Merge branch 'sec-sec-registry-prefix' into 'master'

feat: Update SECURE_ANALYZER_PREFIX in all Sec Section templates

See merge request gitlab-org/gitlab!79063

.gitlab/ci/review-apps/dast.gitlab-ci.yml

@@ -5,7 +5,7 @@
   extends:
     - .reports:rules:schedule-dast
   image:
-    name: "registry.gitlab.com/gitlab-org/security-products/dast:$DAST_VERSION"
+    name: "registry.gitlab.com/security-products/dast:$DAST_VERSION"
   resource_group: dast_scan
   variables:
     DAST_USERNAME_FIELD: "user[login]"

app/validators/json_schemas/security_ci_configuration_schemas/sast_ui_schema.json

@@ -2,8 +2,8 @@
     "$schema": "http://json-schema.org/draft-07/schema#",
     "global": [
         {
-            "field" : "SECURE_ANALYZERS_PREFIX",
-            "label" : "Image prefix",
+            "field": "SECURE_ANALYZERS_PREFIX",
+            "label": "Image prefix",
             "type": "string",
             "default_value": "",
             "value": "",

doc/user/application_security/api_fuzzing/index.md

@@ -1163,11 +1163,11 @@ Steps:
 
 The Docker image for API Fuzzing must be pulled (downloaded) from the public registry and then pushed (imported) into a local registry. The GitLab container registry can be used to locally host the Docker image. This process can be performed using a special template. See [loading Docker images onto your offline host](../offline_deployments/index.md#loading-docker-images-onto-your-offline-host) for instructions.
 
-Once the Docker image is hosted locally, the `SECURE_ANALYZERS_PREFIX` variable is set with the location of the local registry. The variable must be set such that concatenating `/api-fuzzing:1` results in a valid image location.
+Once the Docker image is hosted locally, the `SECURE_ANALYZERS_PREFIX` variable is set with the location of the local registry. The variable must be set such that concatenating `/api-security:1` results in a valid image location.
 
-For example, the below line sets a registry for the image `registry.gitlab.com/gitlab-org/security-products/analyzers/api-fuzzing:1`:
+For example, the below line sets a registry for the image `registry.gitlab.com/security-products/api-security:1`:
 
-`SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"`
+`SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"`
 
 NOTE:
 Setting `SECURE_ANALYZERS_PREFIX` changes the Docker image registry location for all GitLab Secure templates.

doc/user/application_security/dast_api/index.md

@@ -1125,9 +1125,9 @@ Once the Docker image is hosted locally, the `SECURE_ANALYZERS_PREFIX` variable
 NOTE:
 DAST API and API Fuzzing both use the same underlying Docker image `api-fuzzing:1`.
 
-For example, the below line sets a registry for the image `registry.gitlab.com/gitlab-org/security-products/analyzers/api-fuzzing:1`:
+For example, the below line sets a registry for the image `registry.gitlab.com/security-products/api-fuzzing:1`:
 
-`SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"`
+`SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"`
 
 NOTE:
 Setting `SECURE_ANALYZERS_PREFIX` changes the Docker image registry location for all GitLab Secure templates.

doc/user/application_security/dependency_scanning/analyzers.md

@@ -45,7 +45,7 @@ Any custom change to the official analyzers can be achieved by using a
 You can switch to a custom Docker registry that provides the official analyzer
 images under a different prefix. For instance, the following instructs Dependency
 Scanning to pull `my-docker-registry/gl-images/gemnasium`
-instead of `registry.gitlab.com/gitlab-org/security-products/analyzers/gemnasium`.
+instead of `registry.gitlab.com/security-products/dependency-scanning/gemnasium`.
 In `.gitlab-ci.yml` define:
 
 ```yaml

doc/user/application_security/dependency_scanning/index.md

@@ -779,11 +779,11 @@ import the following default dependency scanning analyzer images from `registry.
 your [local Docker container registry](../../packages/container_registry/index.md):
 
 ```plaintext
-registry.gitlab.com/gitlab-org/security-products/analyzers/gemnasium:2
-registry.gitlab.com/gitlab-org/security-products/analyzers/gemnasium-maven:2
-registry.gitlab.com/gitlab-org/security-products/analyzers/gemnasium-python:2
-registry.gitlab.com/gitlab-org/security-products/analyzers/retire.js:2
-registry.gitlab.com/gitlab-org/security-products/analyzers/bundler-audit:2
+registry.gitlab.com/security-products/dependency-scanning/gemnasium:2
+registry.gitlab.com/security-products/dependency-scanning/gemnasium-maven:2
+registry.gitlab.com/security-products/dependency-scanning/gemnasium-python:2
+registry.gitlab.com/security-products/dependency-scanning/retire.js:2
+registry.gitlab.com/security-products/dependency-scanning/bundler-audit:2
 ```
 
 The process for importing Docker images into a local offline Docker registry depends on
@@ -1082,4 +1082,4 @@ analyzers, edit your `gitlab-ci.yml` file and either:
 
   For example, currently the `gemnasium-maven-dependency_scanning` job pulls the latest
   `gemnasium-maven` Docker image because `DS_ANALYZER_IMAGE` is set to
-  `"$SECURE_ANALYZERS_PREFIX/gemnasium-maven:$DS_MAJOR_VERSION"`.
+  `"$SECURE_ANALYZERS_PREFIX/dependency-scanning/gemnasium-maven:$DS_MAJOR_VERSION"`.

doc/user/application_security/index.md

@@ -92,11 +92,9 @@ For more details about each of the security scanning tools, see their respective
 
 ### Override the default registry base address
 
-By default, GitLab security scanners use `registry.gitlab.com/gitlab-org/security-products/analyzers` as the
+By default, GitLab security scanners use `registry.gitlab.com/security-products` as the
 base address for Docker images. You can override this globally by setting the CI/CD variable
-`SECURE_ANALYZERS_PREFIX` to another location. Note that this affects all scanners at once, except
-the container-scanning analyzer which uses
-`registry.gitlab.com/security-products/container-scanning` as its registry.
+`SECURE_ANALYZERS_PREFIX` to another location. Note that this affects all scanners at once.
 
 ### Use security scanning tools with merge request pipelines
 

doc/user/application_security/offline_deployments/index.md

@@ -179,7 +179,7 @@ set -ux
 
 # Specify needed analyzer images
 analyzers=${SAST_ANALYZERS:-"bandit eslint gosec"}
-gitlab=registry.gitlab.com/gitlab-org/security-products/analyzers/
+gitlab=registry.gitlab.com/security-products/sast/
 
 for i in "${analyzers[@]}"
 do

doc/user/compliance/license_compliance/index.md

@@ -669,7 +669,7 @@ import the following default License Compliance analyzer images from `registry.g
 offline [local Docker container registry](../../packages/container_registry/index.md):
 
 ```plaintext
-registry.gitlab.com/gitlab-org/security-products/analyzers/license-finder:latest
+registry.gitlab.com/security-products/license-compliance/license-finder:latest
 ```
 
 The process for importing Docker images into a local offline Docker registry depends on
@@ -872,7 +872,7 @@ A full list of variables can be found in [CI/CD variables](#available-cicd-varia
 To find out what tools are pre-installed in the `license_scanning` Docker image use the following command:
 
