doc/user/application_security/policies/scan_execution_policies.md
{{< details >}}
{{< /details >}}
{{< history >}}
scan_execution_policy_pipelines. Feature flag scan_execution_policy_pipelines removed in GitLab 16.5.allow_restricted_variables_at_policy_level. Enabled by default. Feature flag allow_restricted_variables_at_policy_level removed in GitLab 17.5.{{< /history >}}
Scan execution policies enforce GitLab security scans based on the default or latest security CI/CD templates. You can deploy scan execution policies as part of the pipeline or on a specified schedule.
Scan execution policies enforce security scans across all projects that are linked to the security policy project. For projects without a
.gitlab-ci.yml file, or projects where AutoDevOps is disabled, security policies create the
.gitlab-ci.yml file implicitly. The .gitlab-ci.yml file ensures policies that run secret detection,
static analysis, or other scanners that do not require a build in the project can always
run and be enforced.
Both scan execution policies and pipeline execution policies can configure GitLab security scans across multiple projects to manage security and compliance. Scan execution policies are faster to configure, but are not customizable. If any of the following cases are true, use pipeline execution policies instead:
To create a scan execution policy, you can use any of the following resources:
type: schedule) execute according to their scheduled cadence only. Updating a policy does not trigger an immediate scan.DAST scans always run in the dast stage. If the dast stage does not
exist, then GitLab injects a dast stage at the end of the pipeline.
Policy jobs for all other scans, run in the test stage of the pipeline.
If you remove the test stage from the default pipeline, jobs run in the scan-policies stage
instead according to these rules:
scan-policies stage doesn't already exist, GitLab injects the stage into the CI/CD pipeline at evaluation time.build stage exists, GitLab injects scan-policies immediately after the build stage.build stage does not exist, GitLab injects scan-policies at
the beginning of the pipeline.To avoid job name conflicts, a hyphen and a number are appended to the job name. Each number is a unique
value for each policy action. For example, secret-detection becomes secret-detection-1.
{{< history >}}
Merge Request Security Template:
flexible_scan_execution. Disabled by default.flexible_scan_execution removed.{{< /history >}}
Use the scan execution policy editor to create or edit a scan execution policy.
Prerequisites:
When you create your first scan execution policies, choose from these templates for common use cases:
main or release branches.If the available template do not meet your needs, or you require more customized scan execution policies, you can:
Once your policy is complete, save the policy by selecting Configure with a merge request
at the bottom of the editor. You are redirected to the merge request on the project's
configured security policy project. If a security policy project is not linked to your project,
GitLab automatically creates one. You can remove existing policies from the
editor interface by selecting Delete policy
at the bottom of the editor. This action creates a merge request to remove the policy from your policy.yml file.
Most policy changes take effect as soon as the merge request is merged. Any changes committed directly to the default branch instead of a merge request require up to 10 minutes before the policy changes take effect.
[!note] For DAST execution policies, the way you apply site and scanner profiles in the rule mode editor depends on where the policy is defined:
- For policies in projects, in the rule mode editor, choose from a list of profiles that are already defined in the project.
- For policies in groups, you must type in the names of the profiles to use. To prevent pipeline errors, profiles with matching names must exist in all of the group's projects.
A YAML configuration with scan execution policies consists of an array of objects matching the scan execution
policy schema. Objects are nested under the scan_execution_policy key. You can configure a maximum of five
policies under the scan_execution_policy key. Any other policies configured after
the first five are not applied.
