feat: Update SECURE_ANALYZER_PREFIX in all Sec Section templates

BREAKING CHANGE: migrate from `SECURE_ANALYZER_PREFIX` to point to new container registries at top-level namespace Relates to gitlab.com/gitlab-org/gitlab/-/issues/334325 Changelog: deprecated

feat: Update SECURE_ANALYZER_PREFIX in all Sec Section templates
BREAKING CHANGE: migrate from `SECURE_ANALYZER_PREFIX` to point to new container registries at top-level namespace Relates to gitlab.com/gitlab-org/gitlab/-/issues/334325 Changelog: deprecated
382bd94d · Lucas Charles · c230f294 · 382bd94d · 382bd94d · 382bd94d
Commit 382bd94d authored Feb 09, 2022 by Lucas Charles
28 changed files
--- a/.gitlab/ci/review-apps/dast.gitlab-ci.yml
+++ b/.gitlab/ci/review-apps/dast.gitlab-ci.yml
@@ -5,7 +5,7 @@
  extends:
    - .reports:rules:schedule-dast
  image:
-    name: "registry.gitlab.com/gitlab-org/security-products/dast:$DAST_VERSION"
+    name: "registry.gitlab.com/security-products/dast:$DAST_VERSION"
  resource_group: dast_scan
  variables:
    DAST_USERNAME_FIELD: "user[login]"

--- a/app/validators/json_schemas/security_ci_configuration_schemas/sast_ui_schema.json
+++ b/app/validators/json_schemas/security_ci_configuration_schemas/sast_ui_schema.json
@@ -2,8 +2,8 @@
    "$schema": "http://json-schema.org/draft-07/schema#",
    "global": [
        {
-            "field" : "SECURE_ANALYZERS_PREFIX",
-            "label" : "Image prefix",
+            "field": "SECURE_ANALYZERS_PREFIX",
+            "label": "Image prefix",
            "type": "string",
            "default_value": "",
            "value": "",

--- a/doc/user/application_security/dependency_scanning/analyzers.md
+++ b/doc/user/application_security/dependency_scanning/analyzers.md
@@ -50,7 +50,7 @@ Any custom change to the official analyzers can be achieved by using a
 You can switch to a custom Docker registry that provides the official analyzer
 images under a different prefix. For instance, the following instructs Dependency
 Scanning to pull `my-docker-registry/gl-images/gemnasium`
-instead of `registry.gitlab.com/gitlab-org/security-products/analyzers/gemnasium`.
+instead of `registry.gitlab.com/security-products/gemnasium`.
 In `.gitlab-ci.yml` define:

 ```yaml

--- a/doc/user/application_security/dependency_scanning/index.md
+++ b/doc/user/application_security/dependency_scanning/index.md
@@ -892,11 +892,11 @@ import the following default dependency scanning analyzer images from `registry.
 your [local Docker container registry](../../packages/container_registry/index.md):

 ```plaintext
-registry.gitlab.com/gitlab-org/security-products/analyzers/gemnasium:2
-registry.gitlab.com/gitlab-org/security-products/analyzers/gemnasium-maven:2
-registry.gitlab.com/gitlab-org/security-products/analyzers/gemnasium-python:2
-registry.gitlab.com/gitlab-org/security-products/analyzers/retire.js:2
-registry.gitlab.com/gitlab-org/security-products/analyzers/bundler-audit:2
+registry.gitlab.com/security-products/gemnasium:2
+registry.gitlab.com/security-products/gemnasium-maven:2
+registry.gitlab.com/security-products/gemnasium-python:2
+registry.gitlab.com/security-products/retire.js:2
+registry.gitlab.com/security-products/bundler-audit:2
 ```

 The process for importing Docker images into a local offline Docker registry depends on

--- a/doc/user/application_security/index.md
+++ b/doc/user/application_security/index.md
@@ -110,11 +110,9 @@ For more details about each of the security scanning tools, see their respective

 ### Override the default registry base address

-By default, GitLab security scanners use `registry.gitlab.com/gitlab-org/security-products/analyzers` as the
+By default, GitLab security scanners use `registry.gitlab.com/security-products` as the
 base address for Docker images. You can override this globally by setting the CI/CD variable
-`SECURE_ANALYZERS_PREFIX` to another location. Note that this affects all scanners at once, except
-the container-scanning analyzer which uses
-`registry.gitlab.com/security-products/container-scanning` as its registry.
+`SECURE_ANALYZERS_PREFIX` to another location. Note that this affects all scanners at once.

 ### Use security scanning tools with merge request pipelines


--- a/doc/user/application_security/offline_deployments/index.md
+++ b/doc/user/application_security/offline_deployments/index.md
@@ -179,7 +179,7 @@ set -ux

 # Specify needed analyzer images
 analyzers=${SAST_ANALYZERS:-"bandit eslint gosec"}
-gitlab=registry.gitlab.com/gitlab-org/security-products/analyzers/
+gitlab=registry.gitlab.com/security-products/

 for i in "${analyzers[@]}"
 do

--- a/doc/user/compliance/license_compliance/index.md
+++ b/doc/user/compliance/license_compliance/index.md
@@ -650,7 +650,7 @@ import the following default License Compliance analyzer images from `registry.g
 offline [local Docker container registry](../../packages/container_registry/index.md):

