in CI/CD Variable precedence, teams can be confident that regardless of how pipelines are triggered, the variables defined with compliance in mind remain intact.
Problem to solve
Currently users can override variables defined as part of a scan execution policy (SEP) by setting an equivalent variable in any of the following methods:
- Trigger variables.
- Scheduled pipeline variables.
- Manual pipeline run variables.
- Variables added when creating a pipeline with the API.
- Project variables.
- Group variables. If the same variable name exists in a group and its subgroups, the job uses the value from the closest subgroup. For example, if you have Group > Subgroup 1 > Subgroup 2 > Project, the variable defined in Subgroup 2 takes precedence.
- Instance variables.
- Variables from dotenv reports.
Intended users
User experience goal
Proposal
- The order of variable precedence will be modified so that variables defined as part of a SEP are enforced with the highest possible precedence for the SEP job only (not globally).
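To make the precedence order in "Problem to solve" and the change in "Proposal" concrete, here is an added illustrative resolver (example code written for this page, not GitLab's own implementation). The source names, the sample variable names and the `sep_enforced` switch are constructed assumptions; the model treats the SEP value as overridable by every listed source today, and as winning only for the SEP job once enforced.

```python
# Illustrative model written for this page, not GitLab's own code; source names,
# sample variables and the sep_enforced switch are constructed for the example.

# Sources that can override a SEP variable today, highest precedence first.
OVERRIDING_SOURCES = ["trigger", "schedule", "manual", "api", "project", "group", "instance", "dotenv"]

def resolve_group(name, group_chain):
    """group_chain runs from the top-level group down to the closest subgroup, which wins."""
    for scope in reversed(group_chain):
        if name in scope:
            return scope[name]
    return None

def effective_value(name, sources, sep_vars=None, is_sep_job=False, sep_enforced=False):
    """Value a job sees for `name`. sources maps source-name -> dict of variables
    ("group" is a list of dicts, top-level group first). sep_enforced=False models
    current behaviour (any listed source beats the SEP value); sep_enforced=True
    models the proposal (the SEP value wins, but only for the SEP job)."""
    sep_vars = sep_vars or {}
    if sep_enforced and is_sep_job and name in sep_vars:
        return sep_vars[name]
    for src in OVERRIDING_SOURCES:
        if src == "group":
            value = resolve_group(name, sources.get("group", []))
        else:
            value = sources.get(src, {}).get(name)
        if value is not None:
            return value
    # Nothing overrode it: SEP jobs fall back to the policy's own value.
    return sep_vars.get(name) if is_sep_job else None

# Constructed scenario: the policy pins a scanner setting, the project relaxes it.
SEP_VARS = {"SCAN_SEVERITY_THRESHOLD": "high"}
SOURCES = {
    "project": {"SCAN_SEVERITY_THRESHOLD": "low"},
    "group": [{"REPORT_FORMAT": "json"}, {"REPORT_FORMAT": "sarif"}],  # Group, then Subgroup
}

def scenario():
    """(current, proposed for the SEP job, proposed for a non-SEP job, closest-subgroup value)."""
    return (
        effective_value("SCAN_SEVERITY_THRESHOLD", SOURCES, SEP_VARS, is_sep_job=True),
        effective_value("SCAN_SEVERITY_THRESHOLD", SOURCES, SEP_VARS, is_sep_job=True, sep_enforced=True),
        effective_value("SCAN_SEVERITY_THRESHOLD", SOURCES, SEP_VARS, sep_enforced=True),
        effective_value("REPORT_FORMAT", SOURCES, SEP_VARS, is_sep_job=True, sep_enforced=True),
    )

if __name__ == "__main__":
    print(scenario())  # ('low', 'high', 'low', 'sarif')
```

The third element shows the proposal is scoped to the SEP job: a non-SEP job in the same pipeline still sees the project's value.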
Further details
Permissions and Security
Documentation
Availability & Testing
Available Tier
Feature Usage Metrics
What does success look like, and how can we measure that?
What is the type of buyer?
Is this a cross-stage feature?
What is the competitive advantage or differentiation for this feature?
Links / references
This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.