Branch scanning causes outages

[sgleske-ias]

What feature do you want to see added?

I would like to disable the ability to trigger "branch scanning" on a multibranch pipeline. i.e. revoke it from users; it's fine if admins can do it.

I can't disable branch scanning without revoking Item.Build permission.

Item.Build permission is desirable for children jobs like branches, pull requests, and tags for a multibranch pipeline job.

Users with Item.Build can start a branch scan which might have 10s of thousands of references scanning a single repo.

Maybe multibranch pipelines and organization job types need a separate Item.Build permission. Or maybe I can revoke user access HTTP access from /build on folder job types.

I'm not really sure of a good path forward for this.

Another idea would be a job configuration trait which propagates permissions to child jobs but does not apply to the parent job.

Upstream changes

No response

Are you interested in contributing this feature?

I'm not sure where to start for this kind of request.

[samrocketman]

In AWS, I worked around this with a web application firewall (WAF). Blocking a specific set of URL patterns based on how we manage jobs.

However, ideally this would be a builtin feature. Here's an example of the regex I am using in case it helps someone else in a similar situation.

^(/user/[^/]+/my-views)?(/view/[^/]+)?/job/[^/]+(/view/[^/]+)?/job/[^/]+/build$

In the Jenkins instance I manage, this expression specifically blocks build on multibranch pipelines (branch scanning) but does not block building child jobs (e.g. user "building" a tag to run a deploy).