 ```plaintext
-registry.gitlab.com/gitlab-org/security-products/analyzers/license-finder:latest
+registry.gitlab.com/security-products/license-finder:latest
 ```

 The process for importing Docker images into a local offline Docker registry depends on
@@ -853,7 +853,7 @@ A full list of variables can be found in [CI/CD variables](#available-cicd-varia
 To find out what tools are pre-installed in the `license_scanning` Docker image use the following command:

 ```shell
-$ docker run --entrypoint='' registry.gitlab.com/gitlab-org/security-products/analyzers/license-finder:3 /bin/bash -lc 'asdf list'
+$ docker run --entrypoint='' registry.gitlab.com/security-products/license-finder:3 /bin/bash -lc 'asdf list'
 golang
  1.14
 gradle
@@ -880,7 +880,7 @@ sbt
 To interact with the `license_scanning` runtime environment use the following command:

 ```shell
-$ docker run -it --entrypoint='' registry.gitlab.com/gitlab-org/security-products/analyzers/license-finder:3 /bin/bash -l
+$ docker run -it --entrypoint='' registry.gitlab.com/security-products/license-finder:3 /bin/bash -l
 root@6abb70e9f193:~#
 ```


--- a/ee/spec/lib/gitlab/ci/config/security_orchestration_policies/processor_spec.rb
+++ b/ee/spec/lib/gitlab/ci/config/security_orchestration_policies/processor_spec.rb
@@ -151,7 +151,7 @@ RSpec.describe Gitlab::Ci::Config::SecurityOrchestrationPolicies::Processor do
                },
                variables: {
                  GIT_DEPTH: '50',
-                  SECURE_ANALYZERS_PREFIX: 'registry.gitlab.com/gitlab-org/security-products/analyzers',
+                  SECURE_ANALYZERS_PREFIX: secure_analyzers_prefix,
                  SECRETS_ANALYZER_VERSION: '3',
                  SECRET_DETECTION_EXCLUDED_PATHS: '',
                  SECRET_DETECTION_HISTORIC_SCAN: 'false'