When you save a new policy, GitLab validates the policy's contents against this JSON schema. If you're not familiar with JSON schemas, the following sections and tables provide an alternative.
| Field | Type | Required | Possible values | Description |
|---|---|---|---|---|
scan_execution_policy | array of scan execution policy | true | List of scan execution policies (maximum 5) |
{{< history >}}
scan_execution_policy_action_limit (for projects) and scan_execution_policy_action_limit_group (for groups). Disabled by default.scan_execution_policy_action_limit (for projects) and scan_execution_policy_action_limit_group (for groups) removed.{{< /history >}}
| Field | Type | Required | Description |
|---|---|---|---|
name | string | true | Name of the policy. Maximum of 255 characters. |
description | string | false | Description of the policy. |
enabled | boolean | true | Flag to enable (true) or disable (false) the policy. |
rules | array of rules | true | List of rules that the policy applies. |
actions | array of actions | true | List of actions that the policy enforces. Limited to a maximum of 10 in GitLab 18.0 and later. |
policy_scope | object of policy_scope | false | Defines the scope of the policy based on the projects, groups, or compliance framework labels you specify. |
skip_ci | object of skip_ci | false | Defines whether users can apply the skip-ci directive. |
no_pipeline | object of no_pipeline | false | Defines whether users can apply the no_pipeline directive. |
skip_ci type{{< history >}}
{{< /history >}}
Scan execution policies offer control over who can use the [skip ci] directive. You can specify certain users or service accounts that are allowed to use [skip ci] while still ensuring critical security and compliance checks are performed.
Use the skip_ci keyword to specify whether users are allowed to apply the skip_ci directive to skip the pipelines.
When the keyword is not specified, the skip_ci directive is ignored, preventing all users
from bypassing the pipeline execution policies.
| Field | Type | Possible values | Description |
|---|---|---|---|
allowed | boolean | true, false | Flag to allow (true) or prevent (false) the use of the skip-ci directive for pipelines with enforced pipeline execution policies. |
allowlist | object | users | Specify users who are always allowed to use skip-ci directive, regardless of the allowed flag. Use users: followed by an array of objects with id keys representing user IDs. |
[!note] Scan execution policies that have the rule type
schedulealways ignore theskip_cioption. Scheduled scans run at their configured times regardless of whether[skip ci](or any of its variations) appear in the last commit message. This ensures that security scans occur on a predictable schedule even when CI/CD pipelines are otherwise skipped.
no_pipeline typeScan execution policies offer control over who can use the [no_pipeline] directive. You can specify certain users or service accounts that are allowed to use [no_pipeline] while still ensuring critical security and compliance checks are performed.
Use the no_pipeline keyword to specify whether users are allowed to apply the no_pipeline directive to not create pipeline on a push.
When the keyword is not specified, the no_pipeline directive is ignored, preventing all users
from bypassing the pipeline execution policies.
| Field | Type | Possible values | Description |
|---|---|---|---|
allowed | boolean | true, false | Flag to allow (true) or prevent (false) the use of the no_pipeline directive for pipelines with enforced pipeline execution policies. |
allowlist | object | users | Specify users who are always allowed to use no_pipeline directive, regardless of the allowed flag. Use users: followed by an array of objects with id keys representing user IDs. |
[!note] Scan execution policies that have the rule type
schedulealways ignore theno_pipelineoption. Scheduled scans run at their configured times regardless of whether[no_pipeline](or any of its variations) appear in the last commit message. This ensures that security scans occur on a predictable schedule even when CI/CD pipelines are not created.
pipeline rule type{{< history >}}
branch_type field:
security_policies_branch_type.security_policies_branch_type removed.branch_exceptions field:
security_policies_branch_exceptions.security_policies_branch_exceptions removed.pipeline_sources field and the branch_type options target_default and target_protected:
flexible_scan_execution.flexible_scan_execution removed.{{< /history >}}
This rule enforces the defined actions whenever the pipeline runs for a selected branch.
