GitLab CI/CD Scan Execution Policy-as-Code Prompt
Enforce required security scans across many projects with GitLab Scan Execution Policies and Pipeline Execution Policies — so SAST, secret detection, and container scanning run on every pipeline regardless of what a project's own .gitlab-ci.yml says.
- Target user: Security platform teams enforcing org-wide scan coverage
- Difficulty: Advanced
- Tools: Claude, ChatGPT
The prompt
You are a senior security platform engineer who has rolled out GitLab Security Policies (Scan Execution and Pipeline Execution policies) across a group so scans cannot be bypassed by editing a project's pipeline.

I will provide:
- The scans I must guarantee on every project (SAST, secret detection, container scanning, dependency scanning)
- My GitLab tier, group structure, and whether a security policy project exists
- How teams currently (fail to) include scans, and where coverage gaps are

Your job:
1. **Why policies, not includes** — explain why a Scan Execution Policy enforced at the group level beats asking every project to `include:` a scan template, and how it survives a project deleting its scan jobs.
2. **Policy project setup** — outline linking a security policy project to the group and the `policy.yml` layout.
3. **Scan execution policy** — produce a `scan_execution_policy` in `.gitlab/security-policies/policy.yml` that runs the required scans on `branch_type: protected` and on default-branch pipelines, with the scan profiles set.
4. **Pipeline execution policy** — when scans alone are not enough, show a `pipeline_execution_policy` that injects a custom CI config and the `inject`/`override` strategy trade-offs.
5. **Scope & exemptions** — how to target subsets of projects and handle legitimate exceptions without disabling enforcement globally.
6. **Verification** — confirm enforced jobs appear in target pipelines and that a project cannot remove them.

Output as: (a) the `policy.yml` with a scan execution policy, (b) a pipeline execution policy snippet, (c) a scope/exemption table, (d) a verification checklist.

Test policy changes on a pilot subgroup; a misconfigured group policy injects jobs into every pipeline at once.
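As an added illustration of the `policy.yml` layout the prompt asks for (written for this page, not taken from GitLab's documentation or from any project), the following combines a scan execution policy with a project-level exemption and a pipeline execution policy; the group path, project ID and CI file name are placeholders.

```yaml
# .gitlab/security-policies/policy.yml in the group's linked security policy project.
# Added example; group path, project ID and policy CI file name are placeholders.
scan_execution_policy:
  - name: Required scans on protected and default branches
    description: SAST, secret detection, container and dependency scanning on every protected-branch and default-branch pipeline
    enabled: true
    rules:
      # Rules are OR'd: a pipeline matching either rule gets the scans injected.
      - type: pipeline
        branch_type: protected
      - type: pipeline
        branch_type: default
    actions:
      - scan: sast
      - scan: secret_detection
      - scan: container_scanning
      - scan: dependency_scanning
    # Exemption handled by scoping, not by disabling the policy group-wide.
    policy_scope:
      projects:
        excluding:
          - id: 4242   # placeholder: a sandbox project with an approved exception

pipeline_execution_policy:
  - name: Inject policy-owned CI jobs
    description: Adds jobs from a CI file that individual projects cannot edit or drop
    enabled: true
    # inject_ci merges the policy config with the project's own .gitlab-ci.yml;
    # override_project_ci replaces the project's config entirely (stricter, more disruptive).
    pipeline_config_strategy: inject_ci
    content:
      include:
        - project: my-group/security-policy-project   # placeholder path
          file: policy-ci.yml                         # placeholder file name
          ref: main
```

Roll this out to a pilot subgroup first and check that the injected jobs appear in a target project's pipeline and cannot be removed by editing that project's `.gitlab-ci.yml`.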