--- a/ee/spec/lib/gitlab/ci/templates/sast_iac_latest_gitlab_ci_yaml_spec.rb
+++ b/ee/spec/lib/gitlab/ci/templates/sast_iac_latest_gitlab_ci_yaml_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe 'SAST-IaC.latest.gitlab-ci.yml' do
+  subject(:template) { Gitlab::Template::GitlabCiYmlTemplate.find('SAST-IaC.latest') }
+
+  describe 'the created pipeline' do
+    let(:default_branch) { 'master' }
+    let(:files) { { 'README.md' => '' } }
+    let(:project) { create(:project, :custom_repo, files: files) }
+    let(:user) { project.first_owner }
+    let(:service) { Ci::CreatePipelineService.new(project, user, ref: 'master') }
+    let(:pipeline) { service.execute!(:push).payload }
+    let(:build_names) { pipeline.builds.pluck(:name) }
+
+    before do
+      stub_ci_pipeline_yaml_file(template.content)
+      allow_next_instance_of(Ci::BuildScheduleWorker) do |worker|
+        allow(worker).to receive(:perform).and_return(true)
+      end
+      allow(project).to receive(:default_branch).and_return(default_branch)
+    end
+
+    context 'when project has no license' do
+      context 'when SAST_DISABLED=1' do
+        before do
+          create(:ci_variable, project: project, key: 'SAST_DISABLED', value: '1')
+        end
+
+        it 'includes no jobs' do
+          expect { pipeline }.to raise_error(Ci::CreatePipelineService::CreateError)
+        end
+      end
+    end
+
+    context 'by default' do
+      it 'creates a pipeline with the expected jobs' do
+        expect(build_names).to match_array(%w(kics-iac-sast))
+      end
+    end
+  end
+end
--- a/ee/spec/lib/gitlab/ci/templates/secret_detection_gitlab_ci_yaml_spec.rb
+++ b/ee/spec/lib/gitlab/ci/templates/secret_detection_gitlab_ci_yaml_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe 'Secret-Detection.gitlab-ci.yml' do
+  subject(:template) { Gitlab::Template::GitlabCiYmlTemplate.find('Secret-Detection') }
+
+  describe 'the created pipeline' do
+    let(:default_branch) { 'master' }
+    let(:files) { { 'README.md' => '' } }
+    let(:project) { create(:project, :custom_repo, files: files) }
+    let(:user) { project.first_owner }
+    let(:service) { Ci::CreatePipelineService.new(project, user, ref: 'master') }
+    let(:pipeline) { service.execute!(:push).payload }
+    let(:build_names) { pipeline.builds.pluck(:name) }
+
+    before do
+      stub_ci_pipeline_yaml_file(template.content)
+      allow_next_instance_of(Ci::BuildScheduleWorker) do |worker|
+        allow(worker).to receive(:perform).and_return(true)
+      end
+      allow(project).to receive(:default_branch).and_return(default_branch)
+    end
+
+    context 'when project has no license' do
+      context 'when SECRET_DETECTION_DISABLED=1' do
+        before do
+          create(:ci_variable, project: project, key: 'SECRET_DETECTION_DISABLED', value: '1')
+        end
+
+        it 'includes no jobs' do
+          expect { pipeline }.to raise_error(Ci::CreatePipelineService::CreateError)
+        end
+      end
+
+      context 'by default' do
+        it 'creates a pipeline with the expected jobs' do
+          expect(build_names).to match_array(%w(secret_detection))
+        end
+      end
+    end
+  end
+end
--- a/ee/spec/services/security/security_orchestration_policies/ci_configuration_service_spec.rb
+++ b/ee/spec/services/security/security_orchestration_policies/ci_configuration_service_spec.rb
@@ -40,7 +40,7 @@ RSpec.describe Security::SecurityOrchestrationPolicies::CiConfigurationService d
            },
            variables: {
              GIT_DEPTH: '50',
-              SECURE_ANALYZERS_PREFIX: 'registry.gitlab.com/gitlab-org/security-products/analyzers',
+              SECURE_ANALYZERS_PREFIX: 'registry.gitlab.com/security-products',
              SECRETS_ANALYZER_VERSION: '3',
              SECRET_DETECTION_EXCLUDED_PATHS: '',
              SECRET_DETECTION_HISTORIC_SCAN: 'false'

--- a/lib/gitlab/ci/templates/Jobs/Dependency-Scanning.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Jobs/Dependency-Scanning.gitlab-ci.yml
@@ -11,7 +11,7 @@
 variables:
  # Setting this variable will affect all Security templates
  # (SAST, Dependency Scanning, ...)
-  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
+  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
  DS_DEFAULT_ANALYZERS: "bundler-audit, retire.js, gemnasium, gemnasium-maven, gemnasium-python"
  DS_EXCLUDED_ANALYZERS: ""
  DS_EXCLUDED_PATHS: "spec, test, tests, tmp"

--- a/lib/gitlab/ci/templates/Jobs/License-Scanning.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Jobs/License-Scanning.gitlab-ci.yml
@@ -11,7 +11,7 @@
 variables:
  # Setting this variable will affect all Security templates
  # (SAST, Dependency Scanning, ...)
-  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
+  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"

  LICENSE_MANAGEMENT_SETUP_CMD: ''  # If needed, specify a command to setup your environment with a custom package manager.
  LICENSE_MANAGEMENT_VERSION: 3

--- a/lib/gitlab/ci/templates/Jobs/SAST-IaC.latest.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Jobs/SAST-IaC.latest.gitlab-ci.yml
 variables:
  # Setting this variable will affect all Security templates
  # (SAST, Dependency Scanning, ...)
-  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
+  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
  SAST_EXCLUDED_PATHS: "spec, test, tests, tmp"

 iac-sast:

--- a/lib/gitlab/ci/templates/Jobs/SAST.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Jobs/SAST.gitlab-ci.yml
@@ -6,7 +6,7 @@
 variables:
  # Setting this variable will affect all Security templates
  # (SAST, Dependency Scanning, ...)
-  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
+  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"