| Field | Type | Required | Possible values | Description |
|---|---|---|---|---|
type | string | true | pipeline | The rule's type. |
branches <sup>1</sup> | array of string | true if branch_type field does not exist | * or the branch's name | The branch the given policy applies to (supports wildcard). For compatibility with merge request approval policies, you should target all branches to include the scans in the feature branch and default branch |
branch_type <sup>1</sup> | string | true if branches field does not exist | default, protected, all, target_default <sup>2</sup>, or target_protected <sup>2</sup> | The types of branches the given policy applies to. |
branch_exceptions | array of string | false | Names of branches | Branches to exclude from this rule. |
pipeline_sources <sup>2</sup> | array of string | false | api, chat, external, external_pull_request_event, merge_request_event <sup>3</sup>, pipeline, push <sup>3</sup>, schedule, trigger, unknown, web | The pipeline source that determines when the scan execution job triggers. See the documentation for more information. |
branches or branch_type, but not both.flexible_scan_execution feature flag enabled. See the history for details.branch_type options target_default or target_protected are specified, the pipeline_sources field supports only the merge_request_event and push fields.schedule rule type{{< history >}}
branch_type field:
security_policies_branch_type.branch_exceptions field:
security_policies_branch_exceptions.scan_execution_pipeline_worker worker to scheduled scans to create pipelines:
scan_execution_pipeline_worker removed.security_policy_scheduled_scans_max_concurrency:
scan_execution_pipeline_worker and scan_execution_pipeline_concurrency_control are enabled.security_policy_scheduled_scans_max_concurrency in GitLab 17.11.scan_execution_pipeline_concurrency_control.scan_execution_pipeline_concurrency_control removed.{{< /history >}}
[!warning] In GitLab 16.1 and earlier, you should not use direct transfer with scheduled scan execution policies. If you must use direct transfer, first upgrade to GitLab 16.2 and ensure security policy bots are enabled in the projects you are enforcing.
Use the schedule rule type to run security scanners on a schedule.
A scheduled pipeline:
.gitlab-ci.yml file.cadence field.security_policy_bot user account in the project, with the Guest role and
permissions to create pipelines and read the repository's content from a CI/CD job. This account
is created when the policy is linked to a group or project.schedule rules in a scan execution policy are enforced. Rules
that exceed the limit have no effect.| Field | Type | Required | Possible values | Description |
|---|---|---|---|---|
type | string | true | schedule | The rule's type. |
branches <sup>1</sup> | array of string | true if either branch_type or agents fields does not exist | * or the branch's name | The branch the given policy applies to (supports wildcard). |
branch_type <sup>1</sup> | string | true if either branches or agents fields does not exist | default, protected or all | The types of branches the given policy applies to. |
branch_exceptions | array of string | false | Names of branches | Branches to exclude from this rule. |
cadence | string | true | Cron expression with limited options. For example, 0 0 * * * creates a schedule to run every day at midnight (12:00 AM). | A whitespace-separated string containing five fields that represents the scheduled time. |
timezone | string | false | Time zone identifier (for example, America/New_York) | Time zone to apply to the cadence. Value must be an IANA Time Zone Database identifier. |
time_window | object | false | Distribution and duration settings for scheduled security scans. | |
agents <sup>1</sup> | object | true if either branch_type or branches fields do not exists | The name of the GitLab agents for Kubernetes where Operational container scanning runs. The object key is the name of the Kubernetes agent configured for your project in GitLab. |
branches, branch_type, or agents.Use the cadence field to schedule when you want the policy's actions to run. The cadence field
uses cron syntax, but with some restrictions:
0 18 * * *0 13 * * 0Consider the following when choosing a value for the cadence field:
When using the schedule rule type with the agents field:
cadence.When using the schedule rule type with the branches field:
agent schemaUse this schema to define agents objects in the schedule rule type.
| Field | Type | Required | Description |
|---|---|---|---|
namespaces | array of string | true | The namespace that is scanned. If empty, all namespaces are scanned. |
agent example- name: Enforce container scanning in cluster connected through my-gitlab-agent for default and kube-system namespaces
enabled: true
rules:
- type: schedule
cadence: '0 10 * * *'
agents:
<agent-name>:
namespaces:
- 'default'
- 'kube-system'
actions:
- scan: container_scanning
The keys for a schedule rule are:
cadence (required): a Cron expression for when the scans are
run.agents:<agent-name> (required): The name of the agent to use for scanning.agents:<agent-name>:namespaces (optional): The Kubernetes namespaces to scan. If omitted, all namespaces are scanned.time_window schemaDefine how scheduled scans are distributed over time with the time_window object in the schedule rule type. You can configure time_window only in YAML mode of the policy editor.
