
Mandatory security scanning jobs should set dependencies: [].

Currently the secret detection jobs included in the mandatory CI template specify no needs: configuration. This means that, due to GitLab's default behaviour of downloading artefacts from earlier-stage jobs, build artefacts will be scanned as well.

Ideally all the repos would have a .gitleaksignore analogous to .gitignore to catch things in, e.g., node_modules but in the meantime setting dependencies: [] on the jobs will stop them downloading artefacts from the build jobs.

UPDATE

From a comment below:

The issue is not just restricted to secret detection. https://gitlab.developers.cam.ac.uk/uis/devops/infra/gitlab-bots-deployment/-/security/vulnerabilities/103884 is an example of a SAST vulnerability detected because the public directory created by the mkdocs:publish job is scanned by SAST.

Unfortunately, GitLab advanced SAST does not respect .semgrepignore: https://gitlab.com/gitlab-org/gitlab/-/issues/499666#note_2579522068.

I think the only sensible default behaviour is to explicitly configure dependencies: [] for the Security scanning jobs and to allow downstream projects to add duplicate security scanning jobs if they need to SAST-scan artefacts.

That or we expect downstream projects to triage SAST reports from build artefacts.
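As an added illustration (not the UIS template or any project's actual pipeline), the following .gitlab-ci.yml shows the proposed default in a downstream project: a build job publishing public/ as an artefact, the scanning jobs pinned to dependencies: [], and an opt-in duplicate job for a project that really does want its artefacts scanned. It assumes the job names secret_detection and semgrep-sast (the names used by GitLab's own templates) and a mkdocs:publish job that writes the site to public/.

```yaml
# Added example, not code from the issue or the mandatory template.
# Assumptions: GitLab's template job names `secret_detection` and
# `semgrep-sast`, and a `mkdocs:publish` job that publishes to `public/`.

stages:
  - build
  - test

include:
  - template: Jobs/Secret-Detection.gitlab-ci.yml
  - template: Jobs/SAST.gitlab-ci.yml

# Build job whose artefact (the generated `public/` directory) would otherwise
# be downloaded by every later-stage job: GitLab fetches artefacts from all
# earlier-stage jobs when neither `needs` nor `dependencies` is set.
mkdocs:publish:
  stage: build
  image: python:3.12
  script:
    - pip install mkdocs
    - mkdocs build --site-dir public
  artifacts:
    paths:
      - public/

# Proposed default: the scanning jobs only see the checked-out repository.
# An empty `dependencies` list disables artefact download for the job, so
# generated files in `public/` no longer produce secret-detection or SAST
# findings that the project then has to triage.
secret_detection:
  dependencies: []

semgrep-sast:
  dependencies: []

# Opt-in for a project that genuinely wants its generated site scanned: a
# second job extending the template job that pulls in just that artefact.
sast-of-built-site:
  extends: semgrep-sast
  stage: test
  dependencies:
    - mkdocs:publish
```

The override keys must match the job names defined by whichever template is included, so check the template version in use before relying on these names.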

Edited by Dr Rich Wareham