Why should the after_script not be used in the job definition for GitLab Security Scanner?


The after_script in a GitLab CI/CD job runs after the main job script has finished, whether the job succeeded or failed. In a GitLab Security Scanner job this is a liability: the results of a security scan should be definitive and trustworthy, but if users can override or modify the job definition, including its after_script, they can change the job's behaviour in ways that undermine the integrity of the scanning process. A user-supplied after_script could bypass or manipulate critical security steps, leaving the pipeline with false confidence in the scan results.

Keeping the after_script fixed and unchangeable for sensitive jobs such as the security scanner ensures that the intended security checks run consistently and cannot be subverted by user intervention. Organizations should maintain strict control over their security scanning configuration, which includes preventing user overrides of critical settings.