| Field | Type | Required | Description |
|---|---|---|---|
distribution | string | true | Distribution pattern for schedule scans. Supports only random, where scans are distributed randomly in the interval defined by the value key of the time_window. |
value | integer | true | The time window in seconds the schedule scans should run. Enter a value between 3600 (1 hour) and 2629746 (approximately 30 days). |
time_window example- name: Enforce container scanning with a time window of 1 hour
enabled: true
rules:
- type: schedule
cadence: '0 10 * * *'
time_window:
value: 3600
distribution: random
actions:
- scan: container_scanning
When a policy enforces scheduled pipelines across multiple projects and branches, the pipelines run simultaneously. The first execution of a scheduled pipeline in each project creates a security bot user responsible for executing the schedules for that project.
To optimize performance for projects at scale:
tag. Consider setting up a dedicated runner in each project to handle schedules enforced from a policy to reduce impact to other runners.Scheduled scan execution policies support monthly scheduling using the cadence field with cron expressions. You can configure the time_window up to 2629746 seconds (approximately 30 days) to randomly distribute scans within that period.
For example, to schedule scans monthly with a 30-day distribution window:
rules:
- type: schedule
cadence: '0 0 1 * *' # Run on the first day of each month
time_window:
value: 2592000 # 30 days in seconds
distribution: random
Scheduled scans keep track of their next execution time. After a successful scan, the system updates when the next scan should run. If the GitLab instance is unavailable during a scheduled scan time (due to maintenance, outage, or restart), the system identifies scans that should have already executed but haven't, and creates pipelines when the instance becomes available.
When you delete a project, all associated scheduled scans are also deleted. No pipelines run for deleted projects.
To cancel a scheduled scan, you have two options:
enabled: false in the policy editor to disable the scan execution policy. Scans that are already running or scheduled to run within the next 15 minutes (approximately) might still execute.When you deploy scheduled scan execution policies across many projects, consider the following recommendations:
time_window: Always set the time_window parameter in your scheduled policies. Without it, all pipelines are scheduled for the same time, which can cause performance issues and resource contention.For more information on optimizing scheduled scans, see optimize scheduled pipelines for projects at scale.
GitLab applies concurrency control when you set the time_window property.
The concurrency control distributes the scheduled pipelines according to the time_window settings defined in the policy.
scan action type{{< history >}}
security_policies_variables_precedence. Enabled by default.security_policies_variables_precedence removed.scan_execution_policies_with_latest_templates. Disabled by default.scan_execution_policies_with_latest_templates_group. Disabled by default.scan_execution_policies_with_latest_templates and scan_execution_policies_with_latest_templates_group removed.{{< /history >}}
This action executes the selected scan with additional parameters when conditions for at least one
rule in the defined policy are met.
| Field | Type | Possible values | Description |
|---|---|---|---|
scan | string | sast, sast_iac, dast, secret_detection, container_scanning, dependency_scanning | The action's type. |
site_profile | string | Name of the selected DAST site profile. | The DAST site profile to execute the DAST scan. This field should only be set if scan type is dast. |
scanner_profile | string or null | Name of the selected DAST scanner profile. | The DAST scanner profile to execute the DAST scan. This field should only be set if scan type is dast. |
variables | object | A set of CI/CD variables, supplied as an array of key: value pairs, to apply and enforce for the selected scan. The key is the variable name, with its value provided as a string. This parameter supports any variable that the GitLab CI/CD job supports for the specified scan. | |
tags | array of string | A list of runner tags for the policy. The policy jobs are run by runner with the specified tags. | |
template | string | default or latest | CI/CD template version to enforce. The latest version might introduce breaking changes and supports only pipeline_sources related to merge requests. For details, see customize security scanning. |
scan_settings | object | A set of scan settings, supplied as an array of key: value pairs, to apply and enforce for the selected scan. The key is the setting name, with its value provided as a boolean or string. This parameter supports the settings defined in scan settings. |
[!note] If you have merge request pipelines enabled for your project, you must set the
AST_ENABLE_MR_PIPELINESCI/CD variable to"true"in your policy for each enforced scan. For more information on using security scanning tools with merge request pipelines, refer to the security scanning documentation.
