Add jobs template for Dependency Scanning and License Scanning

Point Security/Dependency-Scanning.gitlab-ci.yml to newly added Jobs/Dependency-Scanning.gitlab-ci.yml Point Security/License-Scanning.gitlab-ci.yml to newly added Jobs/License-Scanning.gitlab-ci.yml Changelog: changed

Add jobs template for Dependency Scanning and License Scanning
Point Security/Dependency-Scanning.gitlab-ci.yml to newly added Jobs/Dependency-Scanning.gitlab-ci.yml Point Security/License-Scanning.gitlab-ci.yml to newly added Jobs/License-Scanning.gitlab-ci.yml Changelog: changed
f9997416 · Olivier Gonzalez · Marcel Amirault · 431ce1da · f9997416 · f9997416
Commit f9997416 authored Feb 16, 2022 by Olivier Gonzalez Committed by Marcel Amirault Feb 16, 2022
15 changed files
--- a/config/metrics/counts_28d/20210216184559_ci_templates_total_unique_counts_monthly.yml
+++ b/config/metrics/counts_28d/20210216184559_ci_templates_total_unique_counts_monthly.yml
@@ -91,6 +91,8 @@ options:
  - p_ci_templates_jobs_secret_detection
  - p_ci_templates_jobs_code_intelligence
  - p_ci_templates_jobs_code_quality
+  - p_ci_templates_jobs_dependency_scanning
+  - p_ci_templates_jobs_license_scanning
  - p_ci_templates_jobs_deploy_ecs
  - p_ci_templates_jobs_deploy_ec2
  - p_ci_templates_jobs_deploy
@@ -135,6 +137,8 @@ options:
  - p_ci_templates_implicit_jobs_secret_detection
  - p_ci_templates_implicit_jobs_code_intelligence
  - p_ci_templates_implicit_jobs_code_quality
+  - p_ci_templates_implicit_jobs_dependency_scanning
+  - p_ci_templates_implicit_jobs_license_scanning
  - p_ci_templates_implicit_jobs_deploy_ecs
  - p_ci_templates_implicit_jobs_deploy_ec2
  - p_ci_templates_implicit_auto_devops_deploy

--- a/config/metrics/counts_28d/20220210134101_p_ci_templates_implicit_jobs_dependency_scanning_monthly.yml
+++ b/config/metrics/counts_28d/20220210134101_p_ci_templates_implicit_jobs_dependency_scanning_monthly.yml
+---
+key_path: redis_hll_counters.ci_templates.p_ci_templates_implicit_jobs_dependency_scanning_monthly
+description: Monthly counts for implicit use of Dependency Scanning CI template (Jobs folder)
+product_section: sec
+product_stage: secure
+product_group: composition_analysis
+product_category: dependency_scanning
+value_type: number
+status: active
+milestone: '14.8'
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/79454
+time_frame: 28d
+data_source: redis_hll
+data_category: optional
+instrumentation_class: RedisHLLMetric
+distribution:
+- ce
+- ee
+tier:
+- free
+- premium
+- ultimate
+options:
+  events:
+  - p_ci_templates_implicit_jobs_dependency_scanning
--- a/config/metrics/counts_28d/20220210134101_p_ci_templates_implicit_jobs_license_scanning_monthly.yml
+++ b/config/metrics/counts_28d/20220210134101_p_ci_templates_implicit_jobs_license_scanning_monthly.yml
+---
+key_path: redis_hll_counters.ci_templates.p_ci_templates_implicit_jobs_license_scanning_monthly
+description: Monthly counts for implicit use of License Scanning CI template (Jobs folder)
+product_section: sec
+product_stage: secure
+product_group: composition_analysis
+product_category: license_compliance
+value_type: number
+status: active
+milestone: '14.8'
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/79454
+time_frame: 28d
+data_source: redis_hll
+data_category: optional
+instrumentation_class: RedisHLLMetric
+distribution:
+- ce
+- ee
+tier:
+- free
+- premium
+- ultimate
+options:
+  events:
+  - p_ci_templates_implicit_jobs_license_scanning
--- a/config/metrics/counts_28d/20220210134101_p_ci_templates_jobs_dependency_scanning_monthly.yml
+++ b/config/metrics/counts_28d/20220210134101_p_ci_templates_jobs_dependency_scanning_monthly.yml
+---
+key_path: redis_hll_counters.ci_templates.p_ci_templates_jobs_dependency_scanning_monthly
+description: Monthly counts for Dependency Scanning CI template (Jobs folder)
+product_section: sec
+product_stage: secure
+product_group: composition_analysis
+product_category: dependency_scanning
+value_type: number
+status: active
+milestone: '14.8'
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/79454
+time_frame: 28d
+data_source: redis_hll
+data_category: optional
+instrumentation_class: RedisHLLMetric
+distribution:
+- ce
+- ee
+tier:
+- free
+- premium
+- ultimate
+options:
+  events:
+  - p_ci_templates_jobs_dependency_scanning
--- a/config/metrics/counts_28d/20220210134101_p_ci_templates_jobs_license_scanning_monthly.yml
+++ b/config/metrics/counts_28d/20220210134101_p_ci_templates_jobs_license_scanning_monthly.yml
+---
+key_path: redis_hll_counters.ci_templates.p_ci_templates_jobs_license_scanning_monthly
+description: Monthly counts for License Scanning CI template (Jobs folder)
+product_section: sec
+product_stage: secure
+product_group: composition_analysis
+product_category: license_compliance
+value_type: number
+status: active
+milestone: '14.8'
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/79454
+time_frame: 28d
+data_source: redis_hll
+data_category: optional
+instrumentation_class: RedisHLLMetric
+distribution:
+- ce
+- ee
+tier:
+- free
+- premium
+- ultimate
+options:
+  events:
+  - p_ci_templates_jobs_license_scanning
--- a/config/metrics/counts_7d/20210216184557_ci_templates_total_unique_counts_weekly.yml
+++ b/config/metrics/counts_7d/20210216184557_ci_templates_total_unique_counts_weekly.yml
@@ -91,6 +91,8 @@ options:
  - p_ci_templates_jobs_secret_detection
  - p_ci_templates_jobs_code_intelligence
  - p_ci_templates_jobs_code_quality
+  - p_ci_templates_jobs_dependency_scanning
+  - p_ci_templates_jobs_license_scanning
  - p_ci_templates_jobs_deploy_ecs
  - p_ci_templates_jobs_deploy_ec2
  - p_ci_templates_jobs_deploy
@@ -135,6 +137,8 @@ options:
  - p_ci_templates_implicit_jobs_secret_detection
  - p_ci_templates_implicit_jobs_code_intelligence
  - p_ci_templates_implicit_jobs_code_quality
+  - p_ci_templates_implicit_jobs_dependency_scanning
+  - p_ci_templates_implicit_jobs_license_scanning
  - p_ci_templates_implicit_jobs_deploy_ecs
  - p_ci_templates_implicit_jobs_deploy_ec2
  - p_ci_templates_implicit_auto_devops_deploy