 ```shell
-$ docker run --entrypoint='' registry.gitlab.com/gitlab-org/security-products/analyzers/license-finder:3 /bin/bash -lc 'asdf list'
+$ docker run --entrypoint='' registry.gitlab.com/security-products/license-compliance/license-finder:3 /bin/bash -lc 'asdf list'
 golang
   1.14
 gradle
@@ -899,7 +899,7 @@ sbt
 To interact with the `license_scanning` runtime environment use the following command:
 
 ```shell
-$ docker run -it --entrypoint='' registry.gitlab.com/gitlab-org/security-products/analyzers/license-finder:3 /bin/bash -l
+$ docker run -it --entrypoint='' registry.gitlab.com/security-products/license-compliance/license-finder:3 /bin/bash -l
 root@6abb70e9f193:~#
 ```
 

ee/spec/lib/gitlab/ci/config/security_orchestration_policies/processor_spec.rb

@@ -139,9 +139,19 @@ RSpec.describe Gitlab::Ci::Config::SecurityOrchestrationPolicies::Processor do
           let(:expected_configuration) do
             {
               'secret-detection-0': hash_including(
-                rules: [{ if: '$SECRET_DETECTION_DISABLED', when: 'never' }, { if: '$CI_COMMIT_BRANCH' }],
+                rules: [
+                  { if: '$SECRET_DETECTION_DISABLED', when: 'never' },
+                  {
+                    if: '$CI_COMMIT_BRANCH && $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX',
+                    variables: { SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX" }
+                  },
+                  {
+                    if: "$CI_COMMIT_BRANCH",
+                    variables: { SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX" }
+                  }
+                ],
                 stage: 'test',
-                image: '$SECURE_ANALYZERS_PREFIX/secrets:$SECRETS_ANALYZER_VERSION',
+                image: '$SECURE_ANALYZERS_PREFIX/secret-detection:$SECRETS_ANALYZER_VERSION',
                 services: [],
                 allow_failure: true,
                 artifacts: {
@@ -151,7 +161,9 @@ RSpec.describe Gitlab::Ci::Config::SecurityOrchestrationPolicies::Processor do
                 },
                 variables: {
                   GIT_DEPTH: '50',
-                  SECURE_ANALYZERS_PREFIX: 'registry.gitlab.com/gitlab-org/security-products/analyzers',
+                  SECURE_ANALYZERS_PREFIX: secure_analyzers_prefix,
+                  DEFAULT_SECURE_ANALYZERS_PREFIX: secure_analyzers_prefix,
+                  DEPRECATED_SECURE_ANALYZERS_PREFIX: 'registry.gitlab.com/gitlab-org/security-products/analyzers',
                   SECRETS_ANALYZER_VERSION: '3',
                   SECRET_DETECTION_EXCLUDED_PATHS: '',
                   SECRET_DETECTION_HISTORIC_SCAN: 'false'

ee/spec/lib/gitlab/ci/templates/api_fuzzing_gitlab_ci_yaml_spec.rb

@@ -10,8 +10,8 @@ RSpec.describe 'API-Fuzzing.gitlab-ci.yml' do
   describe 'the template file' do
     let(:template_filename) { Rails.root.join("lib/gitlab/ci/templates/" + template.full_name) }
     let(:contents) { File.read(template_filename) }
-    let(:production_registry) { '${SECURE_ANALYZERS_PREFIX}/api-fuzzing:${FUZZAPI_VERSION}' }
-    let(:staging_registry) { '${SECURE_ANALYZERS_PREFIX}/api-fuzzing-src:${FUZZAPI_VERSION}' }
+    let(:production_registry) { '$SECURE_ANALYZERS_PREFIX/api-security:$FUZZAPI_VERSION' }
+    let(:staging_registry) { '$SECURE_ANALYZERS_PREFIX/api-security-src:$FUZZAPI_VERSION' }
 
     # Make sure future changes to the template use the production container registry.
     #

ee/spec/lib/gitlab/ci/templates/api_fuzzing_latest_gitlab_ci_yaml_spec.rb

@@ -10,8 +10,8 @@ RSpec.describe 'API-Fuzzing.latest.gitlab-ci.yml' do
   describe 'the template file' do
     let(:template_filename) { Rails.root.join("lib/gitlab/ci/templates/" + template.full_name) }
     let(:contents) { File.read(template_filename) }
-    let(:production_registry) { 'FUZZAPI_IMAGE: api-fuzzing' }
-    let(:staging_registry) { 'FUZZAPI_IMAGE: api-fuzzing-src' }
+    let(:production_registry) { 'FUZZAPI_IMAGE: "api-security"' }
+    let(:staging_registry) { 'FUZZAPI_IMAGE: api-security-src' }
 
     # Make sure future changes to the template use the production container registry.
     #

ee/spec/lib/gitlab/ci/templates/dast_api_gitlab_ci_yaml_spec.rb

@@ -10,8 +10,8 @@ RSpec.describe 'DAST-API.gitlab-ci.yml' do
   describe 'the template file' do
     let(:template_filename) { Rails.root.join("lib/gitlab/ci/templates/" + template.full_name) }
     let(:contents) { File.read(template_filename) }
-    let(:production_registry) { '$SECURE_ANALYZERS_PREFIX/api-fuzzing:$DAST_API_VERSION' }
-    let(:staging_registry) { '$SECURE_ANALYZERS_PREFIX/api-fuzzing-src:$DAST_API_VERSION' }
+    let(:production_registry) { 'DAST_API_IMAGE: "api-security"' }
+    let(:staging_registry) { 'DAST_API_IMAGE: "api-security-src"' }
 
     # Make sure future changes to the template use the production container registry.
     #

ee/spec/lib/gitlab/ci/templates/dast_api_latest_gitlab_ci_yaml_spec.rb

@@ -10,8 +10,8 @@ RSpec.describe 'DAST-API.latest.gitlab-ci.yml' do
   describe 'the template file' do
     let(:template_filename) { Rails.root.join("lib/gitlab/ci/templates/" + template.full_name) }
     let(:contents) { File.read(template_filename) }
-    let(:production_registry) { 'DAST_API_IMAGE: api-fuzzing' }
-    let(:staging_registry) { 'DAST_API_IMAGE: api-fuzzing-src' }
+    let(:production_registry) { 'DAST_API_IMAGE: api-security' }
+    let(:staging_registry) { 'DAST_API_IMAGE: api-security-src' }
 
     # Make sure future changes to the template use the production container registry.
     #

ee/spec/lib/gitlab/ci/templates/dependency_scanning_gitlab_ci_yaml_spec.rb

@@ -114,10 +114,9 @@ RSpec.describe 'Dependency-Scanning.gitlab-ci.yml' do
 
           with_them do
             let(:project) { create(:project, :custom_repo, files: files_at_depth_x) }
+            let(:files_at_depth_x) { files }
 
             context 'with file at root' do
-              let(:files_at_depth_x) { files }
-
               it 'creates a pipeline with the expected jobs' do
                 expect(build_names).to include(*include_build_names)
               end
@@ -148,6 +147,8 @@ RSpec.describe 'Dependency-Scanning.gitlab-ci.yml' do
                 expect { pipeline }.to raise_error(Ci::CreatePipelineService::CreateError)
               end
             end
+
+            it_behaves_like 'setting sec analyzer prefix dynamically', builds: params[:include_build_names], files: params[:files], namespace: 'dependency-scanning'
           end
         end
 

ee/spec/lib/gitlab/ci/templates/sast_gitlab_ci_yaml_spec.rb

@@ -98,6 +98,8 @@ RSpec.describe 'SAST.gitlab-ci.yml' do
             it 'creates a pipeline with the expected jobs' do
               expect(build_names).to include(*include_build_names)
             end
+
+            include_examples 'setting sec analyzer prefix dynamically', builds: params[:include_build_names], files: params[:files], namespace: 'sast'
           end
         end
       end