  SAST_EXCLUDED_ANALYZERS: ""
  SAST_EXCLUDED_PATHS: "spec, test, tests, tmp"

--- a/lib/gitlab/ci/templates/Jobs/Secret-Detection.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Jobs/Secret-Detection.gitlab-ci.yml
@@ -5,7 +5,7 @@
 # How to set: https://docs.gitlab.com/ee/ci/yaml/#variables

 variables:
-  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
+  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
  SECRETS_ANALYZER_VERSION: "3"
  SECRET_DETECTION_EXCLUDED_PATHS: ""


--- a/lib/gitlab/ci/templates/Security/API-Fuzzing.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Security/API-Fuzzing.gitlab-ci.yml
@@ -10,7 +10,7 @@

 variables:
    FUZZAPI_VERSION: "1"
-    SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
+    SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
    FUZZAPI_IMAGE: ${SECURE_ANALYZERS_PREFIX}/api-fuzzing:${FUZZAPI_VERSION}

 apifuzzer_fuzz:

--- a/lib/gitlab/ci/templates/Security/API-Fuzzing.latest.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Security/API-Fuzzing.latest.gitlab-ci.yml
@@ -10,7 +10,7 @@

 variables:
    FUZZAPI_VERSION: "1"
-    SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
+    SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
    FUZZAPI_IMAGE: api-fuzzing

 apifuzzer_fuzz:

--- a/lib/gitlab/ci/templates/Security/DAST-API.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Security/DAST-API.gitlab-ci.yml
@@ -24,7 +24,7 @@
 variables:
  # Setting this variable affects all Security templates
  # (SAST, Dependency Scanning, ...)
-  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
+  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
  #
  DAST_API_VERSION: "1"
  DAST_API_IMAGE: $SECURE_ANALYZERS_PREFIX/api-fuzzing:$DAST_API_VERSION

--- a/lib/gitlab/ci/templates/Security/DAST-API.latest.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Security/DAST-API.latest.gitlab-ci.yml
@@ -24,7 +24,7 @@
 variables:
  # Setting this variable affects all Security templates
  # (SAST, Dependency Scanning, ...)
-  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
+  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
  #
  DAST_API_VERSION: "1"
  DAST_API_IMAGE: api-fuzzing

--- a/lib/gitlab/ci/templates/Security/DAST-On-Demand-API-Scan.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Security/DAST-On-Demand-API-Scan.gitlab-ci.yml
@@ -5,7 +5,7 @@ stages:
  - dast

 variables:
-  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
+  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
  DAST_API_VERSION: "1"
  DAST_API_IMAGE: $SECURE_ANALYZERS_PREFIX/api-fuzzing:$DAST_API_VERSION


--- a/lib/gitlab/ci/templates/Security/DAST-On-Demand-Scan.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Security/DAST-On-Demand-Scan.gitlab-ci.yml
@@ -13,7 +13,7 @@ variables:
  DAST_VERSION: 2
  # Setting this variable will affect all Security templates
  # (SAST, Dependency Scanning, ...)
-  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
+  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"

 dast:
  stage: dast

--- a/lib/gitlab/ci/templates/Security/DAST.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Security/DAST.gitlab-ci.yml
@@ -25,7 +25,7 @@ variables:
  DAST_VERSION: 2
  # Setting this variable will affect all Security templates
  # (SAST, Dependency Scanning, ...)
-  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
+  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"

 dast:
  stage: dast

--- a/lib/gitlab/ci/templates/Security/DAST.latest.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Security/DAST.latest.gitlab-ci.yml
@@ -25,7 +25,7 @@ variables:
  DAST_VERSION: 2
  # Setting this variable will affect all Security templates
  # (SAST, Dependency Scanning, ...)
-  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
+  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"

 dast:
  stage: dast

--- a/lib/gitlab/ci/templates/Security/Secure-Binaries.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Security/Secure-Binaries.gitlab-ci.yml
@@ -14,8 +14,11 @@
 # Docs: https://docs.gitlab.com/ee/topics/airgap/

