Add latest changes from gitlab-org/gitlab@master

author: GitLab Bot <gitlab-bot@gitlab.com> 2022-04-15 21:09:57 +0300
committer: GitLab Bot <gitlab-bot@gitlab.com> 2022-04-15 21:09:57 +0300
commit: 7fd0523d8274c9187cad5462eb7e3ce860fc6e70 (patch)
tree: 4ddd84ffc4d112c6b564fa1ca120300b07a97684 /lib/gitlab/ci/templates/Jobs
parent: 9bc993af35f718058a8367b869e003ec7124294e (diff)
4 files changed, 28 insertions, 33 deletions
diff --git a/lib/gitlab/ci/templates/Jobs/Dependency-Scanning.gitlab-ci.yml b/lib/gitlab/ci/templates/Jobs/Dependency-Scanning.gitlab-ci.yml
index 1a99db67441..d41182ec9be 100644
--- a/lib/gitlab/ci/templates/Jobs/Dependency-Scanning.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Jobs/Dependency-Scanning.gitlab-ci.yml
@@ -32,6 +32,16 @@ dependency_scanning:
 .ds-analyzer:
   extends: dependency_scanning
   allow_failure: true
+  variables:
+    # DS_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
+    # override the analyzer image with a custom value. This may be subject to change or
+    # breakage across GitLab releases.
+    DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/$DS_ANALYZER_NAME:$DS_MAJOR_VERSION"
+    # DS_ANALYZER_NAME is an undocumented variable used in job definitions
+    # to inject the analyzer name in the image name.
+    DS_ANALYZER_NAME: ""
+  image:
+    name: "$DS_ANALYZER_IMAGE$DS_IMAGE_SUFFIX"
   # `rules` must be overridden explicitly by each child job
   # see https://gitlab.com/gitlab-org/gitlab/-/issues/218444
   script:
@@ -46,13 +56,8 @@ gemnasium-dependency_scanning:
   extends:
     - .ds-analyzer
     - .cyclone-dx-reports
-  image:
-    name: "$DS_ANALYZER_IMAGE"
   variables:
-    # DS_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
-    # override the analyzer image with a custom value. This may be subject to change or
-    # breakage across GitLab releases.
-    DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/gemnasium:$DS_MAJOR_VERSION"
+    DS_ANALYZER_NAME: "gemnasium"
     GEMNASIUM_LIBRARY_SCAN_ENABLED: "true"
   rules:
     - if: $DEPENDENCY_SCANNING_DISABLED
@@ -77,13 +82,8 @@ gemnasium-maven-dependency_scanning:
   extends:
     - .ds-analyzer
     - .cyclone-dx-reports
-  image:
-    name: "$DS_ANALYZER_IMAGE"
   variables:
-    # DS_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
-    # override the analyzer image with a custom value. This may be subject to change or
-    # breakage across GitLab releases.
-    DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/gemnasium-maven:$DS_MAJOR_VERSION"
+    DS_ANALYZER_NAME: "gemnasium-maven"
     # Stop reporting Gradle as "maven".
     # See https://gitlab.com/gitlab-org/gitlab/-/issues/338252
     DS_REPORT_PACKAGE_MANAGER_MAVEN_WHEN_JAVA: "false"
@@ -105,13 +105,8 @@ gemnasium-python-dependency_scanning:
   extends:
     - .ds-analyzer
     - .cyclone-dx-reports
-  image:
-    name: "$DS_ANALYZER_IMAGE"
   variables:
-    # DS_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
-    # override the analyzer image with a custom value. This may be subject to change or
-    # breakage across GitLab releases.
-    DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/gemnasium-python:$DS_MAJOR_VERSION"
+    DS_ANALYZER_NAME: "gemnasium-python"
     # Stop reporting Pipenv and Setuptools as "pip".
     # See https://gitlab.com/gitlab-org/gitlab/-/issues/338252
     DS_REPORT_PACKAGE_MANAGER_PIP_WHEN_PYTHON: "false"
@@ -138,13 +133,8 @@ gemnasium-python-dependency_scanning:
 
 bundler-audit-dependency_scanning:
   extends: .ds-analyzer
-  image:
-    name: "$DS_ANALYZER_IMAGE"
   variables:
-    # DS_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
-    # override the analyzer image with a custom value. This may be subject to change or
-    # breakage across GitLab releases.
-    DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/bundler-audit:$DS_MAJOR_VERSION"
+    DS_ANALYZER_NAME: "bundler-audit"
   rules:
     - if: $DEPENDENCY_SCANNING_DISABLED
       when: never
@@ -158,13 +148,8 @@ bundler-audit-dependency_scanning:
 