ee/spec/lib/gitlab/ci/templates/sast_iac_latest_gitlab_ci_yaml_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe 'SAST-IaC.latest.gitlab-ci.yml' do
+  subject(:template) { Gitlab::Template::GitlabCiYmlTemplate.find('SAST-IaC.latest') }
+
+  describe 'the created pipeline' do
+    let(:default_branch) { 'master' }
+    let(:files) { { 'README.md' => '' } }
+    let(:project) { create(:project, :custom_repo, files: files) }
+    let(:user) { project.first_owner }
+    let(:service) { Ci::CreatePipelineService.new(project, user, ref: 'master') }
+    let(:pipeline) { service.execute!(:push).payload }
+    let(:build_names) { pipeline.builds.pluck(:name) }
+
+    before do
+      stub_ci_pipeline_yaml_file(template.content)
+      allow_next_instance_of(Ci::BuildScheduleWorker) do |worker|
+        allow(worker).to receive(:perform).and_return(true)
+      end
+      allow(project).to receive(:default_branch).and_return(default_branch)
+    end
+
+    context 'when project has no license' do
+      context 'when SAST_DISABLED=1' do
+        before do
+          create(:ci_variable, project: project, key: 'SAST_DISABLED', value: '1')
+        end
+
+        it 'includes no jobs' do
+          expect { pipeline }.to raise_error(Ci::CreatePipelineService::CreateError)
+        end
+      end
+    end
+
+    context 'by default' do
+      it 'creates a pipeline with the expected jobs' do
+        expect(build_names).to match_array(%w(kics-iac-sast))
+      end
+    end
+
+    describe 'setting SECURE_ANALYZER_PREFIX' do
+      it_behaves_like 'setting sec analyzer prefix dynamically', builds: %w(kics-iac-sast), namespace: 'sast'
+    end
+  end
+end

ee/spec/lib/gitlab/ci/templates/secret_detection_gitlab_ci_yaml_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe 'Secret-Detection.gitlab-ci.yml' do
+  subject(:template) { Gitlab::Template::GitlabCiYmlTemplate.find('Secret-Detection') }
+
+  describe 'the created pipeline' do
+    let(:default_branch) { 'master' }
+    let(:files) { { 'README.md' => '' } }
+    let(:project) { create(:project, :custom_repo, files: files) }
+    let(:user) { project.first_owner }
+    let(:service) { Ci::CreatePipelineService.new(project, user, ref: 'master') }
+    let(:pipeline) { service.execute!(:push).payload }
+    let(:build_names) { pipeline.builds.pluck(:name) }
+
+    before do
+      stub_ci_pipeline_yaml_file(template.content)
+      allow_next_instance_of(Ci::BuildScheduleWorker) do |worker|
+        allow(worker).to receive(:perform).and_return(true)
+      end
+      allow(project).to receive(:default_branch).and_return(default_branch)
+    end
+
+    context 'when project has no license' do
+      context 'when SECRET_DETECTION_DISABLED=1' do
+        before do
+          create(:ci_variable, project: project, key: 'SECRET_DETECTION_DISABLED', value: '1')
+        end
+
+        it 'includes no jobs' do
+          expect { pipeline }.to raise_error(Ci::CreatePipelineService::CreateError)
+        end
+      end
+
+      context 'by default' do
+        it 'creates a pipeline with the expected jobs' do
+          expect(build_names).to match_array(%w(secret_detection))
+        end
+      end
+
+      describe 'setting SECURE_ANALYZER_PREFIX' do
+        it_behaves_like 'setting sec analyzer prefix dynamically', builds: %w(secret_detection)
+      end
+    end
+  end
+end

ee/spec/lib/gitlab/ci/templates/secure_binaries_ci_yaml_spec.rb

@@ -52,7 +52,7 @@ RSpec.describe 'Secure-Binaries.gitlab-ci.yml' do
 
       it_behaves_like 'an offline image download job' do
         it 'sets SECURE_BINARIES_IMAGE explicitly' do
-          image = 'registry.gitlab.com/security-products/${CI_JOB_NAME}:${SECURE_BINARIES_ANALYZER_VERSION}'
+          image = '${SECURE_ANALYZERS_PREFIX}/${CI_JOB_NAME}:${SECURE_BINARIES_ANALYZER_VERSION}'
 
           expect(build.variables.to_hash).to include('SECURE_BINARIES_IMAGE' => image)
         end

ee/spec/services/security/security_orchestration_policies/ci_configuration_service_spec.rb

@@ -28,9 +28,13 @@ RSpec.describe Security::SecurityOrchestrationPolicies::CiConfigurationService d
 
         it 'returns prepared CI configuration with Secret Detection scans' do
           expected_configuration = {
-            rules: [{ if: '$SECRET_DETECTION_DISABLED', when: 'never' }, { if: '$CI_COMMIT_BRANCH' }],
+            rules: [
+              { if: '$SECRET_DETECTION_DISABLED', when: 'never' },
+              { if: '$CI_COMMIT_BRANCH && $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX', variables: { SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX" } },
+              { if: '$CI_COMMIT_BRANCH', variables: { SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX" } }
+            ],
             stage: 'test',
-            image: '$SECURE_ANALYZERS_PREFIX/secrets:$SECRETS_ANALYZER_VERSION',
+            image: '$SECURE_ANALYZERS_PREFIX/secret-detection:$SECRETS_ANALYZER_VERSION',
             services: [],
             allow_failure: true,
             artifacts: {
@@ -40,7 +44,9 @@ RSpec.describe Security::SecurityOrchestrationPolicies::CiConfigurationService d
             },
             variables: {
               GIT_DEPTH: '50',
-              SECURE_ANALYZERS_PREFIX: 'registry.gitlab.com/gitlab-org/security-products/analyzers',
+              SECURE_ANALYZERS_PREFIX: 'registry.gitlab.com/security-products',
+              DEFAULT_SECURE_ANALYZERS_PREFIX: 'registry.gitlab.com/security-products',
+              DEPRECATED_SECURE_ANALYZERS_PREFIX: 'registry.gitlab.com/gitlab-org/security-products/analyzers',
               SECRETS_ANALYZER_VERSION: '3',
               SECRET_DETECTION_EXCLUDED_PATHS: '',
               SECRET_DETECTION_HISTORIC_SCAN: 'false'

lib/gitlab/ci/templates/Jobs/SAST-IaC.latest.gitlab-ci.yml

 variables:
   # Setting this variable will affect all Security templates
   # (SAST, Dependency Scanning, ...)
-  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
+  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
+  # These placeholders will be removed in %15.0 with deprecation of previous registry path, see https://gitlab.com/groups/gitlab-org/-/epics/6162
+  DEFAULT_SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
+  DEPRECATED_SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
+
   SAST_EXCLUDED_PATHS: "spec, test, tests, tmp"
 
 iac-sast:
@@ -31,4 +35,9 @@ kics-iac-sast:
       when: never
     - if: $SAST_EXCLUDED_ANALYZERS =~ /kics/
       when: never
+    - if: $CI_COMMIT_BRANCH && $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
+      variables:
+        SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/sast"
     - if: $CI_COMMIT_BRANCH
+      variables:
+        SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"

lib/gitlab/ci/templates/Jobs/SAST.gitlab-ci.yml

@@ -6,7 +6,10 @@
 variables:
   # Setting this variable will affect all Security templates
   # (SAST, Dependency Scanning, ...)
-  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
+  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
+  # These placeholders will be removed in %15.0 with deprecation of previous registry path, see https://gitlab.com/groups/gitlab-org/-/epics/6162
+  DEFAULT_SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
+  DEPRECATED_SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
 