 variables:
+  # Setting this variable will affect all Security templates
+  # (SAST, Dependency Scanning, ...)
+  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
  SECURE_BINARIES_ANALYZERS: >-
-    bandit, brakeman, gosec, spotbugs, flawfinder, phpcs-security-audit, security-code-scan, nodejs-scan, eslint, secrets, sobelow, pmd-apex, kubesec, semgrep,
+    bandit, brakeman, gosec, spotbugs, flawfinder, phpcs-security-audit, security-code-scan, nodejs-scan, eslint, secrets, sobelow, pmd-apex, kics, kubesec, semgrep,
    bundler-audit, retire.js, gemnasium, gemnasium-maven, gemnasium-python,
    license-finder,
    dast, dast-runner-validation, api-fuzzing
@@ -40,7 +43,7 @@ variables:
  script:
    - docker info
    - env
-    - if [ -z "$SECURE_BINARIES_IMAGE" ]; then export SECURE_BINARIES_IMAGE=${SECURE_BINARIES_IMAGE:-"registry.gitlab.com/gitlab-org/security-products/analyzers/${CI_JOB_NAME}:${SECURE_BINARIES_ANALYZER_VERSION}"}; fi
+    - if [ -z "$SECURE_BINARIES_IMAGE" ]; then export SECURE_BINARIES_IMAGE=${SECURE_BINARIES_IMAGE:-"${SECURE_ANALYZERS_PREFIX}/${CI_JOB_NAME}:${SECURE_BINARIES_ANALYZER_VERSION}"}; fi
    - docker pull --quiet ${SECURE_BINARIES_IMAGE}
    - mkdir -p output/$(dirname ${CI_JOB_NAME})
    - |

--- a/spec/lib/security/ci_configuration/sast_build_action_spec.rb
+++ b/spec/lib/security/ci_configuration/sast_build_action_spec.rb
@@ -6,7 +6,7 @@ RSpec.describe Security::CiConfiguration::SastBuildAction do
  let(:default_sast_values) do
    { 'global' =>
      [
-        { 'field' => 'SECURE_ANALYZERS_PREFIX', 'defaultValue' => 'registry.gitlab.com/gitlab-org/security-products/analyzers', 'value' => 'registry.gitlab.com/gitlab-org/security-products/analyzers' }
+        { 'field' => 'SECURE_ANALYZERS_PREFIX', 'defaultValue' => 'registry.gitlab.com/security-products', 'value' => 'registry.gitlab.com/security-products' }
      ],
      'pipeline' =>
      [
@@ -19,7 +19,7 @@ RSpec.describe Security::CiConfiguration::SastBuildAction do
  let(:params) do
    { 'global' =>
      [
-        { 'field' => 'SECURE_ANALYZERS_PREFIX', 'defaultValue' => 'registry.gitlab.com/gitlab-org/security-products/analyzers', 'value' => 'new_registry' }
+        { 'field' => 'SECURE_ANALYZERS_PREFIX', 'defaultValue' => 'registry.gitlab.com/security-products', 'value' => 'new_registry' }
      ],
      'pipeline' =>
      [
@@ -164,7 +164,7 @@ RSpec.describe Security::CiConfiguration::SastBuildAction do
      let(:params) do
        { 'global' =>
          [
-            { 'field' => 'SECURE_ANALYZERS_PREFIX', 'defaultValue' => 'registry.gitlab.com/gitlab-org/security-products/analyzers', 'value' => 'registry.gitlab.com/gitlab-org/security-products/analyzers' }
+            { 'field' => 'SECURE_ANALYZERS_PREFIX', 'defaultValue' => 'registry.gitlab.com/security-products', 'value' => 'registry.gitlab.com/security-products' }
          ],
          'pipeline' =>
          [
@@ -275,7 +275,7 @@ RSpec.describe Security::CiConfiguration::SastBuildAction do
        let(:params) do
          { 'global' =>
            [
-              { 'field' => 'SECURE_ANALYZERS_PREFIX', 'defaultValue' => 'registry.gitlab.com/gitlab-org/security-products/analyzers', 'value' => '' }
+              { 'field' => 'SECURE_ANALYZERS_PREFIX', 'defaultValue' => 'registry.gitlab.com/security-products', 'value' => '' }
            ] }
        end


--- a/spec/services/ci/create_pipeline_service/parameter_content_spec.rb
+++ b/spec/services/ci/create_pipeline_service/parameter_content_spec.rb
@@ -15,7 +15,7 @@ RSpec.describe Ci::CreatePipelineService do

      variables:
        DAST_VERSION: 1
-        SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
+        SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"

      dast:
        stage: dast

--- a/spec/support/helpers/ci/template_helpers.rb
+++ b/spec/support/helpers/ci/template_helpers.rb
@@ -3,7 +3,7 @@
 module Ci
  module TemplateHelpers
    def secure_analyzers_prefix
-      'registry.gitlab.com/gitlab-org/security-products/analyzers'
+      'registry.gitlab.com/security-products'
    end
  end
 end