Some scanners behave differently in a scan action than they do in a regular CI/CD pipeline scan:
SECRET_DETECTION_RULESET_GIT_REFERENCE CI/CD variable. By default, this points to a remote configuration file that only overrides or disables rules from the default ruleset. Using only this variable does not support extending or replacing the default set of rules.SECRET_DETECTION_RULESET_GIT_REFERENCE CI/CD variable and a remote configuration file that uses a Git passthrough to extend or replace the default ruleset. For a detailed guide, see How to set up a centrally managed pipeline secret detection configuration.scheduled scan execution policies, secret detection by default runs first in historic
mode (SECRET_DETECTION_HISTORIC_SCAN = true). All subsequent scheduled scans run in default
mode with SECRET_DETECTION_LOG_OPTIONS set to the commit range between last run and current
SHA. You can override this behavior by specifying CI/CD variables in the scan
execution policy. For more information, see
Full history pipeline secret detection.triggered scan execution policies, secret detection works just like regular scan
configured manually in the .gitlab-ci.yml.pipeline rule type ignores the agent
defined in the agents object. The agents object is only considered for schedule rule types.
An agent with a name provided in the agents object must be created and configured for the
project.The following requirements apply when enforcing dynamic application security testing (DAST):
enabled: false in the YAML mode.The following settings are supported by the scan_settings parameter:
| Setting | Type | Required | Possible values | Default | Description |
|---|---|---|---|---|---|
ignore_default_before_after_script | boolean | false | true, false | false | Specifies whether to exclude any default before_script and after_script definitions in the pipeline configuration from the scan job. |
[!warning] Don't store sensitive information or credentials in variables because they are stored as part of the plaintext policy configuration in a Git repository.
Variables defined in a scan execution policy follow the standard CI/CD variable precedence.
Preconfigured values are used for the following CI/CD variables in any project on which a scan execution policy is enforced. Only policies can override these values. Group or project CI/CD variables cannot override these variables:
DS_EXCLUDED_PATHS: spec, test, tests, tmp
SAST_EXCLUDED_PATHS: spec, test, tests, tmp
SECRET_DETECTION_EXCLUDED_PATHS: ''
SECRET_DETECTION_HISTORIC_SCAN: false
SAST_EXCLUDED_ANALYZERS: ''
DEFAULT_SAST_EXCLUDED_PATHS: spec, test, tests, tmp
DS_EXCLUDED_ANALYZERS: ''
SECURE_ENABLE_LOCAL_CONFIGURATION: true
In GitLab 16.9 and earlier:
_EXCLUDED_PATHS were declared in a policy, their values could
be overridden by a group or project's CI/CD variables._EXCLUDED_ANALYZERS were declared in a policy, their values were
ignored, regardless of where they were defined: policy, group, or project.To customize policy enforcement, you can define a policy's scope to either include, or exclude, specified projects, groups, or compliance framework labels. For more details, see Scope.
[!note] Setting a
policy_scopefield to an empty collection (for example,including: []) is treated the same as omitting the field, so the policy applies to all projects for that scope dimension. To disable a policy entirely, useenabled: false. For more details, see Empty collections inpolicy_scope.
When you update a policy, the changes propagate differently depending on how you update the policy:
.gitlab/security-policies/policy.yml: Changes can take up to 10 minutes to take effect.Updates to pipeline-based policies (type: pipeline) do not trigger immediate pipelines or affect pipelines already in progress. The policy changes apply to future pipeline runs.
You cannot manually trigger the rules in a scheduled policy outside their scheduled cadence.
