How to make Google Tag Manager and Content-Securit

Published 2019-04-21 23:03

Question:

The Content-Security-Policy (CSP) header aims to protect your application against malicious resource injection in your web apps. To make it simple, you provide a whitelist of allowed domain origins for all your images, scripts, styles and so on.

Meanwhile, the marketing team is using Google Tag Manager (GTM) to manage tags. The principle is to gather information from a page, send it to GTM and use that data as variables to generate tags, a mix of templated JS/HTML and those variables.

The problem is that most of those tags contain JavaScript, for sending very specific data to trackers, ad servers or whatever partners. Let's assume my marketing team is aware of the security risks and will not include a malicious script.

Is there a way to know which domains are imported by GTM so they can be automatically added to my CSP?

Answer 1:

I don't think there would be a way straight out of the box. What you can do is to use the GTM API (https://developers.google.com/tag-manager/api/v1/reference/accounts/containers/tags/list), where you can basically iterate over all Custom HTML and Custom Image tags and collect hostnames.
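As an added example (not code from the answer above or from Google's own tooling), here is one way to do that collection offline. It takes tag resources in the shape the tags.list call returns (the field names `type` and `parameter[].key`/`value`, and the `html` and `url` parameter keys for Custom HTML and Custom Image tags, are assumptions), pulls static origins out of script, img and iframe sources, and skips relative URLs and hosts built from GTM template variables, which cannot be whitelisted statically. The sample tags are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Which HTML elements feed which CSP directive (assumption: the common
# element types seen in Custom HTML tags; extend as your container needs).
ELEMENT_DIRECTIVES = {"script": "script-src", "img": "img-src", "iframe": "frame-src"}


def origin_of(url):
    """Return scheme://host[:port] for an absolute or protocol-relative URL.
    Relative paths and hosts that are GTM template variables ({{...}}) give
    None: the first need no whitelist entry, the second are not static."""
    parsed = urlparse(url or "", scheme="https")
    if not parsed.netloc or "{{" in parsed.netloc:
        return None
    port = f":{parsed.port}" if parsed.port else ""
    return f"{parsed.scheme}://{parsed.hostname}{port}"


class SourceCollector(HTMLParser):
    """Collect (directive, src) pairs from the markup of a Custom HTML tag."""
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        directive = ELEMENT_DIRECTIVES.get(tag)
        src = dict(attrs).get("src")
        if directive and src:
            self.found.append((directive, src))


def collect_csp_sources(tags):
    """Map CSP directive -> set of origins referenced by Custom HTML ('html')
    and Custom Image ('img') tag resources (assumed tags.list field names)."""
    sources = {}
    for tag in tags:
        params = {p["key"]: p.get("value", "") for p in tag.get("parameter", [])}
        pairs = []
        if tag.get("type") == "html":
            collector = SourceCollector()
            collector.feed(params.get("html", ""))
            collector.close()
            pairs = collector.found
        elif tag.get("type") == "img":
            pairs = [("img-src", params.get("url", ""))]
        for directive, url in pairs:
            origin = origin_of(url)
            if origin:
                sources.setdefault(directive, set()).add(origin)
    return sources


def build_csp(sources):
    """Render the collected origins as CSP directives, keeping 'self' as base."""
    return "; ".join(f"{d} 'self' " + " ".join(sorted(o)) for d, o in sorted(sources.items()))


# Constructed sample tags in the assumed tags.list shape (not real API output).
SAMPLE_TAGS = [
    {"name": "Pixel", "type": "img", "parameter": [
        {"type": "template", "key": "url",
         "value": "https://tracker.example/pixel.gif?u={{Page URL}}"}]},
    {"name": "Partner", "type": "html", "parameter": [
        {"type": "template", "key": "html", "value":
         '<script src="//cdn.partner.example/lib.js"></script>'
         '<iframe src="https://ads.example:8443/f"></iframe>'
         '<img src="/local.png"><script src="{{Script Host}}/x.js"></script>'}]},
]
```

Feed the real `tag` list from the API response in place of `SAMPLE_TAGS`; origins in variables like `{{Script Host}}` still have to be whitelisted by hand after checking what the variable resolves to.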