gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
authorGitLab Bot <gitlab-bot@gitlab.com>2021-10-08 00:11:49 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2021-10-08 00:11:49 +0300
commit4fcfdad283a25ee4d1e955954aeceb08d7ffd5f7 (patch)
treef90b6e55f2cf974ea14c38cd065aa3b65fe3715a
parent5a71c032e8e0dcb5593df5c257c88487e332e5e5 (diff)
Add latest changes from gitlab-org/gitlab@master
-rw-r--r--app/assets/stylesheets/pages/settings.scss31
-rw-r--r--app/controllers/projects_controller.rb8
-rw-r--r--app/experiments/new_project_sast_enabled_experiment.rb15
-rw-r--r--app/services/projects/after_rename_service.rb8
-rw-r--r--app/services/projects/create_service.rb6
-rw-r--r--app/services/projects/transfer_service.rb2
-rw-r--r--app/services/security/ci_configuration/base_create_service.rb6
-rw-r--r--app/services/security/ci_configuration/sast_create_service.rb17
-rw-r--r--app/views/projects/_new_project_fields.html.haml39
-rw-r--r--config/feature_flags/experiment/new_project_sast_enabled.yml8
-rw-r--r--db/migrate/20211004062942_create_coverage_fuzzing_corpuses.rb18
-rw-r--r--db/migrate/20211005063519_add_foreign_key_to_corpuses_on_project.rb15
-rw-r--r--db/migrate/20211005063616_add_foreign_key_to_corpuses_on_user.rb15
-rw-r--r--db/migrate/20211005063723_add_foreign_key_to_corpuses_on_package.rb15
-rw-r--r--db/schema_migrations/202110040629421
-rw-r--r--db/schema_migrations/202110050635191
-rw-r--r--db/schema_migrations/202110050636161
-rw-r--r--db/schema_migrations/202110050637231
-rw-r--r--db/structure.sql39
-rw-r--r--doc/administration/pages/index.md13
-rw-r--r--doc/integration/elasticsearch.md2
-rw-r--r--doc/integration/vault.md3
-rw-r--r--doc/subscriptions/bronze_starter.md2
-rw-r--r--doc/subscriptions/quarterly_reconciliation.md2
-rw-r--r--doc/subscriptions/self_managed/index.md4
-rw-r--r--doc/topics/application_development_platform/index.md2
-rw-r--r--doc/user/project/deploy_tokens/index.md8
-rw-r--r--doc/user/project/pages/custom_domains_ssl_tls_certification/index.md2
-rw-r--r--locale/gitlab.pot24
-rw-r--r--spec/controllers/projects_controller_spec.rb66
-rw-r--r--spec/experiments/new_project_sast_enabled_experiment_spec.rb15
-rw-r--r--spec/features/projects/user_creates_project_spec.rb23
-rw-r--r--spec/services/projects/create_service_spec.rb16
-rw-r--r--spec/services/security/ci_configuration/sast_create_service_spec.rb23
34 files changed, 374 insertions, 77 deletions
diff --git a/app/assets/stylesheets/pages/settings.scss b/app/assets/stylesheets/pages/settings.scss
index 57745ab06ed..37e272cfff7 100644
--- a/app/assets/stylesheets/pages/settings.scss
+++ b/app/assets/stylesheets/pages/settings.scss
@@ -192,19 +192,28 @@
}
}
-.initialize-with-readme-setting {
- .form-check {
- margin-bottom: 10px;
+.nested-settings {
+ padding-left: 20px;
+}
- .option-title {
- font-weight: $gl-font-weight-normal;
- display: inline-block;
- color: $gl-text-color;
- }
+.input-btn-group {
+ display: flex;
- .option-description {
- color: $project-option-descr-color;
- }
+ .input-large {
+ flex: 1;
+ }
+
+ .btn {
+ margin-left: 10px;
+ }
+}
+
+.content-list > .settings-flex-row {
+ display: flex;
+ align-items: center;
+
+ .float-right {
+ margin-left: auto;
}
}
diff --git a/app/controllers/projects_controller.rb b/app/controllers/projects_controller.rb
index 89767915d7f..a293bdac28c 100644
--- a/app/controllers/projects_controller.rb
+++ b/app/controllers/projects_controller.rb
@@ -73,6 +73,13 @@ class ProjectsController < Projects::ApplicationController
@project = ::Projects::CreateService.new(current_user, project_params(attributes: project_params_create_attributes)).execute
if @project.saved?
+ experiment(:new_project_sast_enabled, user: current_user).track(:created,
+ property: active_new_project_tab,
+ checked: Gitlab::Utils.to_boolean(project_params[:initialize_with_sast]),
+ project: @project,
+ namespace: @project.namespace
+ )
+
redirect_to(
project_path(@project, custom_import_params),
notice: _("Project '%{project_name}' was successfully created.") % { project_name: @project.name }
@@ -436,6 +443,7 @@ class ProjectsController < Projects::ApplicationController
:template_name,
:template_project_id,
:merge_method,
+ :initialize_with_sast,
:initialize_with_readme,
:autoclose_referenced_issues,
:suggestion_commit_message,
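Review bot: `:initialize_with_sast` is added to the permitted list unconditionally, so the server accepts it from any project-creation request, not only from users who were shown the checkbox by the `new_project_sast_enabled` experiment. The experiment and its `default_enabled: false` flag therefore only control whether the checkbox is rendered; they do not gate the server-side path that commits a SAST configuration. If that is intended, say so next to the key, e.g. `# accepted for every caller; the experiment only decides whether the checkbox is shown`. Otherwise drop the key from the params when the experiment is not active for `current_user`. The permitted list begins and ends outside this hunk.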
diff --git a/app/experiments/new_project_sast_enabled_experiment.rb b/app/experiments/new_project_sast_enabled_experiment.rb
new file mode 100644
index 00000000000..1ab86d70134
--- /dev/null
+++ b/app/experiments/new_project_sast_enabled_experiment.rb
@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+class NewProjectSastEnabledExperiment < ApplicationExperiment # rubocop:disable Gitlab/NamespacedClass
+ def publish(_result = nil)
+ super
+
+ publish_to_database
+ end
+
+ def candidate_behavior
+ end
+
+ def free_indicator_behavior
+ end
+end
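Review bot: `candidate_behavior` and `free_indicator_behavior` are empty and undocumented, so a reader cannot tell whether the empty bodies are deliberate. Presumably they only register the two variants, with the real behaviour supplied by the `e.try` blocks in `_new_project_fields.html.haml`. If so, add a comment above them such as `# Variants are registered here; the markup for each is provided by the view's e.try blocks.` A one-line comment on `publish` saying why this experiment calls `publish_to_database` would help in the same way.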
diff --git a/app/services/projects/after_rename_service.rb b/app/services/projects/after_rename_service.rb
index 953b386b754..a3d54bc6b58 100644
--- a/app/services/projects/after_rename_service.rb
+++ b/app/services/projects/after_rename_service.rb
@@ -12,6 +12,8 @@ module Projects
#
# Projects::AfterRenameService.new(project).execute
class AfterRenameService
+ include BaseServiceUtility
+
# @return [String] The Project being renamed.
attr_reader :project
@@ -78,7 +80,7 @@ module Projects
def execute_system_hooks
project.old_path_with_namespace = full_path_before
- SystemHooksService.new.execute_hooks_for(project, :rename)
+ system_hook_service.execute_hooks_for(project, :rename)
end
def update_repository_configuration
@@ -110,7 +112,7 @@ module Projects
end
def log_completion
- Gitlab::AppLogger.info(
+ log_info(
"Project #{project.id} has been renamed from " \
"#{full_path_before} to #{full_path_after}"
)
@@ -140,7 +142,7 @@ module Projects
def rename_failed!
error = "Repository #{full_path_before} could not be renamed to #{full_path_after}"
- Gitlab::AppLogger.error(error)
+ log_error(error)
raise RenameFailedError, error
end
diff --git a/app/services/projects/create_service.rb b/app/services/projects/create_service.rb
index e717491b19d..1536f0a22b8 100644
--- a/app/services/projects/create_service.rb
+++ b/app/services/projects/create_service.rb
@@ -8,6 +8,7 @@ module Projects
@current_user = user
@params = params.dup
@skip_wiki = @params.delete(:skip_wiki)
+ @initialize_with_sast = Gitlab::Utils.to_boolean(@params.delete(:initialize_with_sast))
@initialize_with_readme = Gitlab::Utils.to_boolean(@params.delete(:initialize_with_readme))
@import_data = @params.delete(:import_data)
@relations_block = @params.delete(:relations_block)
@@ -118,6 +119,7 @@ module Projects
Projects::PostCreationWorker.perform_async(@project.id)
create_readme if @initialize_with_readme
+ create_sast_commit if @initialize_with_sast
end
# Add an authorization for the current user authorizations inline
@@ -160,6 +162,10 @@ module Projects
Files::CreateService.new(@project, current_user, commit_attrs).execute
end
+ def create_sast_commit
+ ::Security::CiConfiguration::SastCreateService.new(@project, current_user, {}, commit_on_default: true).execute
+ end
+
def readme_content
@readme_template.presence || experiment(:new_project_readme_content, namespace: @project.namespace).run_with(@project)
end
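Review bot: `create_sast_commit` discards the return value of `SastCreateService#execute`, so a failed SAST commit is not visible to the user or in the logs. The base service in this same commit returns `ServiceResponse.error(message: e.message)` on `Gitlab::Git::PreReceiveError`. In that case the project is created without the SAST configuration the user ticked, and nothing records why. Keep the result and log the failure, e.g. `result = ::Security::CiConfiguration::SastCreateService.new(...).execute` followed by `log_error(result.message) if result.error?`, assuming this service has the `log_error` helper that `AfterRenameService` gains in this commit. Any other `StandardError` is re-raised by the base service; whether the caller of `create_sast_commit` handles it lies outside this hunk.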
diff --git a/app/services/projects/transfer_service.rb b/app/services/projects/transfer_service.rb
index a2028cf8a19..bdfad770638 100644
--- a/app/services/projects/transfer_service.rb
+++ b/app/services/projects/transfer_service.rb
@@ -187,7 +187,7 @@ module Projects
end
def execute_system_hooks
- SystemHooksService.new.execute_hooks_for(project, :transfer)
+ system_hook_service.execute_hooks_for(project, :transfer)
end
def move_project_folders(project)
diff --git a/app/services/security/ci_configuration/base_create_service.rb b/app/services/security/ci_configuration/base_create_service.rb
index adb45244adb..ea77cd98ba3 100644
--- a/app/services/security/ci_configuration/base_create_service.rb
+++ b/app/services/security/ci_configuration/base_create_service.rb
@@ -25,7 +25,7 @@ module Security
rescue Gitlab::Git::PreReceiveError => e
ServiceResponse.error(message: e.message)
rescue StandardError
- project.repository.rm_branch(current_user, branch_name) if project.repository.branch_exists?(branch_name)
+ remove_branch_on_exception
raise
end
@@ -50,6 +50,10 @@ module Security
Gitlab::Routing.url_helpers.project_new_merge_request_url(project, merge_request: merge_request_params)
end
+ def remove_branch_on_exception
+ project.repository.rm_branch(current_user, branch_name) if project.repository.branch_exists?(branch_name)
+ end
+
def track_event(attributes_for_commit)
action = attributes_for_commit[:actions].first
diff --git a/app/services/security/ci_configuration/sast_create_service.rb b/app/services/security/ci_configuration/sast_create_service.rb
index f495cac18f8..47e01847b17 100644
--- a/app/services/security/ci_configuration/sast_create_service.rb
+++ b/app/services/security/ci_configuration/sast_create_service.rb
@@ -5,15 +5,28 @@ module Security
class SastCreateService < ::Security::CiConfiguration::BaseCreateService
attr_reader :params
- def initialize(project, current_user, params)
+ def initialize(project, current_user, params, commit_on_default: false)
super(project, current_user)
@params = params
+
+ @commit_on_default = commit_on_default
+ @branch_name = project.default_branch if @commit_on_default
end
private
+ def remove_branch_on_exception
+ super unless @commit_on_default
+ end
+
def action
- Security::CiConfiguration::SastBuildAction.new(project.auto_devops_enabled?, params, existing_gitlab_ci_content).generate
+ existing_content = begin
+ existing_gitlab_ci_content # this can fail on the very first commit
+ rescue StandardError
+ nil
+ end
+
+ Security::CiConfiguration::SastBuildAction.new(project.auto_devops_enabled?, params, existing_content).generate
end
def next_branch
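Review bot: The `rescue StandardError` around `existing_gitlab_ci_content` in `action` returns `nil` for every failure, not only the first-commit case named in the inline comment. It also applies to the existing merge-request flow, not just to `commit_on_default`. If reading the current `.gitlab-ci.yml` fails for any other reason, `SastBuildAction` is built as though the project had no CI configuration, and the generated commit could replace a file that does exist. Re-raise outside the new-project path by adding `raise unless @commit_on_default` as the first line of the rescue body, or rescue only the error class that the empty repository actually raises.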
diff --git a/app/views/projects/_new_project_fields.html.haml b/app/views/projects/_new_project_fields.html.haml
index b7859e27b31..256c3ebad0a 100644
--- a/app/views/projects/_new_project_fields.html.haml
+++ b/app/views/projects/_new_project_fields.html.haml
@@ -58,15 +58,36 @@
= render 'shared/visibility_level', f: f, visibility_level: visibility_level.to_i, can_change_visibility_level: true, form_model: @project, with_label: false
- if !hide_init_with_readme
- .form-group.row.initialize-with-readme-setting
- %div{ :class => "col-sm-12" }
- .form-check
- = check_box_tag 'project[initialize_with_readme]', '1', true, class: 'form-check-input', data: { qa_selector: "initialize_with_readme_checkbox", track_label: "#{track_label}", track_action: "activate_form_input", track_property: "init_with_readme", track_value: "" }
- = label_tag 'project[initialize_with_readme]', class: 'form-check-label' do
- .option-title
- %strong= s_('ProjectsNew|Initialize repository with a README')
- .option-description
- = s_('ProjectsNew|Allows you to immediately clone this project’s repository. Skip this if you plan to push up an existing repository.')
+ = f.label :project_configuration, class: 'label-bold' do
+ = s_('ProjectsNew|Project Configuration')
+
+ .form-group
+ .form-check.gl-mb-3
+ = check_box_tag 'project[initialize_with_readme]', '1', true, class: 'form-check-input', data: { qa_selector: 'initialize_with_readme_checkbox', track_label: track_label, track_action: 'activate_form_input', track_property: 'init_with_readme' }
+ = label_tag 'project[initialize_with_readme]', s_('ProjectsNew|Initialize repository with a README'), class: 'form-check-label'
+ .form-text.text-muted
+ = s_('ProjectsNew|Allows you to immediately clone this project’s repository. Skip this if you plan to push up an existing repository.')
+
+ - experiment(:new_project_sast_enabled, user: current_user) do |e|
+ - e.try do
+ .form-group
+ .form-check.gl-mb-3
+ = check_box_tag 'project[initialize_with_sast]', '1', true, class: 'form-check-input', data: { track_experiment: e.name, track_label: track_label, track_action: 'activate_form_input', track_property: 'init_with_sast' }
+ = label_tag 'project[initialize_with_sast]', class: 'form-check-label' do
+ = s_('ProjectsNew|Enable Static Application Security Testing (SAST)')
+ .form-text.text-muted
+ = s_('ProjectsNew|Analyze your source code for known security vulnerabilities.')
+ = link_to _('Learn more.'), help_page_path('user/application_security/sast/index'), target: '_blank', rel: 'noopener noreferrer', data: { track_action: 'followed', track_experiment: e.name }
+ - e.try(:free_indicator) do
+ .form-group
+ .form-check.gl-mb-3
+ = check_box_tag 'project[initialize_with_sast]', '1', true, class: 'form-check-input', data: { track_experiment: e.name, track_label: track_label, track_action: 'activate_form_input', track_property: 'init_with_sast' }
+ = label_tag 'project[initialize_with_sast]', class: 'form-check-label' do
+ = s_('ProjectsNew|Enable Static Application Security Testing (SAST)')
+ %span.badge.badge-info.badge-pill.gl-badge.sm= _('Free')
+ .form-text.text-muted
+ = s_('ProjectsNew|Analyze your source code for known security vulnerabilities.')
+ = link_to _('Learn more.'), help_page_path('user/application_security/sast/index'), target: '_blank', rel: 'noopener noreferrer', data: { track_action: 'followed', track_experiment: e.name }
= f.submit _('Create project'), class: "btn gl-button btn-confirm", data: { track_label: "#{track_label}", track_action: "click_button", track_property: "create_project", track_value: "" }
= link_to _('Cancel'), dashboard_projects_path, class: 'btn gl-button btn-default btn-cancel', data: { track_label: "#{track_label}", track_action: "click_button", track_property: "cancel", track_value: "" }
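Review bot: The `e.try` and `e.try(:free_indicator)` blocks repeat the same checkbox, label, help text and `Learn more.` link, and differ only by the `Free` badge line. Any later change to the tracking attributes or the help link has to be made in both places. Move the shared markup into a partial or local helper that takes a flag for the badge. Both variants also pass `true` as the checked state, so committing a SAST configuration to the default branch is opt-out for users in the experiment; a short comment stating that this default is deliberate would help later readers.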
diff --git a/config/feature_flags/experiment/new_project_sast_enabled.yml b/config/feature_flags/experiment/new_project_sast_enabled.yml
new file mode 100644
index 00000000000..f47c01d26aa
--- /dev/null
+++ b/config/feature_flags/experiment/new_project_sast_enabled.yml
@@ -0,0 +1,8 @@
+---
+name: new_project_sast_enabled
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/70548
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/340929
+milestone: '14.4'
+type: experiment
+group: group::adoption
+default_enabled: false
diff --git a/db/migrate/20211004062942_create_coverage_fuzzing_corpuses.rb b/db/migrate/20211004062942_create_coverage_fuzzing_corpuses.rb
new file mode 100644
index 00000000000..c24883b626d
--- /dev/null
+++ b/db/migrate/20211004062942_create_coverage_fuzzing_corpuses.rb
@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+class CreateCoverageFuzzingCorpuses < Gitlab::Database::Migration[1.0]
+ def change
+ create_table :coverage_fuzzing_corpuses do |t|
+ t.bigint :project_id, null: false
+ t.bigint :user_id
+ t.bigint :package_id, null: false
+
+ t.datetime_with_timezone :file_updated_at, null: false, default: -> { 'NOW()' }
+ t.timestamps_with_timezone null: false
+
+ t.index :project_id
+ t.index :user_id
+ t.index :package_id
+ end
+ end
+end
diff --git a/db/migrate/20211005063519_add_foreign_key_to_corpuses_on_project.rb b/db/migrate/20211005063519_add_foreign_key_to_corpuses_on_project.rb
new file mode 100644
index 00000000000..ba1fb443343
--- /dev/null
+++ b/db/migrate/20211005063519_add_foreign_key_to_corpuses_on_project.rb
@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+class AddForeignKeyToCorpusesOnProject < Gitlab::Database::Migration[1.0]
+ disable_ddl_transaction!
+
+ def up
+ add_concurrent_foreign_key :coverage_fuzzing_corpuses, :projects, column: :project_id, on_delete: :cascade
+ end
+
+ def down
+ with_lock_retries do
+ remove_foreign_key :coverage_fuzzing_corpuses, column: :project_id
+ end
+ end
+end
diff --git a/db/migrate/20211005063616_add_foreign_key_to_corpuses_on_user.rb b/db/migrate/20211005063616_add_foreign_key_to_corpuses_on_user.rb
new file mode 100644
index 00000000000..da08ab97acf
--- /dev/null
+++ b/db/migrate/20211005063616_add_foreign_key_to_corpuses_on_user.rb
@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+class AddForeignKeyToCorpusesOnUser < Gitlab::Database::Migration[1.0]
+ disable_ddl_transaction!
+
+ def up
+ add_concurrent_foreign_key :coverage_fuzzing_corpuses, :users, column: :user_id, on_delete: :cascade
+ end
+
+ def down
+ with_lock_retries do
+ remove_foreign_key :coverage_fuzzing_corpuses, column: :user_id
+ end
+ end
+end
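Review bot: `on_delete: :cascade` on `user_id` deletes every corpus row tied to a user when that user is removed. The table migration in this commit declares `user_id` nullable, while `project_id` and `package_id` are `null: false`. A nullable column usually means the row should outlive the user. If that is the intent, use `add_concurrent_foreign_key :coverage_fuzzing_corpuses, :users, column: :user_id, on_delete: :nullify`, so a project's fuzzing corpuses are not lost when a member's account is deleted. If cascade is intended, a one-line comment saying so would settle the question.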
diff --git a/db/migrate/20211005063723_add_foreign_key_to_corpuses_on_package.rb b/db/migrate/20211005063723_add_foreign_key_to_corpuses_on_package.rb
new file mode 100644
index 00000000000..74ba7b070d0
--- /dev/null
+++ b/db/migrate/20211005063723_add_foreign_key_to_corpuses_on_package.rb
@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+class AddForeignKeyToCorpusesOnPackage < Gitlab::Database::Migration[1.0]
+ disable_ddl_transaction!
+
+ def up
+ add_concurrent_foreign_key :coverage_fuzzing_corpuses, :packages_packages, column: :package_id, on_delete: :cascade
+ end
+
+ def down
+ with_lock_retries do
+ remove_foreign_key :coverage_fuzzing_corpuses, column: :package_id
+ end
+ end
+end
diff --git a/db/schema_migrations/20211004062942 b/db/schema_migrations/20211004062942
new file mode 100644
index 00000000000..6ad1af289f7
--- /dev/null
+++ b/db/schema_migrations/20211004062942
@@ -0,0 +1 @@
+95dcfdc6c03705b0db5e96d669051edf335b5d6501243f70588f9b73478116a6 \ No newline at end of file
diff --git a/db/schema_migrations/20211005063519 b/db/schema_migrations/20211005063519
new file mode 100644
index 00000000000..d3450d4282a
--- /dev/null
+++ b/db/schema_migrations/20211005063519
@@ -0,0 +1 @@
+e45163c2d0d691fb5deab86d024c4edb8e3cd350271418e1ff132c31e2ca90a3 \ No newline at end of file
diff --git a/db/schema_migrations/20211005063616 b/db/schema_migrations/20211005063616
new file mode 100644
index 00000000000..030dfc12a68
--- /dev/null
+++ b/db/schema_migrations/20211005063616
@@ -0,0 +1 @@
+20d35e9baae343bccbb67a25eacd7fdb4b32fd4cedd95e6f8f7a2933470350fb \ No newline at end of file
diff --git a/db/schema_migrations/20211005063723 b/db/schema_migrations/20211005063723
new file mode 100644
index 00000000000..b4d8c7a3f6e
--- /dev/null
+++ b/db/schema_migrations/20211005063723
@@ -0,0 +1 @@
+4659ab6d971b03d9b44dda72fe1b571c5050fd6892cb4f16f2ca1ced0905c1ce \ No newline at end of file
diff --git a/db/structure.sql b/db/structure.sql
index 189e4e8efaf..d49007990ee 100644
--- a/db/structure.sql
+++ b/db/structure.sql
@@ -12765,6 +12765,25 @@ CREATE SEQUENCE conversational_development_index_metrics_id_seq
ALTER SEQUENCE conversational_development_index_metrics_id_seq OWNED BY conversational_development_index_metrics.id;
+CREATE TABLE coverage_fuzzing_corpuses (
+ id bigint NOT NULL,
+ project_id bigint NOT NULL,
+ user_id bigint,
+ package_id bigint NOT NULL,
+ file_updated_at timestamp with time zone DEFAULT now() NOT NULL,
+ created_at timestamp with time zone NOT NULL,
+ updated_at timestamp with time zone NOT NULL
+);
+
+CREATE SEQUENCE coverage_fuzzing_corpuses_id_seq
+ START WITH 1
+ INCREMENT BY 1
+ NO MINVALUE
+ NO MAXVALUE
+ CACHE 1;
+
+ALTER SEQUENCE coverage_fuzzing_corpuses_id_seq OWNED BY coverage_fuzzing_corpuses.id;
+
CREATE TABLE csv_issue_imports (
id bigint NOT NULL,
project_id bigint NOT NULL,
@@ -21188,6 +21207,8 @@ ALTER TABLE ONLY container_repositories ALTER COLUMN id SET DEFAULT nextval('con
ALTER TABLE ONLY conversational_development_index_metrics ALTER COLUMN id SET DEFAULT nextval('conversational_development_index_metrics_id_seq'::regclass);
+ALTER TABLE ONLY coverage_fuzzing_corpuses ALTER COLUMN id SET DEFAULT nextval('coverage_fuzzing_corpuses_id_seq'::regclass);
+
ALTER TABLE ONLY csv_issue_imports ALTER COLUMN id SET DEFAULT nextval('csv_issue_imports_id_seq'::regclass);
ALTER TABLE ONLY custom_emoji ALTER COLUMN id SET DEFAULT nextval('custom_emoji_id_seq'::regclass);
@@ -22704,6 +22725,9 @@ ALTER TABLE ONLY container_repositories
ALTER TABLE ONLY conversational_development_index_metrics
ADD CONSTRAINT conversational_development_index_metrics_pkey PRIMARY KEY (id);
+ALTER TABLE ONLY coverage_fuzzing_corpuses
+ ADD CONSTRAINT coverage_fuzzing_corpuses_pkey PRIMARY KEY (id);
+
ALTER TABLE ONLY csv_issue_imports
ADD CONSTRAINT csv_issue_imports_pkey PRIMARY KEY (id);
@@ -24856,6 +24880,12 @@ CREATE UNIQUE INDEX index_container_repositories_on_project_id_and_name ON conta
CREATE INDEX index_container_repository_on_name_trigram ON container_repositories USING gin (name gin_trgm_ops);
+CREATE INDEX index_coverage_fuzzing_corpuses_on_package_id ON coverage_fuzzing_corpuses USING btree (package_id);
+
+CREATE INDEX index_coverage_fuzzing_corpuses_on_project_id ON coverage_fuzzing_corpuses USING btree (project_id);
+
+CREATE INDEX index_coverage_fuzzing_corpuses_on_user_id ON coverage_fuzzing_corpuses USING btree (user_id);
+
CREATE INDEX index_created_at_on_codeowner_approval_merge_request_rules ON approval_merge_request_rules USING btree (created_at) WHERE ((rule_type = 2) AND (section <> 'codeowners'::text));
CREATE INDEX index_csv_issue_imports_on_project_id ON csv_issue_imports USING btree (project_id);
@@ -27555,6 +27585,9 @@ ALTER TABLE ONLY boards
ALTER TABLE ONLY epics
ADD CONSTRAINT fk_1fbed67632 FOREIGN KEY (start_date_sourcing_milestone_id) REFERENCES milestones(id) ON DELETE SET NULL;
+ALTER TABLE ONLY coverage_fuzzing_corpuses
+ ADD CONSTRAINT fk_204d40056a FOREIGN KEY (project_id) REFERENCES projects(id) ON DELETE CASCADE;
+
ALTER TABLE ONLY geo_container_repository_updated_events
ADD CONSTRAINT fk_212c89c706 FOREIGN KEY (container_repository_id) REFERENCES container_repositories(id) ON DELETE CASCADE;
@@ -27594,6 +27627,9 @@ ALTER TABLE ONLY geo_event_log
ALTER TABLE ONLY deployments
ADD CONSTRAINT fk_289bba3222 FOREIGN KEY (cluster_id) REFERENCES clusters(id) ON DELETE SET NULL;
+ALTER TABLE ONLY coverage_fuzzing_corpuses
+ ADD CONSTRAINT fk_29f6f15f82 FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE;
+
ALTER TABLE ONLY agent_group_authorizations
ADD CONSTRAINT fk_2c9f941965 FOREIGN KEY (group_id) REFERENCES namespaces(id) ON DELETE CASCADE;
@@ -28236,6 +28272,9 @@ ALTER TABLE ONLY application_settings
ALTER TABLE ONLY events
ADD CONSTRAINT fk_edfd187b6f FOREIGN KEY (author_id) REFERENCES users(id) ON DELETE CASCADE;
+ALTER TABLE ONLY coverage_fuzzing_corpuses
+ ADD CONSTRAINT fk_ef5ebf339f FOREIGN KEY (package_id) REFERENCES packages_packages(id) ON DELETE CASCADE;
+
ALTER TABLE ONLY vulnerabilities
ADD CONSTRAINT fk_efb96ab1e2 FOREIGN KEY (project_id) REFERENCES projects(id) ON DELETE CASCADE;
diff --git a/doc/administration/pages/index.md b/doc/administration/pages/index.md
index 66c291549a3..8a0d3f552bf 100644
--- a/doc/administration/pages/index.md
+++ b/doc/administration/pages/index.md
@@ -7,12 +7,6 @@ description: 'Learn how to administer GitLab Pages.'
# GitLab Pages administration **(FREE SELF)**
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/80) in GitLab EE 8.3.
-> - Custom CNAMEs with TLS support were [introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/173) in GitLab EE 8.5.
-> - GitLab Pages [was ported](https://gitlab.com/gitlab-org/gitlab-foss/-/issues/14605) to Community Edition in GitLab 8.17.
-> - Support for subgroup project's websites was
-> [introduced](https://gitlab.com/gitlab-org/gitlab-foss/-/issues/30548) in GitLab 11.8.
-
GitLab Pages allows for hosting of static sites. It must be configured by an
administrator. Separate [user documentation](../../user/project/pages/index.md) is available.
@@ -382,8 +376,6 @@ To enable it:
### Access control
-> [Introduced](https://gitlab.com/gitlab-org/gitlab-foss/-/issues/33422) in GitLab 11.5.
-
GitLab Pages access control can be configured per-project, and allows access to a Pages
site to be controlled based on a user's membership to that project.
@@ -524,9 +516,6 @@ After an archive reaches `zip_cache_expiration`, it's marked as expired and remo
## Activate verbose logging for daemon
-Verbose logging was [introduced](https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/2533) in
-Omnibus GitLab 11.1.
-
Follow the steps below to configure verbose logging of GitLab Pages daemon.
1. By default the daemon only logs with `INFO` level.
@@ -603,8 +592,6 @@ the below steps to do a no downtime transfer to a new storage location.
## Configure listener for reverse proxy requests
-> [Introduced](https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/2533) in Omnibus GitLab 11.1.
-
Follow the steps below to configure the proxy listener of GitLab Pages.
1. By default the listener is configured to listen for requests on `localhost:8090`.
diff --git a/doc/integration/elasticsearch.md b/doc/integration/elasticsearch.md
index 9d231664d76..67a11ca2810 100644
--- a/doc/integration/elasticsearch.md
+++ b/doc/integration/elasticsearch.md
@@ -461,6 +461,8 @@ The following are some available Rake tasks:
| Task | Description |
|:--------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| [`sudo gitlab-rake gitlab:elastic:index`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/lib/tasks/gitlab/elastic.rake) | Enables Elasticsearch indexing and run `gitlab:elastic:create_empty_index`, `gitlab:elastic:clear_index_status`, `gitlab:elastic:index_projects`, and `gitlab:elastic:index_snippets`. |
+| [`sudo gitlab-rake gitlab:elastic:pause_indexing`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/lib/tasks/gitlab/elastic.rake) | Pauses Elasticsearch indexing. Changes are still tracked. Useful for cluster/index migrations. |
+| [`sudo gitlab-rake gitlab:elastic:resume_indexing`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/lib/tasks/gitlab/elastic.rake) | Resumes Elasticsearch indexing. |
| [`sudo gitlab-rake gitlab:elastic:index_projects`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/lib/tasks/gitlab/elastic.rake) | Iterates over all projects and queues Sidekiq jobs to index them in the background. |
| [`sudo gitlab-rake gitlab:elastic:index_projects_status`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/lib/tasks/gitlab/elastic.rake) | Determines the overall status of the indexing. It is done by counting the total number of indexed projects, dividing by a count of the total number of projects, then multiplying by 100. |
| [`sudo gitlab-rake gitlab:elastic:clear_index_status`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/lib/tasks/gitlab/elastic.rake) | Deletes all instances of IndexStatus for all projects. Note that this command will result in a complete wipe of the index, and it should be used with caution. |
diff --git a/doc/integration/vault.md b/doc/integration/vault.md
index 5d2813a9f01..3bca3767785 100644
--- a/doc/integration/vault.md
+++ b/doc/integration/vault.md
@@ -2,13 +2,10 @@
stage: Release
group: Release
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
-type: reference, howto
---
# Vault Authentication with GitLab OpenID Connect **(FREE)**
-> [Introduced](https://gitlab.com/gitlab-org/gitlab-foss/-/issues/22323) in GitLab 9.0
-
[Vault](https://www.vaultproject.io/) is a secrets management application offered by HashiCorp.
It allows you to store and manage sensitive information such as secret environment variables, encryption keys, and authentication tokens.
Vault offers Identity-based Access, which means Vault users can authenticate through several of their preferred cloud providers.
diff --git a/doc/subscriptions/bronze_starter.md b/doc/subscriptions/bronze_starter.md
index 5b98a55cec4..b311653eef7 100644
--- a/doc/subscriptions/bronze_starter.md
+++ b/doc/subscriptions/bronze_starter.md
@@ -68,7 +68,7 @@ the tiers are no longer mentioned in GitLab documentation:
- [Full code quality reports in the code quality tab](../user/project/merge_requests/code_quality.md#code-quality-reports)
- [Merge request approvals](../user/project/merge_requests/approvals/index.md)
- [Multiple assignees](../user/project/merge_requests/getting_started.md#multiple-assignees)
- - [Approval Rule information for Reviewers](../user/project/merge_requests/reviews/index.md#approval-rule-information-for-reviewers) **(PREMIUM)**
+ - [Approval Rule information for Reviewers](../user/project/merge_requests/reviews/index.md#approval-rule-information-for-reviewers)
- [Required Approvals](../user/project/merge_requests/approvals/index.md#required-approvals)
- [Code Owners as eligible approvers](../user/project/merge_requests/approvals/rules.md#code-owners-as-eligible-approvers)
- [Approval rules](../user/project/merge_requests/approvals/rules.md) features
diff --git a/doc/subscriptions/quarterly_reconciliation.md b/doc/subscriptions/quarterly_reconciliation.md
index f9cca079e76..252326ab265 100644
--- a/doc/subscriptions/quarterly_reconciliation.md
+++ b/doc/subscriptions/quarterly_reconciliation.md
@@ -4,7 +4,7 @@ group: Purchase
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
---
-# The quarterly subscription reconciliation process
+# The quarterly subscription reconciliation process **(PREMIUM)**
GitLab reviews your seat usage every quarter and sends you an invoice for
any overages.
diff --git a/doc/subscriptions/self_managed/index.md b/doc/subscriptions/self_managed/index.md
index 72bd1c2b4f7..7d63f7ce4bc 100644
--- a/doc/subscriptions/self_managed/index.md
+++ b/doc/subscriptions/self_managed/index.md
@@ -25,8 +25,8 @@ changes to their subscription.
The cost of a GitLab self-managed subscription is determined by the following:
-- GitLab tier
-- Subscription seats
+- [GitLab tier](https://about.gitlab.com/pricing/)
+- [Subscription seats](#subscription-seats)
## Choose a GitLab tier
diff --git a/doc/topics/application_development_platform/index.md b/doc/topics/application_development_platform/index.md
index f9baa8916df..1560ceeed26 100644
--- a/doc/topics/application_development_platform/index.md
+++ b/doc/topics/application_development_platform/index.md
@@ -4,7 +4,7 @@ group: unassigned
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
---
-# Application Development Platform
+# Application Development Platform **(FREE)**
The GitLab Application Development Platform refers to the set of GitLab features used to create, configure, and manage
a complete software development environment. It provides development, operations, and security teams with a robust feature set aimed at supporting best practices out of the box.
diff --git a/doc/user/project/deploy_tokens/index.md b/doc/user/project/deploy_tokens/index.md
index 1798aa0c1c6..29005b49dc2 100644
--- a/doc/user/project/deploy_tokens/index.md
+++ b/doc/user/project/deploy_tokens/index.md
@@ -2,12 +2,10 @@
stage: Release
group: Release
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
-type: howto
---
# Deploy tokens
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/17894) in GitLab 10.7.
> - [Moved](https://gitlab.com/gitlab-org/gitlab/-/issues/199370) from **Settings > Repository** in GitLab 12.9.
> - [Added `write_registry` scope](https://gitlab.com/gitlab-org/gitlab/-/issues/22743) in GitLab 12.10.
> - [Moved](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/29280) from **Settings > CI/CD** in GitLab 12.10.1.
@@ -59,8 +57,8 @@ following table along with GitLab version it was introduced in:
| Scope | Description | Introduced in GitLab Version |
|--------------------------|-------------|------------------------------|
-| `read_repository` | Allows read-access to the repository through `git clone` | 10.7 |
-| `read_registry` | Allows read-access to [container registry](../../packages/container_registry/index.md) images if a project is private and authorization is required. | 10.7 |
+| `read_repository` | Allows read-access to the repository through `git clone` | -- |
+| `read_registry` | Allows read-access to [container registry](../../packages/container_registry/index.md) images if a project is private and authorization is required. | -- |
| `write_registry` | Allows write-access (push) to [container registry](../../packages/container_registry/index.md). | 12.10 |
| `read_package_registry` | Allows read access to the package registry. | 13.0 |
| `write_package_registry` | Allows write access to the package registry. | 13.0 |
@@ -185,8 +183,6 @@ To pull images from the Dependency Proxy, you must:
### GitLab deploy token
-> [Introduced](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/18414) in GitLab 10.8.
-
There's a special case when it comes to deploy tokens. If a user creates one
named `gitlab-deploy-token`, the username and token of the deploy token is
automatically exposed to the CI/CD jobs as CI/CD variables: `CI_DEPLOY_USER`
diff --git a/doc/user/project/pages/custom_domains_ssl_tls_certification/index.md b/doc/user/project/pages/custom_domains_ssl_tls_certification/index.md
index f701b8fc870..27487003697 100644
--- a/doc/user/project/pages/custom_domains_ssl_tls_certification/index.md
+++ b/doc/user/project/pages/custom_domains_ssl_tls_certification/index.md
@@ -290,8 +290,6 @@ Sublime Text, Atom, Dreamweaver, Brackets, etc).
## Force HTTPS for GitLab Pages websites
-> [Introduced](https://gitlab.com/gitlab-org/gitlab-foss/-/issues/28857) in GitLab 10.7.
-
To make your website's visitors even more secure, you can choose to
force HTTPS for GitLab Pages. By doing so, all attempts to visit your
website through HTTP are automatically redirected to HTTPS through 301.
diff --git a/locale/gitlab.pot b/locale/gitlab.pot
index 8087f8563c8..1603365d0af 100644
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -14860,6 +14860,9 @@ msgstr ""
msgid "Framework successfully deleted"
msgstr ""
+msgid "Free"
+msgstr ""
+
msgid "Free Trial of GitLab.com Ultimate"
msgstr ""
@@ -19192,6 +19195,9 @@ msgstr ""
msgid "Iterations|The duration for each iteration (in weeks)"
msgstr ""
+msgid "Iterations|The iteration has been deleted."
+msgstr ""
+
msgid "Iterations|The start date of your first iteration"
msgstr ""
@@ -23684,6 +23690,9 @@ msgstr ""
msgid "OnDemandScans|My daily scan"
msgstr ""
+msgid "OnDemandScans|New DAST scan"
+msgstr ""
+
msgid "OnDemandScans|New on-demand DAST scan"
msgstr ""
@@ -23696,6 +23705,12 @@ msgstr ""
msgid "OnDemandScans|On-demand Scans"
msgstr ""
+msgid "OnDemandScans|On-demand scans"
+msgstr ""
+
+msgid "OnDemandScans|On-demand scans run outside of DevOps cycle and find vulnerabilities in your projects. %{learnMoreLinkStart}Lean more%{learnMoreLinkEnd}."
+msgstr ""
+
msgid "OnDemandScans|On-demand scans run outside the DevOps cycle and find vulnerabilities in your projects. %{learnMoreLinkStart}Learn more%{learnMoreLinkEnd}"
msgstr ""
@@ -27049,6 +27064,9 @@ msgstr ""
msgid "ProjectsNew|Allows you to immediately clone this project’s repository. Skip this if you plan to push up an existing repository."
msgstr ""
+msgid "ProjectsNew|Analyze your source code for known security vulnerabilities."
+msgstr ""
+
msgid "ProjectsNew|Connect your external repository to GitLab CI/CD."
msgstr ""
@@ -27076,6 +27094,9 @@ msgstr ""
msgid "ProjectsNew|Description format"
msgstr ""
+msgid "ProjectsNew|Enable Static Application Security Testing (SAST)"
+msgstr ""
+
msgid "ProjectsNew|Import"
msgstr ""
@@ -27091,6 +27112,9 @@ msgstr ""
msgid "ProjectsNew|No import options available"
msgstr ""
+msgid "ProjectsNew|Project Configuration"
+msgstr ""
+
msgid "ProjectsNew|Project description %{tag_start}(optional)%{tag_end}"
msgstr ""
diff --git a/spec/controllers/projects_controller_spec.rb b/spec/controllers/projects_controller_spec.rb
index d502670d276..3d966848c5b 100644
--- a/spec/controllers/projects_controller_spec.rb
+++ b/spec/controllers/projects_controller_spec.rb
@@ -420,42 +420,66 @@ RSpec.describe ProjectsController do
end
describe 'POST create' do
- let!(:params) do
- {
- path: 'foo',
- description: 'bar',
- import_url: project.http_url_to_repo,
- namespace_id: user.namespace.id
- }
- end
-
subject { post :create, params: { project: params } }
before do
sign_in(user)
end
- context 'when import by url is disabled' do
- before do
- stub_application_setting(import_sources: [])
+ context 'on import' do
+ let(:params) do
+ {
+ path: 'foo',
+ description: 'bar',
+ namespace_id: user.namespace.id,
+ import_url: project.http_url_to_repo
+ }
end
- it 'does not create project and reports an error' do
- expect { subject }.not_to change { Project.count }
+ context 'when import by url is disabled' do
+ before do
+ stub_application_setting(import_sources: [])
+ end
- expect(response).to have_gitlab_http_status(:not_found)
+ it 'does not create project and reports an error' do
+ expect { subject }.not_to change { Project.count }
+
+ expect(response).to have_gitlab_http_status(:not_found)
+ end
+ end
+
+ context 'when import by url is enabled' do
+ before do
+ stub_application_setting(import_sources: ['git'])
+ end
+
+ it 'creates project' do
+ expect { subject }.to change { Project.count }
+
+ expect(response).to have_gitlab_http_status(:redirect)
+ end
end
end
- context 'when import by url is enabled' do
- before do
- stub_application_setting(import_sources: ['git'])
+ context 'with new_project_sast_enabled', :experiment do
+ let(:params) do
+ {
+ path: 'foo',
+ description: 'bar',
+ namespace_id: user.namespace.id,
+ initialize_with_sast: '1'
+ }
end
- it 'creates project' do
- expect { subject }.to change { Project.count }
+ it 'tracks an event on project creation' do
+ expect(experiment(:new_project_sast_enabled)).to track(:created,
+ property: 'blank',
+ checked: true,
+ project: an_instance_of(Project),
+ namespace: user.namespace
+ ).on_next_instance.with_context(user: user)
- expect(response).to have_gitlab_http_status(:redirect)
+ post :create, params: { project: params }
end
end
end
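Review bot: The new `with new_project_sast_enabled` context exercises only the checked path (`initialize_with_sast: '1'`), so nothing pins what happens when the box is left unchecked. The parameter arrives as a string and `'0'` is truthy in Ruby, so a sibling example with `initialize_with_sast: '0'` expecting `checked: false` would catch a missing boolean cast. The controller code is outside this view, so whether it casts is not confirmed here. The same gap applies to the `when SAST initialization is requested` context in spec/services/projects/create_service_spec.rb, where a `'0'` case should leave the repository without the SAST commit. The example could also call `subject` instead of repeating `post :create, params: { project: params }`.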
diff --git a/spec/experiments/new_project_sast_enabled_experiment_spec.rb b/spec/experiments/new_project_sast_enabled_experiment_spec.rb
new file mode 100644
index 00000000000..dcf71bfffd7
--- /dev/null
+++ b/spec/experiments/new_project_sast_enabled_experiment_spec.rb
@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe NewProjectSastEnabledExperiment do
+ it "defines the expected behaviors and variants" do
+ expect(subject.behaviors.keys).to match_array(%w[control candidate free_indicator])
+ end
+
+ it "publishes to the database" do
+ expect(subject).to receive(:publish_to_database)
+
+ subject.publish
+ end
+end
diff --git a/spec/features/projects/user_creates_project_spec.rb b/spec/features/projects/user_creates_project_spec.rb
index 9f08759603e..5d482f9fbd0 100644
--- a/spec/features/projects/user_creates_project_spec.rb
+++ b/spec/features/projects/user_creates_project_spec.rb
@@ -33,6 +33,29 @@ RSpec.describe 'User creates a project', :js do
expect(page).to have_content(project.url_to_repo)
end
+ it 'creates a new project that is not blank' do
+ stub_experiments(new_project_sast_enabled: 'candidate')
+
+ visit(new_project_path)
+
+ find('[data-qa-panel-name="blank_project"]').click # rubocop:disable QA/SelectorUsage
+ fill_in(:project_name, with: 'With initial commits')
+
+ expect(page).to have_checked_field 'Initialize repository with a README'
+ expect(page).to have_checked_field 'Enable Static Application Security Testing (SAST)'
+
+ page.within('#content-body') do
+ click_button('Create project')
+ end
+
+ project = Project.last
+
+ expect(current_path).to eq(project_path(project))
+ expect(page).to have_content('With initial commits')
+ expect(page).to have_content('Configure SAST in `.gitlab-ci.yml`, creating this file if it does not already exist')
+ expect(page).to have_content('README.md Initial commit')
+ end
+
context 'in a subgroup they do not own' do
let(:parent) { create(:group) }
let!(:subgroup) { create(:group, parent: parent) }
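Review bot: `project = Project.last` is read immediately after `click_button('Create project')` in a `:js` spec, so the lookup can run before the create request has finished, and `expect(current_path).to eq(...)` does not retry. Put a waiting matcher ahead of the lookup, for example by moving the commit-message `have_content` check above `Project.last`. Then replace the path check with `expect(page).to have_current_path(project_path(project))`. The title `'creates a new project that is not blank'` also does not mention SAST, which is what the example newly verifies. The enclosing describe block starts outside the hunk.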
diff --git a/spec/services/projects/create_service_spec.rb b/spec/services/projects/create_service_spec.rb
index e15d9341fd1..3b0c9e3d11e 100644
--- a/spec/services/projects/create_service_spec.rb
+++ b/spec/services/projects/create_service_spec.rb
@@ -622,6 +622,22 @@ RSpec.describe Projects::CreateService, '#execute' do
end
end
+ context 'when SAST initialization is requested' do
+ let(:project) { create_project(user, opts) }
+
+ before do
+ opts[:initialize_with_sast] = '1'
+ allow(Gitlab::CurrentSettings).to receive(:default_branch_name).and_return('main')
+ end
+
+ it 'creates a commit for SAST', :aggregate_failures do
+ expect(project.repository.commit_count).to be(1)
+ expect(project.repository.commit.message).to eq(
+ 'Configure SAST in `.gitlab-ci.yml`, creating this file if it does not already exist'
+ )
+ end
+ end
+
describe 'create integration for the project' do
subject(:project) { create_project(user, opts) }
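Review bot: The example `creates a commit for SAST` asserts only the commit count and message, so it would still pass if the commit landed on an unexpected branch or wrote a `.gitlab-ci.yml` that does not enable SAST. The `default_branch_name` stub to `'main'` is never asserted against; adding `expect(project.repository.root_ref).to eq('main')` would use it. A content check such as `expect(project.repository.blob_data_at('main', '.gitlab-ci.yml')).to include('SAST')` would confirm the scanner is actually configured, assuming the generated file references the SAST template by that name. The enclosing describe block starts and ends outside the hunk.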
diff --git a/spec/services/security/ci_configuration/sast_create_service_spec.rb b/spec/services/security/ci_configuration/sast_create_service_spec.rb
index 44f8f07a5be..c7e732dc79a 100644
--- a/spec/services/security/ci_configuration/sast_create_service_spec.rb
+++ b/spec/services/security/ci_configuration/sast_create_service_spec.rb
@@ -23,4 +23,27 @@ RSpec.describe Security::CiConfiguration::SastCreateService, :snowplow do
end
include_examples 'services security ci configuration create service'
+
+ context "when committing to the default branch", :aggregate_failures do
+ subject(:result) { described_class.new(project, user, params, commit_on_default: true).execute }
+
+ let(:params) { {} }
+
+ before do
+ project.add_developer(user)
+ end
+
+ it "doesn't try to remove that branch on raised exceptions" do
+ expect(Files::MultiService).to receive(:new).and_raise(StandardError, '_exception_')
+ expect(project.repository).not_to receive(:rm_branch)
+
+ expect { result }.to raise_error(StandardError, '_exception_')
+ end
+
+ it "commits directly to the default branch" do
+ expect(result.status).to eq(:success)
+ expect(result.payload[:success_path]).to match(/#{Gitlab::Routing.url_helpers.project_new_merge_request_url(project, {})}(.*)description(.*)source_branch/)
+ expect(result.payload[:branch]).to eq('master')
+ end
+ end
end
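Review bot: `expect(result.payload[:branch]).to eq('master')` hard-codes the fixture's default branch name, so the example is tied to the test repository rather than to the behaviour under test; `expect(result.payload[:branch]).to eq(project.default_branch)` states the intent. The `success_path` pattern interpolates a URL into a regex unescaped, so `.` in the host matches any character; wrap it as `Regexp.escape(Gitlab::Routing.url_helpers.project_new_merge_request_url(project, {}))`. Neither example covers `commit_on_default: true` for a user who may not push to the default branch. Only a developer is set up here, and whether the shared examples cover that case is not visible in this hunk.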