.gitlab-ci.yml in gitlab-dangerfiles-2.0.0 vs .gitlab-ci.yml in gitlab-dangerfiles-2.1.0

- old
+ new

@@ -9,11 +9,11 @@
# For `master` branch, create a pipeline (this includes on schedules, pushes, merges, etc.).
- if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
# For tags, create a pipeline.
- if: '$CI_COMMIT_TAG'
-default:
+.default:
image: ruby:2.7
tags:
- gitlab-org
before_script:
- gem install bundler
@@ -27,17 +27,52 @@
- vendor/ruby
- Gemfile.lock
policy: pull
test:rspec:
+ extends: .default
stage: test
script:
- bundle exec rspec
test:rufo:
+ extends: .default
stage: test
script:
- bundle exec rufo --check .
include:
+ - template: Security/Dependency-Scanning.gitlab-ci.yml
+ - template: Security/License-Scanning.gitlab-ci.yml
+ - template: Security/SAST.gitlab-ci.yml
+ - template: Security/Secret-Detection.gitlab-ci.yml
- project: 'gitlab-org/quality/pipeline-common'
file: '/ci/gem-release.yml'
+
+# run security jobs on MRs
+# see: https://gitlab.com/gitlab-org/gitlab/-/issues/218444#note_478761991
+
+brakeman-sast:
+ rules:
+ - if: '$CI_MERGE_REQUEST_IID'
+ - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
+
+gemnasium-dependency_scanning:
+ rules:
+ - if: '$CI_MERGE_REQUEST_IID'
+ - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
+
+bundler-audit-dependency_scanning:
+ rules:
+ - if: '$CI_MERGE_REQUEST_IID'
+ - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
+
+license_scanning:
+ rules:
+ - if: '$CI_MERGE_REQUEST_IID'
+ - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
+
+secret_detection:
+ rules:
+ - if: '$CI_MERGE_REQUEST_IID'
+ - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
+
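Review bot: The `rules` blocks added for the five security jobs at the end of the second hunk replace the template jobs' own rules outright and only match merge-request and default-branch pipelines, so tag pipelines — which the `workflow` rules in the first hunk still create via `- if: '$CI_COMMIT_TAG'`, and which the included `gem-release.yml` presumably uses to publish the gem — run without dependency scanning, SAST or secret detection in that pipeline. Whether that is acceptable depends on every release tag pointing at a commit that already passed a default-branch scan, which nothing in this file enforces. Adding `- if: '$CI_COMMIT_TAG'` as a third entry in each block closes that gap, and since the same three-line list is repeated five times verbatim, a single `.security_rules: &security_rules` list referenced as `rules: *security_rules` in each job would keep them from drifting apart. Note too that overriding `rules` discards whatever opt-out variables the upstream GitLab templates normally honour in their own rules; if any project relies on those to skip a scanner, that escape hatch is gone here.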