   SAST_EXCLUDED_ANALYZERS: ""
   SAST_EXCLUDED_PATHS: "spec, test, tests, tmp"
@@ -45,7 +48,14 @@ bandit-sast:
       when: never
     - if: $SAST_EXCLUDED_ANALYZERS =~ /bandit/
       when: never
+    - if: $CI_COMMIT_BRANCH && $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
+      variables:
+        SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/sast"
+      exists:
+        - '**/*.py'
     - if: $CI_COMMIT_BRANCH
+      variables:
+        SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
       exists:
         - '**/*.py'
 
@@ -61,7 +71,15 @@ brakeman-sast:
       when: never
     - if: $SAST_EXCLUDED_ANALYZERS =~ /brakeman/
       when: never
+    - if: $CI_COMMIT_BRANCH && $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
+      variables:
+        SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/sast"
+      exists:
+        - '**/*.rb'
+        - '**/Gemfile'
     - if: $CI_COMMIT_BRANCH
+      variables:
+        SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
       exists:
         - '**/*.rb'
         - '**/Gemfile'
@@ -78,7 +96,18 @@ eslint-sast:
       when: never
     - if: $SAST_EXCLUDED_ANALYZERS =~ /eslint/
       when: never
+    - if: $CI_COMMIT_BRANCH && $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
+      variables:
+        SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/sast"
+      exists:
+        - '**/*.html'
+        - '**/*.js'
+        - '**/*.jsx'
+        - '**/*.ts'
+        - '**/*.tsx'
     - if: $CI_COMMIT_BRANCH
+      variables:
+        SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
       exists:
         - '**/*.html'
         - '**/*.js'
@@ -98,7 +127,15 @@ flawfinder-sast:
       when: never
     - if: $SAST_EXCLUDED_ANALYZERS =~ /flawfinder/
       when: never
+    - if: $CI_COMMIT_BRANCH && $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
+      variables:
+        SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/sast"
+      exists:
+        - '**/*.c'
+        - '**/*.cpp'
     - if: $CI_COMMIT_BRANCH
+      variables:
+        SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
       exists:
         - '**/*.c'
         - '**/*.cpp'
@@ -115,8 +152,15 @@ kubesec-sast:
       when: never
     - if: $SAST_EXCLUDED_ANALYZERS =~ /kubesec/
       when: never
+    - if: $CI_COMMIT_BRANCH &&
+          $SCAN_KUBERNETES_MANIFESTS == 'true' &&
+          $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
+      variables:
+        SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/sast"
     - if: $CI_COMMIT_BRANCH &&
           $SCAN_KUBERNETES_MANIFESTS == 'true'
+      variables:
+        SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
 
 gosec-sast:
   extends: .sast-analyzer
@@ -130,7 +174,14 @@ gosec-sast:
       when: never
     - if: $SAST_EXCLUDED_ANALYZERS =~ /gosec/
       when: never
+    - if: $CI_COMMIT_BRANCH && $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
+      variables:
+        SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/sast"
+      exists:
+        - '**/*.go'
     - if: $CI_COMMIT_BRANCH
+      variables:
+        SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
       exists:
         - '**/*.go'
 
@@ -149,8 +200,18 @@ mobsf-android-sast:
       when: never
     - if: $SAST_EXCLUDED_ANALYZERS =~ /mobsf/
       when: never
+    - if: $CI_COMMIT_BRANCH &&
+          $SAST_EXPERIMENTAL_FEATURES == 'true' &&
+          $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
+      variables:
+        SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/sast"
+      exists:
+        - '**/*.apk'
+        - '**/AndroidManifest.xml'
     - if: $CI_COMMIT_BRANCH &&
           $SAST_EXPERIMENTAL_FEATURES == 'true'
+      variables:
+        SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
       exists:
         - '**/*.apk'
         - '**/AndroidManifest.xml'
@@ -162,8 +223,18 @@ mobsf-ios-sast:
       when: never
     - if: $SAST_EXCLUDED_ANALYZERS =~ /mobsf/
       when: never
+    - if: $CI_COMMIT_BRANCH &&
+          $SAST_EXPERIMENTAL_FEATURES == 'true' &&
+          $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
+      variables:
+        SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/sast"
+      exists:
+        - '**/*.ipa'
+        - '**/*.xcodeproj/*'
     - if: $CI_COMMIT_BRANCH &&
           $SAST_EXPERIMENTAL_FEATURES == 'true'
+      variables:
+        SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
       exists:
         - '**/*.ipa'
         - '**/*.xcodeproj/*'
@@ -180,7 +251,14 @@ nodejs-scan-sast:
       when: never
     - if: $SAST_EXCLUDED_ANALYZERS =~ /nodejs-scan/
       when: never
+    - if: $CI_COMMIT_BRANCH && $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
+      variables:
+        SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/sast"
+      exists:
+        - '**/package.json'
     - if: $CI_COMMIT_BRANCH
+      variables:
+        SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
       exists:
         - '**/package.json'
 
@@ -196,7 +274,14 @@ phpcs-security-audit-sast:
       when: never
     - if: $SAST_EXCLUDED_ANALYZERS =~ /phpcs-security-audit/
       when: never
+    - if: $CI_COMMIT_BRANCH && $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
+      variables:
+        SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/sast"
+      exists:
+        - '**/*.php'
     - if: $CI_COMMIT_BRANCH
+      variables:
+        SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
       exists:
         - '**/*.php'
 
@@ -212,7 +297,14 @@ pmd-apex-sast:
       when: never
     - if: $SAST_EXCLUDED_ANALYZERS =~ /pmd-apex/
       when: never
+    - if: $CI_COMMIT_BRANCH && $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
+      variables:
+        SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/sast"
+      exists:
+        - '**/*.cls'
     - if: $CI_COMMIT_BRANCH
+      variables:
+        SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
       exists:
         - '**/*.cls'
 
@@ -221,6 +313,7 @@ security-code-scan-sast:
   image:
     name: "$SAST_ANALYZER_IMAGE"
   variables:
+    SAST_ANALYZER_IMAGE_TAG: '3'
     SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/security-code-scan:$SAST_ANALYZER_IMAGE_TAG"
   rules:
     - if: $SAST_DISABLED
@@ -229,15 +322,29 @@ security-code-scan-sast:
       when: never
     # This rule shim will be removed in %15.0,
     # See https://gitlab.com/gitlab-org/gitlab/-/issues/350935
+    - if: $CI_COMMIT_BRANCH && $CI_SERVER_VERSION_MAJOR == '14' && $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
+      variables:
+        SAST_ANALYZER_IMAGE_TAG: '2'
+        SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/sast"
+      exists:
+        - '**/*.csproj'
+        - '**/*.vbproj'
     - if: $CI_COMMIT_BRANCH && $CI_SERVER_VERSION_MAJOR == '14'
       variables:
         SAST_ANALYZER_IMAGE_TAG: '2'
+        SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
+      exists:
+        - '**/*.csproj'
+        - '**/*.vbproj'
+    - if: $CI_COMMIT_BRANCH && $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
+      variables:
+        SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/sast"
       exists:
         - '**/*.csproj'
         - '**/*.vbproj'
     - if: $CI_COMMIT_BRANCH
       variables:
-        SAST_ANALYZER_IMAGE_TAG: '3'
+        SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
       exists:
         - '**/*.csproj'
         - '**/*.vbproj'
@@ -254,7 +361,20 @@ semgrep-sast:
       when: never
     - if: $SAST_EXCLUDED_ANALYZERS =~ /semgrep/
       when: never
+    - if: $CI_COMMIT_BRANCH && $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
+      variables:
+        SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/sast"
+      exists:
+        - '**/*.py'
+        - '**/*.js'
+        - '**/*.jsx'
+        - '**/*.ts'
+        - '**/*.tsx'
+        - '**/*.c'
+        - '**/*.go'
     - if: $CI_COMMIT_BRANCH
+      variables:
+        SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
       exists:
         - '**/*.py'
         - '**/*.js'
@@ -276,7 +396,14 @@ sobelow-sast:
       when: never
     - if: $SAST_EXCLUDED_ANALYZERS =~ /sobelow/
       when: never
+    - if: $CI_COMMIT_BRANCH && $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
+      variables:
+        SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/sast"
+      exists:
+        - 'mix.exs'
     - if: $CI_COMMIT_BRANCH
+      variables:
+        SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
       exists:
         - 'mix.exs'
 