You can use this example in a .gitlab/security-policies/policy.yml file stored in a
security policy project:
---
scan_execution_policy:
- name: Enforce DAST in every release pipeline
description: This policy enforces pipeline configuration to have a job with DAST scan for release branches
enabled: true
rules:
- type: pipeline
branches:
- release/*
actions:
- scan: dast
scanner_profile: Scanner Profile A
site_profile: Site Profile B
- name: Enforce DAST and secret detection scans every 10 minutes
description: This policy enforces DAST and secret detection scans to run every 10 minutes
enabled: true
rules:
- type: schedule
branches:
- main
cadence: "*/10 * * * *"
actions:
- scan: dast
scanner_profile: Scanner Profile C
site_profile: Site Profile D
- scan: secret_detection
scan_settings:
ignore_default_before_after_script: true
- name: Enforce secret detection and container scanning in every default branch pipeline
description: This policy enforces pipeline configuration to have a job with secret detection and container scanning scans for the default branch
enabled: true
rules:
- type: pipeline
branches:
- main
actions:
- scan: secret_detection
- scan: sast
variables:
SAST_EXCLUDED_ANALYZERS: brakeman
- scan: container_scanning
In this example:
release/* wildcard (for example, branch
release/v1.2.1)
Scanner Profile A and Site Profile B.Scanner Profile C
and Site Profile D.main
branch. The SAST scan runs with the SAST_EXCLUDED_ANALYZER variable set to "brakeman".You can use this example in the YAML mode of the scan execution policy editor. It corresponds to a single object from the previous example.
name: Enforce secret detection and container scanning in every default branch pipeline
description: This policy enforces pipeline configuration to have a job with secret detection and container scanning scans for the default branch
enabled: true
rules:
- type: pipeline
branches:
- main
actions:
- scan: secret_detection
- scan: container_scanning
Scan execution policies can cause the same type of scanner to run more than once
if you include scan jobs in your project's .gitlab-ci.yml file.
The duplicate scans run intentionally because scanners can run more than once with different variables and settings. For example, you might run a SAST scan with different variables than the ones enforced through your policies. In this scenario, two SAST jobs run in the pipeline:
To prevent duplicate scans, you can either remove one of the scans from the project's .gitlab-ci.yml file or skip
local jobs with variables. Skipping jobs does not prevent any security jobs defined by scan execution
policies from running.
To skip scan jobs with variables, you can use:
SAST_DISABLED: "true" to skip SAST jobs.DAST_DISABLED: "true" to skip DAST jobs.CONTAINER_SCANNING_DISABLED: "true" to skip container scanning jobs.SECRET_DETECTION_DISABLED: "true" to skip secret detection jobs.DEPENDENCY_SCANNING_DISABLED: "true" to skip dependency scanning jobs.For an overview of all variables that can skip jobs, see CI/CD variables documentation
When working with scan execution policies, you might encounter the following issues.
If a scan execution policy does not create a pipeline defined in type: pipeline as expected, you might have workflow:rules in the project's .gitlab-ci.yml file that prevent the policy from creating the pipeline.
Scan execution policies with type: pipeline rules rely on the merged CI/CD configuration to create pipelines. If the project's workflow:rules filter out the pipeline entirely, the scan execution policy cannot create pipelines.
For example, the following workflow:rules configuration prevents all pipelines from being created:
# .gitlab-ci.yml
workflow:
rules:
- if: $CI_PIPELINE_SOURCE == "push"
when: never
Resolution:
To resolve this issue, you can use any of these options:
Modify the workflow:rules in your project's .gitlab-ci.yml file to allow scan execution policies to create pipelines. You can use the $CI_PIPELINE_SOURCE variable to identify pipelines that are triggered by policies:
workflow:
rules:
- if: $CI_PIPELINE_SOURCE == "security_orchestration_policy"
- if: $CI_PIPELINE_SOURCE == "push"
when: never
Use type: schedule rules instead of type: pipeline rules. Scheduled scan execution policies are not affected by workflow:rules and create pipelines according to their defined schedule.
Use pipeline execution policies for more control over when and how security scans are executed in your CI/CD pipelines.