Global before script causes scan execution policy to fail
A customer enabled scan execution policies for a set of projects and encountered an interesting failure case in some of them. A global before_script block in the project's .gitlab-ci.yml file caused the scan template to fail. In this particular case, all of the jobs defined in the project's pipeline needed to run on a specific runner that had access to some internal resources, so the before_script authenticated to those resources. However, the scan jobs did not run on that runner (there was no need for them to), and the inherited before_script failed because those jobs had no access to the resources it was trying to authenticate to.
As customers try to make policies broad enough to cover a set of projects with common compliance needs, it becomes problematic to have to be aware of every project's specific details in order to enforce that a scan runs. For example, if the runners are project specific, the customer would now need a separate policy for that project instead of basing policies on the associated compliance framework. The security policies should clear out or override any global before_script block so that it does not interfere with the scan job.
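As an added illustration, not taken from the issue or from GitLab's own templates, here is the failing configuration shape beside a rewritten one that keeps the authentication step only on the jobs pinned to that runner; the runner tag, script path and job names are assumed placeholders:

```yaml
# Constructed example, not from the original issue. Runner tag, script path
# and job names are placeholders.

# --- Failing shape: a global before_script is inherited by EVERY job in the
# pipeline, including scan jobs injected by a scan execution policy. Those
# jobs do not run on the tagged runner, so the auth step cannot reach the
# internal resource and the scan job fails before the scanner even starts.
#
# before_script:
#   - ./scripts/auth-to-internal-resource.sh
#
# build:
#   tags: [internal-runner]
#   script:
#     - make build

# --- Corrected shape: attach the authentication step to the jobs that are
# pinned to that runner via a hidden job, so nothing is inherited globally.
.on-internal-runner:            # hidden job (leading dot); only used via extends
  tags: [internal-runner]       # placeholder tag of the runner with internal access
  before_script:
    - ./scripts/auth-to-internal-resource.sh   # placeholder auth step

build:
  extends: .on-internal-runner
  script:
    - make build

deploy:
  extends: .on-internal-runner
  script:
    - make deploy

# Policy-injected scan jobs now inherit no before_script. If a project must
# keep a global block, a job the project defines itself can opt out of it by
# declaring an empty list: "before_script: []".
```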