What is this?
This adds the GitLab Ultimate scanning tools to this project -- SAST and Dependency Scanner. I added them here directly, rather than including from gitlab-ultimate.yml because the pipeline is already fairly customized and not utilizing the standard CI includes.
Do we need it?
I'm not sure. It was requested by the InfoSec team, and @Yauhen_Shaliou asked me to look into it. This repository isn't a Data Platform service, but it does have some python scripts that could theoretically be scanned for vulnerable dependencies. It may add value, and probably doesn't hurt much.
This is one way to add the scanners.
You could move everything into a separate
.yml file, and include it locally from the main CI config.
If you feel that's cleaner / better, feel free -- I have no opinions on where or how it should be set up.
I also added a stage,
scan, to host these scanners.
That can be renamed, or the jobs moved into an existing stage, if desired.