@@ -296,7 +423,17 @@ spotbugs-sast:
       when: never
     - if: $SAST_DISABLED
       when: never
+    - if: $CI_COMMIT_BRANCH && $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
+      variables:
+        SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/sast"
+      exists:
+        - '**/*.groovy'
+        - '**/*.java'
+        - '**/*.scala'
+        - '**/*.kt'
     - if: $CI_COMMIT_BRANCH
+      variables:
+        SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
       exists:
         - '**/*.groovy'
         - '**/*.java'

lib/gitlab/ci/templates/Jobs/Secret-Detection.gitlab-ci.yml

@@ -5,13 +5,19 @@
 # How to set: https://docs.gitlab.com/ee/ci/yaml/#variables
 
 variables:
-  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
+  # Setting this variable will affect all Security templates
+  # (SAST, Dependency Scanning, ...)
+  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
+  # These placeholders will be removed in %15.0 with deprecation of previous registry path
+  DEFAULT_SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
+  DEPRECATED_SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
+
   SECRETS_ANALYZER_VERSION: "3"
   SECRET_DETECTION_EXCLUDED_PATHS: ""
 
 .secret-analyzer:
   stage: test
-  image: "$SECURE_ANALYZERS_PREFIX/secrets:$SECRETS_ANALYZER_VERSION"
+  image: "$SECURE_ANALYZERS_PREFIX/secret-detection:$SECRETS_ANALYZER_VERSION"
   services: []
   allow_failure: true
   variables:
@@ -27,7 +33,12 @@ secret_detection:
   rules:
     - if: $SECRET_DETECTION_DISABLED
       when: never
+    - if: $CI_COMMIT_BRANCH && $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
+      variables:
+        SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX"
     - if: $CI_COMMIT_BRANCH
+      variables:
+        SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
   script:
     - if [ -n "$CI_COMMIT_TAG" ]; then echo "Skipping Secret Detection for tags. No code changes have occurred."; exit 0; fi
     - if [ "$CI_COMMIT_BRANCH" = "$CI_DEFAULT_BRANCH" ]; then echo "Running Secret Detection on default branch."; /analyzer run; exit 0; fi

lib/gitlab/ci/templates/Security/API-Fuzzing.gitlab-ci.yml

@@ -10,8 +10,8 @@
 
 variables:
     FUZZAPI_VERSION: "1"
-    SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
-    FUZZAPI_IMAGE: ${SECURE_ANALYZERS_PREFIX}/api-fuzzing:${FUZZAPI_VERSION}
+    SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
+    FUZZAPI_IMAGE: "$SECURE_ANALYZERS_PREFIX/api-security:$FUZZAPI_VERSION"
 
 apifuzzer_fuzz:
     stage: fuzz

lib/gitlab/ci/templates/Security/API-Fuzzing.latest.gitlab-ci.yml

@@ -10,8 +10,8 @@
 
 variables:
     FUZZAPI_VERSION: "1"
-    SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
-    FUZZAPI_IMAGE: api-fuzzing
+    SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
+    FUZZAPI_IMAGE: "api-security"
 
 apifuzzer_fuzz:
     stage: fuzz

lib/gitlab/ci/templates/Security/DAST-API.gitlab-ci.yml

@@ -24,14 +24,14 @@
 variables:
   # Setting this variable affects all Security templates
   # (SAST, Dependency Scanning, ...)
-  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
+  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
   #
   DAST_API_VERSION: "1"
-  DAST_API_IMAGE: $SECURE_ANALYZERS_PREFIX/api-fuzzing:$DAST_API_VERSION
+  DAST_API_IMAGE: "api-security"
 
 dast_api:
   stage: dast
-  image: $DAST_API_IMAGE
+  image: $SECURE_ANALYZERS_PREFIX/$DAST_API_IMAGE:$DAST_API_VERSION
   allow_failure: true
   rules:
     - if: $DAST_API_DISABLED

lib/gitlab/ci/templates/Security/DAST-API.latest.gitlab-ci.yml

@@ -24,10 +24,10 @@
 variables:
   # Setting this variable affects all Security templates
   # (SAST, Dependency Scanning, ...)
-  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
+  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
   #
   DAST_API_VERSION: "1"
-  DAST_API_IMAGE: api-fuzzing
+  DAST_API_IMAGE: api-security
 
 dast_api:
   stage: dast

lib/gitlab/ci/templates/Security/DAST-On-Demand-API-Scan.gitlab-ci.yml

@@ -5,9 +5,9 @@ stages:
   - dast
 
 variables:
-  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
+  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
   DAST_API_VERSION: "1"
-  DAST_API_IMAGE: $SECURE_ANALYZERS_PREFIX/api-fuzzing:$DAST_API_VERSION
+  DAST_API_IMAGE: $SECURE_ANALYZERS_PREFIX/api-security:$DAST_API_VERSION
 
 dast:
   stage: dast

lib/gitlab/ci/templates/Security/DAST-On-Demand-Scan.gitlab-ci.yml

@@ -11,9 +11,7 @@ stages:
 
 variables:
   DAST_VERSION: 2
-  # Setting this variable will affect all Security templates
-  # (SAST, Dependency Scanning, ...)
-  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
+  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
 
 dast:
   stage: dast

lib/gitlab/ci/templates/Security/DAST.gitlab-ci.yml

@@ -25,7 +25,7 @@ variables:
   DAST_VERSION: 2
   # Setting this variable will affect all Security templates
   # (SAST, Dependency Scanning, ...)
-  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
+  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
 
 dast:
   stage: dast

lib/gitlab/ci/templates/Security/DAST.latest.gitlab-ci.yml

@@ -25,7 +25,7 @@ variables:
   DAST_VERSION: 2
   # Setting this variable will affect all Security templates
   # (SAST, Dependency Scanning, ...)
-  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
+  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
 