 retire-js-dependency_scanning:
   extends: .ds-analyzer
-  image:
-    name: "$DS_ANALYZER_IMAGE"
   variables:
-    # DS_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
-    # override the analyzer image with a custom value. This may be subject to change or
-    # breakage across GitLab releases.
-    DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/retire.js:$DS_MAJOR_VERSION"
+    DS_ANALYZER_NAME: "retire.js"
   rules:
     - if: $DEPENDENCY_SCANNING_DISABLED
       when: never
diff --git a/lib/gitlab/ci/templates/Jobs/SAST-IaC.latest.gitlab-ci.yml b/lib/gitlab/ci/templates/Jobs/SAST-IaC.latest.gitlab-ci.yml
index 5ddfb2a54be..488e7ec72fd 100644
--- a/lib/gitlab/ci/templates/Jobs/SAST-IaC.latest.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Jobs/SAST-IaC.latest.gitlab-ci.yml
@@ -1,7 +1,14 @@
+# Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/iac_scanning/
+#
+# Configure SAST with CI/CD variables (https://docs.gitlab.com/ee/ci/variables/index.html).
+# List of available variables: https://docs.gitlab.com/ee/user/application_security/iac_scanning/index.html
+
 variables:
   # Setting this variable will affect all Security templates
   # (SAST, Dependency Scanning, ...)
   SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
+  SAST_IMAGE_SUFFIX: ""
+
   SAST_EXCLUDED_PATHS: "spec, test, tests, tmp"
 
 iac-sast:
@@ -25,7 +32,7 @@ kics-iac-sast:
     name: "$SAST_ANALYZER_IMAGE"
   variables:
     SAST_ANALYZER_IMAGE_TAG: 1
-    SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/kics:$SAST_ANALYZER_IMAGE_TAG"
+    SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/kics:$SAST_ANALYZER_IMAGE_TAG$SAST_IMAGE_SUFFIX"
   rules:
     - if: $SAST_DISABLED
       when: never
diff --git a/lib/gitlab/ci/templates/Jobs/SAST.gitlab-ci.yml b/lib/gitlab/ci/templates/Jobs/SAST.gitlab-ci.yml
index 241eae89dd3..91b403d7006 100644
--- a/lib/gitlab/ci/templates/Jobs/SAST.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Jobs/SAST.gitlab-ci.yml
@@ -7,6 +7,7 @@ variables:
   # Setting this variable will affect all Security templates
   # (SAST, Dependency Scanning, ...)
   SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
+  SAST_IMAGE_SUFFIX: ""
 
   SAST_EXCLUDED_ANALYZERS: ""
   SAST_EXCLUDED_PATHS: "spec, test, tests, tmp"
@@ -251,7 +252,7 @@ semgrep-sast:
     name: "$SAST_ANALYZER_IMAGE"
   variables:
     SAST_ANALYZER_IMAGE_TAG: 2
-    SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/semgrep:$SAST_ANALYZER_IMAGE_TAG"
+    SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/semgrep:$SAST_ANALYZER_IMAGE_TAG$SAST_IMAGE_SUFFIX"
   rules:
     - if: $SAST_DISABLED
       when: never
diff --git a/lib/gitlab/ci/templates/Jobs/Secret-Detection.gitlab-ci.yml b/lib/gitlab/ci/templates/Jobs/Secret-Detection.gitlab-ci.yml
index a3620cc9733..6aacd082fd7 100644
--- a/lib/gitlab/ci/templates/Jobs/Secret-Detection.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Jobs/Secret-Detection.gitlab-ci.yml
@@ -6,12 +6,14 @@
 
 variables:
   SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
+  SECRET_DETECTION_IMAGE_SUFFIX: ""
+
   SECRETS_ANALYZER_VERSION: "3"
   SECRET_DETECTION_EXCLUDED_PATHS: ""
 
 .secret-analyzer:
   stage: test
-  image: "$SECURE_ANALYZERS_PREFIX/secrets:$SECRETS_ANALYZER_VERSION"
+  image: "$SECURE_ANALYZERS_PREFIX/secrets:$SECRETS_ANALYZER_VERSION$SECRET_DETECTION_IMAGE_SUFFIX"
   services: []
   allow_failure: true
   variables:
author	GitLab Bot <gitlab-bot@gitlab.com>	2022-04-15 21:09:57 +0300
committer	GitLab Bot <gitlab-bot@gitlab.com>	2022-04-15 21:09:57 +0300
commit	7fd0523d8274c9187cad5462eb7e3ce860fc6e70 (patch)
tree	4ddd84ffc4d112c6b564fa1ca120300b07a97684 /lib/gitlab/ci/templates/Jobs
parent	9bc993af35f718058a8367b869e003ec7124294e (diff)