ci: Move 'allow_failure' from rules to jobs

Signed-off-by: Rémy Coutable <remy@rymai.me>

.gitlab/ci/dast.gitlab-ci.yml

@@ -45,6 +45,7 @@
     reports:
       dast: gl-dast-report.json
     expire_in: 1 week  # GitLab-specific
+  allow_failure: true
 
 # DAST scan with a subset of Release scan rules.
 DAST-fullscan-ruleset1:

.gitlab/ci/reports.gitlab-ci.yml

@@ -13,6 +13,7 @@ code_quality:
     paths:
       - gl-code-quality-report.json  # GitLab-specific
   rules: !reference [".reports:rules:code_quality", rules]
+  allow_failure: true
 
 .sast-analyzer:
   # We need to re-`extends` from `sast` as the `extends` here overrides the one from the template.
@@ -31,12 +32,15 @@ code_quality:
 
 brakeman-sast:
   rules: !reference [".reports:rules:brakeman-sast", rules]
+  allow_failure: true
 
 nodejs-scan-sast:
   rules: !reference [".reports:rules:nodejs-scan-sast", rules]
+  allow_failure: true
 
 semgrep-sast:
   rules: !reference [".reports:rules:semgrep-sast", rules]
+  allow_failure: true
 
 gosec-sast:
   variables:
@@ -53,6 +57,7 @@ gosec-sast:
     paths:
       - vendor/go
   rules: !reference [".reports:rules:gosec-sast", rules]
+  allow_failure: true
 
 .secret-analyzer:
   extends: .default-retry
@@ -64,6 +69,7 @@ gosec-sast:
 
 secret_detection:
   rules: !reference [".reports:rules:secret_detection", rules]
+  allow_failure: true
 
 .ds-analyzer:
   # We need to re-`extends` from `dependency_scanning` as the `extends` here overrides the one from the template.
@@ -88,15 +94,19 @@ gemnasium-dependency_scanning:
     # Lower execa severity based on https://gitlab.com/gitlab-org/gitlab/-/issues/223859#note_452922390
     - jq '(.vulnerabilities[] | select (.cve == "yarn.lock:execa:gemnasium:05cfa2e8-2d0c-42c1-8894-638e2f12ff3d")).severity = "Medium"' gl-dependency-scanning-report.json > temp.json && mv temp.json gl-dependency-scanning-report.json
   rules: !reference [".reports:rules:gemnasium-dependency_scanning", rules]
+  allow_failure: true
 
 bundler-audit-dependency_scanning:
   rules: !reference [".reports:rules:bundler-audit-dependency_scanning", rules]
+  allow_failure: true
 
 retire-js-dependency_scanning:
   rules: !reference [".reports:rules:retire-js-dependency_scanning", rules]
+  allow_failure: true
 
 gemnasium-python-dependency_scanning:
   rules: !reference [".reports:rules:gemnasium-python-dependency_scanning", rules]
+  allow_failure: true
 
 # Analyze dependencies for malicious behavior
 # See https://gitlab.com/gitlab-com/gl-security/security-research/package-hunter
@@ -144,3 +154,4 @@ license_scanning:
   artifacts:
     expire_in: 1 week  # GitLab-specific
   rules: !reference [".reports:rules:license_scanning", rules]
+  allow_failure: true

.gitlab/ci/rules.gitlab-ci.yml

@@ -1192,7 +1192,6 @@
       when: never
     - <<: *if-default-refs
       changes: *code-backstage-patterns
-      allow_failure: true
 
 .reports:rules:brakeman-sast:
   rules:
@@ -1203,7 +1202,6 @@
     - changes:
         - '**/*.rb'
         - '**/Gemfile'
-      allow_failure: true
 
 .reports:rules:nodejs-scan-sast:
   rules:
@@ -1213,7 +1211,6 @@
       when: never
     - changes:
         - '**/package.json'
-      allow_failure: true
 
 .reports:rules:gosec-sast:
   rules:
@@ -1223,7 +1220,6 @@
       when: never
     - changes:
         - '**/*.go'
-      allow_failure: true
 
 .reports:rules:semgrep-sast:
   rules:
@@ -1239,61 +1235,42 @@
         - '**/*.tsx'
         - '**/*.c'
         - '**/*.go'
-      allow_failure: true
 
 .reports:rules:secret_detection:
   rules:
     - if: '$SECRET_DETECTION_DISABLED'
       when: never
     - changes: *code-backstage-qa-patterns
-      allow_failure: true
 
 .reports:rules:gemnasium-dependency_scanning:
   rules:
     - if: '$DEPENDENCY_SCANNING_DISABLED || $GITLAB_FEATURES !~ /\bdependency_scanning\b/ || $DS_EXCLUDED_ANALYZERS =~ /gemnasium([^-]|$)/ || $DS_DEFAULT_ANALYZERS !~ /gemnasium([^-]|$)/'
       when: never
     - changes: *dependency-patterns
-      allow_failure: true
 
 .reports:rules:bundler-audit-dependency_scanning:
   rules:
     - if: '$DEPENDENCY_SCANNING_DISABLED || $GITLAB_FEATURES !~ /\bdependency_scanning\b/ || $DS_EXCLUDED_ANALYZERS =~ /bundler-audit/ || $DS_DEFAULT_ANALYZERS !~ /bundler-audit/'
       when: never
     - changes: *bundler-patterns
-      allow_failure: true
 
 .reports:rules:retire-js-dependency_scanning:
   rules:
     - if: '$DEPENDENCY_SCANNING_DISABLED || $GITLAB_FEATURES !~ /\bdependency_scanning\b/ || $DS_EXCLUDED_ANALYZERS =~ /retire.js/ || $DS_DEFAULT_ANALYZERS !~ /retire.js/'
       when: never
     - changes: *nodejs-patterns
-      allow_failure: true
 
 .reports:rules:gemnasium-python-dependency_scanning:
   rules:
     - if: '$DEPENDENCY_SCANNING_DISABLED || $GITLAB_FEATURES !~ /\bdependency_scanning\b/ || $DS_EXCLUDED_ANALYZERS =~ /gemnasium-python/ || $DS_DEFAULT_ANALYZERS !~ /gemnasium-python/'
       when: never
     - changes: *python-patterns
-      allow_failure: true
-
-.reports:rules:dast:
-  rules:
-    - if: '$DAST_DISABLED || $GITLAB_FEATURES !~ /\bdast\b/'
-      when: never
-    - <<: *if-dot-com-gitlab-org-merge-request
-      changes: *frontend-patterns
-      allow_failure: true
-    - <<: *if-dot-com-gitlab-org-merge-request
-      changes: *code-qa-patterns
-      when: manual
-      allow_failure: true
 
 .reports:rules:schedule-dast:
   rules:
     - if: '$DAST_DISABLED || $GITLAB_FEATURES !~ /\bdast\b/'
       when: never
     - <<: *if-dot-com-ee-nightly-schedule
-      allow_failure: true
 
 .reports:rules:package_hunter-yarn:
   rules:
@@ -1316,7 +1293,6 @@
     - if: '$LICENSE_MANAGEMENT_DISABLED || $GITLAB_FEATURES !~ /\blicense_scanning\b/'
       when: never
     - changes: *code-backstage-qa-patterns
-      allow_failure: true
 
 ################
 # Review rules #