 dast:
   stage: dast

lib/gitlab/ci/templates/Security/Dependency-Scanning.gitlab-ci.yml

@@ -11,7 +11,11 @@
 variables:
   # Setting this variable will affect all Security templates
   # (SAST, Dependency Scanning, ...)
-  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
+  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
+  # These placeholders will be removed in %15.0 with deprecation of previous registry path, see https://gitlab.com/groups/gitlab-org/-/epics/6162
+  DEFAULT_SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
+  DEPRECATED_SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
+
   DS_DEFAULT_ANALYZERS: "bundler-audit, retire.js, gemnasium, gemnasium-maven, gemnasium-python"
   DS_EXCLUDED_ANALYZERS: ""
   DS_EXCLUDED_PATHS: "spec, test, tests, tmp"
@@ -51,9 +55,27 @@ gemnasium-dependency_scanning:
       when: never
     - if: $DS_EXCLUDED_ANALYZERS =~ /gemnasium([^-]|$)/
       when: never
+    - if: $CI_COMMIT_BRANCH &&
+          $GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
+          $DS_DEFAULT_ANALYZERS =~ /gemnasium([^-]|$)/ &&
+          $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
+      variables:
+        SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/dependency-scanning"
+      exists:
+        - '{Gemfile.lock,*/Gemfile.lock,*/*/Gemfile.lock}'
+        - '{composer.lock,*/composer.lock,*/*/composer.lock}'
+        - '{gems.locked,*/gems.locked,*/*/gems.locked}'
+        - '{go.sum,*/go.sum,*/*/go.sum}'
+        - '{npm-shrinkwrap.json,*/npm-shrinkwrap.json,*/*/npm-shrinkwrap.json}'
+        - '{package-lock.json,*/package-lock.json,*/*/package-lock.json}'
+        - '{yarn.lock,*/yarn.lock,*/*/yarn.lock}'
+        - '{packages.lock.json,*/packages.lock.json,*/*/packages.lock.json}'
+        - '{conan.lock,*/conan.lock,*/*/conan.lock}'
     - if: $CI_COMMIT_BRANCH &&
           $GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
           $DS_DEFAULT_ANALYZERS =~ /gemnasium([^-]|$)/
+      variables:
+        SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
       exists:
         - '{Gemfile.lock,*/Gemfile.lock,*/*/Gemfile.lock}'
         - '{composer.lock,*/composer.lock,*/*/composer.lock}'
@@ -82,9 +104,22 @@ gemnasium-maven-dependency_scanning:
       when: never
     - if: $DS_EXCLUDED_ANALYZERS =~ /gemnasium-maven/
       when: never
+    - if: $CI_COMMIT_BRANCH &&
+          $GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
+          $DS_DEFAULT_ANALYZERS =~ /gemnasium-maven/ &&
+          $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
+      variables:
+        SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/dependency-scanning"
+      exists:
+        - '{build.gradle,*/build.gradle,*/*/build.gradle}'
+        - '{build.gradle.kts,*/build.gradle.kts,*/*/build.gradle.kts}'
+        - '{build.sbt,*/build.sbt,*/*/build.sbt}'
+        - '{pom.xml,*/pom.xml,*/*/pom.xml}'
     - if: $CI_COMMIT_BRANCH &&
           $GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
           $DS_DEFAULT_ANALYZERS =~ /gemnasium-maven/
+      variables:
+        SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
       exists:
         - '{build.gradle,*/build.gradle,*/*/build.gradle}'
         - '{build.gradle.kts,*/build.gradle.kts,*/*/build.gradle.kts}'
@@ -108,9 +143,23 @@ gemnasium-python-dependency_scanning:
       when: never
     - if: $DS_EXCLUDED_ANALYZERS =~ /gemnasium-python/
       when: never
+    - if: $CI_COMMIT_BRANCH &&
+          $GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
+          $DS_DEFAULT_ANALYZERS =~ /gemnasium-python/ &&
+          $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
+      variables:
+        SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/dependency-scanning"
+      exists:
+        - '{requirements.txt,*/requirements.txt,*/*/requirements.txt}'
+        - '{requirements.pip,*/requirements.pip,*/*/requirements.pip}'
+        - '{Pipfile,*/Pipfile,*/*/Pipfile}'
+        - '{requires.txt,*/requires.txt,*/*/requires.txt}'
+        - '{setup.py,*/setup.py,*/*/setup.py}'
     - if: $CI_COMMIT_BRANCH &&
           $GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
           $DS_DEFAULT_ANALYZERS =~ /gemnasium-python/
+      variables:
+        SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
       exists:
         - '{requirements.txt,*/requirements.txt,*/*/requirements.txt}'
         - '{requirements.pip,*/requirements.pip,*/*/requirements.pip}'
@@ -119,10 +168,19 @@ gemnasium-python-dependency_scanning:
         - '{setup.py,*/setup.py,*/*/setup.py}'
         # Support passing of $PIP_REQUIREMENTS_FILE
         # See https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#configuring-specific-analyzers-used-by-dependency-scanning
+    - if: $CI_COMMIT_BRANCH &&
+          $GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
+          $DS_DEFAULT_ANALYZERS =~ /gemnasium-python/ &&
+          $PIP_REQUIREMENTS_FILE &&
+          $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
+      variables:
+        SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/dependency-scanning"
     - if: $CI_COMMIT_BRANCH &&
           $GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
           $DS_DEFAULT_ANALYZERS =~ /gemnasium-python/ &&
           $PIP_REQUIREMENTS_FILE
+      variables:
+        SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
 
 bundler-audit-dependency_scanning:
   extends: .ds-analyzer
@@ -138,9 +196,19 @@ bundler-audit-dependency_scanning:
       when: never
     - if: $DS_EXCLUDED_ANALYZERS =~ /bundler-audit/
       when: never
+    - if: $CI_COMMIT_BRANCH &&
+          $GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
+          $DS_DEFAULT_ANALYZERS =~ /bundler-audit/ &&
+          $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
+      variables:
+        SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/dependency-scanning"
+      exists:
+        - '{Gemfile.lock,*/Gemfile.lock,*/*/Gemfile.lock}'
     - if: $CI_COMMIT_BRANCH &&
           $GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
           $DS_DEFAULT_ANALYZERS =~ /bundler-audit/
+      variables:
+        SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
       exists:
         - '{Gemfile.lock,*/Gemfile.lock,*/*/Gemfile.lock}'
 
@@ -158,8 +226,18 @@ retire-js-dependency_scanning:
       when: never
     - if: $DS_EXCLUDED_ANALYZERS =~ /retire.js/
       when: never
+    - if: $CI_COMMIT_BRANCH &&
+          $GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
+          $DS_DEFAULT_ANALYZERS =~ /retire.js/ &&
+          $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
+      variables:
+        SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/dependency-scanning"
+      exists:
+        - '{package.json,*/package.json,*/*/package.json}'
     - if: $CI_COMMIT_BRANCH &&
           $GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
           $DS_DEFAULT_ANALYZERS =~ /retire.js/
       exists:
         - '{package.json,*/package.json,*/*/package.json}'
+      variables:
+        SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"

lib/gitlab/ci/templates/Security/License-Scanning.gitlab-ci.yml

@@ -11,7 +11,7 @@
 variables:
   # Setting this variable will affect all Security templates
   # (SAST, Dependency Scanning, ...)
-  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
+  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
 
   LICENSE_MANAGEMENT_SETUP_CMD: ''  # If needed, specify a command to setup your environment with a custom package manager.
   LICENSE_MANAGEMENT_VERSION: 3
@@ -19,7 +19,7 @@ variables:
 license_scanning:
   stage: test
   image:
-    name: "$SECURE_ANALYZERS_PREFIX/license-finder:$LICENSE_MANAGEMENT_VERSION"
+    name: "$SECURE_ANALYZERS_PREFIX/license-compliance/license-finder:$LICENSE_MANAGEMENT_VERSION"
     entrypoint: [""]
   variables:
     LM_REPORT_VERSION: '2.1'

lib/gitlab/ci/templates/Security/Secure-Binaries.gitlab-ci.yml

@@ -14,11 +14,14 @@
 # Docs: https://docs.gitlab.com/ee/topics/airgap/
 
 variables:
+  # Setting this variable will affect all Security templates
+  # (SAST, Dependency Scanning, ...)
+  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
   SECURE_BINARIES_ANALYZERS: >-
-    bandit, brakeman, gosec, spotbugs, flawfinder, phpcs-security-audit, security-code-scan, nodejs-scan, eslint, secrets, sobelow, pmd-apex, kubesec, semgrep,
+    bandit, brakeman, gosec, spotbugs, flawfinder, phpcs-security-audit, security-code-scan, nodejs-scan, eslint, secrets, sobelow, pmd-apex, kics, kubesec, semgrep,
     bundler-audit, retire.js, gemnasium, gemnasium-maven, gemnasium-python,
     license-finder,
-    dast, dast-runner-validation, api-fuzzing
+    dast, dast-runner-validation, api-security
 
   SECURE_BINARIES_DOWNLOAD_IMAGES: "true"
   SECURE_BINARIES_PUSH_IMAGES: "true"
@@ -40,7 +43,7 @@ variables:
   script:
     - docker info
     - env
-    - if [ -z "$SECURE_BINARIES_IMAGE" ]; then export SECURE_BINARIES_IMAGE=${SECURE_BINARIES_IMAGE:-"registry.gitlab.com/gitlab-org/security-products/analyzers/${CI_JOB_NAME}:${SECURE_BINARIES_ANALYZER_VERSION}"}; fi
+    - if [ -z "$SECURE_BINARIES_IMAGE" ]; then export SECURE_BINARIES_IMAGE=${SECURE_BINARIES_IMAGE:-"registry.gitlab.com/security-products/${CI_JOB_NAME}:${SECURE_BINARIES_ANALYZER_VERSION}"}; fi
     - docker pull --quiet ${SECURE_BINARIES_IMAGE}
     - mkdir -p output/$(dirname ${CI_JOB_NAME})
     - |
@@ -63,22 +66,27 @@ variables:
 # SAST jobs
 #
 
-bandit:
+.download_sast_images:
   extends: .download_images
+  variables:
+    SECURE_BINARIES_IMAGE: "${SECURE_ANALYZERS_PREFIX}/sast/${CI_JOB_NAME}:${SECURE_BINARIES_ANALYZER_VERSION}"
+
+bandit:
+  extends: .download_sast_images
   only:
     variables:
       - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
           $SECURE_BINARIES_ANALYZERS =~ /\bbandit\b/
 
 brakeman:
-  extends: .download_images
+  extends: .download_sast_images
   only:
     variables:
       - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
           $SECURE_BINARIES_ANALYZERS =~ /\bbrakeman\b/
 
 gosec:
-  extends: .download_images
+  extends: .download_sast_images
   variables:
     SECURE_BINARIES_ANALYZER_VERSION: "3"
   only:
@@ -87,28 +95,28 @@ gosec:
           $SECURE_BINARIES_ANALYZERS =~ /\bgosec\b/
 
 spotbugs:
-  extends: .download_images
+  extends: .download_sast_images
   only:
     variables:
       - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
           $SECURE_BINARIES_ANALYZERS =~ /\bspotbugs\b/
 
 flawfinder:
-  extends: .download_images
+  extends: .download_sast_images
   only:
     variables:
       - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
           $SECURE_BINARIES_ANALYZERS =~ /\bflawfinder\b/
 
 phpcs-security-audit:
-  extends: .download_images
+  extends: .download_sast_images
   only:
     variables:
       - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
           $SECURE_BINARIES_ANALYZERS =~ /\bphpcs-security-audit\b/
 
 security-code-scan:
-  extends: .download_images
+  extends: .download_sast_images
   variables:
     SECURE_BINARIES_ANALYZER_VERSION: "3"
   only:
@@ -117,21 +125,21 @@ security-code-scan:
           $SECURE_BINARIES_ANALYZERS =~ /\bsecurity-code-scan\b/
 
 nodejs-scan:
-  extends: .download_images
+  extends: .download_sast_images
   only:
     variables:
       - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
           $SECURE_BINARIES_ANALYZERS =~ /\bnodejs-scan\b/
 
 eslint:
-  extends: .download_images
+  extends: .download_sast_images
   only:
     variables:
       - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
           $SECURE_BINARIES_ANALYZERS =~ /\beslint\b/
 
 secrets:
-  extends: .download_images
+  extends: .download_sast_images
   only:
     variables:
       - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
@@ -140,28 +148,28 @@ secrets:
     SECURE_BINARIES_ANALYZER_VERSION: "3"
 
 semgrep:
-  extends: .download_images
+  extends: .download_sast_images
   only:
     variables:
       - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
           $SECURE_BINARIES_ANALYZERS =~ /\bsemgrep\b/
 
 sobelow:
-  extends: .download_images
+  extends: .download_sast_images
   only:
     variables:
       - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
           $SECURE_BINARIES_ANALYZERS =~ /\bsobelow\b/
 
 pmd-apex:
-  extends: .download_images
+  extends: .download_sast_images
   only:
     variables:
       - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
           $SECURE_BINARIES_ANALYZERS =~ /\bsecrets\b/
 
 kubesec:
-  extends: .download_images
+  extends: .download_sast_images
   only:
     variables:
       - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
@@ -171,36 +179,41 @@ kubesec:
 # Dependency Scanning jobs
 #
 
-bundler-audit:
+.download_ds_images:
   extends: .download_images
+  variables:
+    SECURE_BINARIES_IMAGE: "${SECURE_ANALYZERS_PREFIX}/dependency-scanning/${CI_JOB_NAME}:${SECURE_BINARIES_ANALYZER_VERSION}"
+
+bundler-audit:
+  extends: .download_ds_images
   only:
     variables:
       - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
           $SECURE_BINARIES_ANALYZERS =~ /\bbundler-audit\b/
 
 retire.js:
-  extends: .download_images
+  extends: .download_ds_images
   only:
     variables:
       - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
           $SECURE_BINARIES_ANALYZERS =~ /\bretire\.js\b/
 
 gemnasium:
-  extends: .download_images
+  extends: .download_ds_images
   only:
     variables:
       - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
           $SECURE_BINARIES_ANALYZERS =~ /\bgemnasium\b/
 
 gemnasium-maven:
-  extends: .download_images
+  extends: .download_ds_images
   only:
     variables:
       - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
           $SECURE_BINARIES_ANALYZERS =~ /\bgemnasium-maven\b/
 
 gemnasium-python:
-  extends: .download_images
+  extends: .download_ds_images
   only:
     variables:
       - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
@@ -213,6 +226,7 @@ gemnasium-python:
 license-finder:
   extends: .download_images
   variables:
+    SECURE_BINARIES_IMAGE: "${SECURE_ANALYZERS_PREFIX}/license-compliance/${CI_JOB_NAME}:${SECURE_BINARIES_ANALYZER_VERSION}"
     SECURE_BINARIES_ANALYZER_VERSION: "3"
   only:
     variables:
@@ -223,8 +237,13 @@ license-finder:
 # DAST
 #
 
-dast:
+.download_dast_images:
   extends: .download_images
+  variables:
+    SECURE_BINARIES_IMAGE: "${SECURE_ANALYZERS_PREFIX}/${CI_JOB_NAME}:${SECURE_BINARIES_ANALYZER_VERSION}"
+
+dast:
+  extends: .download_dast_images
   variables:
     SECURE_BINARIES_ANALYZER_VERSION: "2"
   only:
@@ -233,20 +252,19 @@ dast:
           $SECURE_BINARIES_ANALYZERS =~ /\bdast\b/
 
 dast-runner-validation:
-  extends: .download_images
+  extends: .download_dast_images
   variables:
     SECURE_BINARIES_ANALYZER_VERSION: "1"
-    SECURE_BINARIES_IMAGE: "registry.gitlab.com/security-products/${CI_JOB_NAME}:${SECURE_BINARIES_ANALYZER_VERSION}"
   only:
     variables:
       - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
           $SECURE_BINARIES_ANALYZERS =~ /\bdast-runner-validation\b/
 
-api-fuzzing:
-  extends: .download_images
+api-security:
+  extends: .download_dast_images
   variables:
     SECURE_BINARIES_ANALYZER_VERSION: "1"
   only:
     variables:
       - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
-          $SECURE_BINARIES_ANALYZERS =~ /\bapi-fuzzing\b/
+          $SECURE_BINARIES_ANALYZERS =~ /\bapi-security\b/

spec/lib/security/ci_configuration/sast_build_action_spec.rb

@@ -6,7 +6,7 @@ RSpec.describe Security::CiConfiguration::SastBuildAction do
   let(:default_sast_values) do
     { 'global' =>
       [
-        { 'field' => 'SECURE_ANALYZERS_PREFIX', 'defaultValue' => 'registry.gitlab.com/gitlab-org/security-products/analyzers', 'value' => 'registry.gitlab.com/gitlab-org/security-products/analyzers' }
+        { 'field' => 'SECURE_ANALYZERS_PREFIX', 'defaultValue' => 'registry.gitlab.com/security-products', 'value' => 'registry.gitlab.com/security-products' }
       ],
       'pipeline' =>
       [
@@ -19,7 +19,7 @@ RSpec.describe Security::CiConfiguration::SastBuildAction do
   let(:params) do
     { 'global' =>
       [
-        { 'field' => 'SECURE_ANALYZERS_PREFIX', 'defaultValue' => 'registry.gitlab.com/gitlab-org/security-products/analyzers', 'value' => 'new_registry' }
+        { 'field' => 'SECURE_ANALYZERS_PREFIX', 'defaultValue' => 'registry.gitlab.com/security-products', 'value' => 'new_registry' }
       ],
       'pipeline' =>
       [
@@ -164,7 +164,7 @@ RSpec.describe Security::CiConfiguration::SastBuildAction do
       let(:params) do
         { 'global' =>
           [
-            { 'field' => 'SECURE_ANALYZERS_PREFIX', 'defaultValue' => 'registry.gitlab.com/gitlab-org/security-products/analyzers', 'value' => 'registry.gitlab.com/gitlab-org/security-products/analyzers' }
+            { 'field' => 'SECURE_ANALYZERS_PREFIX', 'defaultValue' => 'registry.gitlab.com/security-products', 'value' => 'registry.gitlab.com/security-products' }
           ],
           'pipeline' =>
           [
@@ -219,21 +219,21 @@ RSpec.describe Security::CiConfiguration::SastBuildAction do
 
     def existing_gitlab_ci_and_template_array_without_sast
       { "stages" => %w(test security),
-       "variables" => { "RANDOM" => "make sure this persists", "SECURE_ANALYZERS_PREFIX" => "localhost:5000/analyzers" },
+       "variables" => { "RANDOM" => "make sure this persists", "SECURE_ANALYZERS_PREFIX" => "localhost:5000" },
        "sast" => { "variables" => { "SEARCH_MAX_DEPTH" => 1 }, "stage" => "security" },
        "include" => [{ "template" => "existing.yml" }] }
     end
 
     def existing_gitlab_ci_and_single_template_with_sast_and_default_stage
       { "stages" => %w(test),
-       "variables" => { "SECURE_ANALYZERS_PREFIX" => "localhost:5000/analyzers" },
+       "variables" => { "SECURE_ANALYZERS_PREFIX" => "localhost:5000" },
        "sast" => { "variables" => { "SEARCH_MAX_DEPTH" => 1 }, "stage" => "test" },
        "include" => { "template" => "Security/SAST.gitlab-ci.yml" } }
     end
 
     def existing_gitlab_ci_and_single_template_without_sast
       { "stages" => %w(test security),
-       "variables" => { "RANDOM" => "make sure this persists", "SECURE_ANALYZERS_PREFIX" => "localhost:5000/analyzers" },
+       "variables" => { "RANDOM" => "make sure this persists", "SECURE_ANALYZERS_PREFIX" => "localhost:5000" },
        "sast" => { "variables" => { "SEARCH_MAX_DEPTH" => 1 }, "stage" => "security" },
        "include" => { "template" => "existing.yml" } }
     end
@@ -246,13 +246,13 @@ RSpec.describe Security::CiConfiguration::SastBuildAction do
 
     def existing_gitlab_ci_with_no_sast_section
       { "stages" => %w(test security),
-       "variables" => { "RANDOM" => "make sure this persists", "SECURE_ANALYZERS_PREFIX" => "localhost:5000/analyzers" },
+       "variables" => { "RANDOM" => "make sure this persists", "SECURE_ANALYZERS_PREFIX" => "localhost:5000" },
        "include" => [{ "template" => "Security/SAST.gitlab-ci.yml" }] }
     end
 
     def existing_gitlab_ci_with_no_sast_variables
       { "stages" => %w(test security),
-       "variables" => { "RANDOM" => "make sure this persists", "SECURE_ANALYZERS_PREFIX" => "localhost:5000/analyzers" },
+       "variables" => { "RANDOM" => "make sure this persists", "SECURE_ANALYZERS_PREFIX" => "localhost:5000" },
        "sast" => { "stage" => "security" },
        "include" => [{ "template" => "Security/SAST.gitlab-ci.yml" }] }
     end
@@ -275,7 +275,7 @@ RSpec.describe Security::CiConfiguration::SastBuildAction do
         let(:params) do
           { 'global' =>
             [
-              { 'field' => 'SECURE_ANALYZERS_PREFIX', 'defaultValue' => 'registry.gitlab.com/gitlab-org/security-products/analyzers', 'value' => '' }
+              { 'field' => 'SECURE_ANALYZERS_PREFIX', 'defaultValue' => 'registry.gitlab.com/security-products', 'value' => '' }
             ] }
         end
 

spec/services/ci/create_pipeline_service/parameter_content_spec.rb

@@ -15,7 +15,7 @@ RSpec.describe Ci::CreatePipelineService do
 
       variables:
         DAST_VERSION: 1
-        SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
+        SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
 
       dast:
         stage: dast

spec/support/helpers/ci/template_helpers.rb

@@ -3,7 +3,7 @@
 module Ci
   module TemplateHelpers
     def secure_analyzers_prefix
-      'registry.gitlab.com/gitlab-org/security-products/analyzers'
+      'registry.gitlab.com/security-products'
     end
   end
 end

spec/support/shared_examples/lib/gitlab/ci/templates/security_templates_shared_examples.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.shared_examples 'setting sec analyzer prefix dynamically' do |builds: [], files: { 'README.md' => '' }, variables: {}, namespace: ''|
+  using RSpec::Parameterized::TableSyntax
+
+  let(:default_analyzer_prefix) { 'registry.gitlab.com/security-products' }
+
+  where(:builds, :files, :analyzer_prefix, :expected_prefix) do
+    builds | files | nil                     | "$DEFAULT_SECURE_ANALYZERS_PREFIX#{namespace.present? ? "/#{namespace}" : nil}"
+    builds | files | 'registry.example.com'  | 'registry.example.com'
+  end
+
+  with_them do
+    before do
+      if analyzer_prefix
+        if analyzer_prefix != default_analyzer_prefix
+          create(:ci_variable, project: project, key: 'SECURE_ANALYZERS_PREFIX', value: analyzer_prefix)
+        end
+      end
+
+      variables.each do |(key, value)|
+        create(:ci_variable, project: project, key: key, value: value)
+      end
+    end
+
+    it 'creates a build with the expected tag' do
+      expect(build_names).to include(*builds)
+
+      prefixes = pipeline.builds.map { |build| build.variables["SECURE_ANALYZERS_PREFIX"].value }
+      expect(prefixes.uniq).to match_array(expected_prefix)
+    end
+  end
+end