--- a/config/metrics/counts_7d/20220210134101_p_ci_templates_implicit_jobs_dependency_scanning_weekly.yml
+++ b/config/metrics/counts_7d/20220210134101_p_ci_templates_implicit_jobs_dependency_scanning_weekly.yml
+---
+key_path: redis_hll_counters.ci_templates.p_ci_templates_implicit_jobs_dependency_scanning_weekly
+description: Weekly counts for implicit use of Dependency Scanning CI template (Jobs folder)
+product_section: sec
+product_stage: secure
+product_group: composition_analysis
+product_category: dependency_scanning
+value_type: number
+status: active
+milestone: '14.8'
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/79454
+time_frame: 7d
+data_source: redis_hll
+data_category: optional
+instrumentation_class: RedisHLLMetric
+distribution:
+- ce
+- ee
+tier:
+- free
+- premium
+- ultimate
+options:
+  events:
+  - p_ci_templates_implicit_jobs_dependency_scanning
--- a/config/metrics/counts_7d/20220210134101_p_ci_templates_implicit_jobs_license_scanning_weekly.yml
+++ b/config/metrics/counts_7d/20220210134101_p_ci_templates_implicit_jobs_license_scanning_weekly.yml
+---
+key_path: redis_hll_counters.ci_templates.p_ci_templates_implicit_jobs_license_scanning_weekly
+description: Weekly counts for implicit use of License Scanning CI template (Jobs folder)
+product_section: sec
+product_stage: secure
+product_group: composition_analysis
+product_category: license_compliance
+value_type: number
+status: active
+milestone: '14.8'
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/79454
+time_frame: 7d
+data_source: redis_hll
+data_category: optional
+instrumentation_class: RedisHLLMetric
+distribution:
+- ce
+- ee
+tier:
+- free
+- premium
+- ultimate
+options:
+  events:
+  - p_ci_templates_implicit_jobs_license_scanning
--- a/config/metrics/counts_7d/20220210134101_p_ci_templates_jobs_dependency_scanning_weekly.yml
+++ b/config/metrics/counts_7d/20220210134101_p_ci_templates_jobs_dependency_scanning_weekly.yml
+---
+key_path: redis_hll_counters.ci_templates.p_ci_templates_jobs_dependency_scanning_weekly
+description: Weekly counts for Dependency Scanning CI template (Jobs folder)
+product_section: sec
+product_stage: secure
+product_group: composition_analysis
+product_category: dependency_scanning
+value_type: number
+status: active
+milestone: '14.8'
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/79454
+time_frame: 7d
+data_source: redis_hll
+data_category: optional
+instrumentation_class: RedisHLLMetric
+distribution:
+- ce
+- ee
+tier:
+- free
+- premium
+- ultimate
+options:
+  events:
+  - p_ci_templates_jobs_dependency_scanning
--- a/config/metrics/counts_7d/20220210134101_p_ci_templates_jobs_license_scanning_weekly.yml
+++ b/config/metrics/counts_7d/20220210134101_p_ci_templates_jobs_license_scanning_weekly.yml
+---
+key_path: redis_hll_counters.ci_templates.p_ci_templates_jobs_license_scanning_weekly
+description: Weekly counts for License Scanning CI template (Jobs folder)
+product_section: sec
+product_stage: secure
+product_group: composition_analysis
+product_category: license_compliance
+value_type: number
+status: active
+milestone: '14.8'
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/79454
+time_frame: 7d
+data_source: redis_hll
+data_category: optional
+instrumentation_class: RedisHLLMetric
+distribution:
+- ce
+- ee
+tier:
+- free
+- premium
+- ultimate
+options:
+  events:
+  - p_ci_templates_jobs_license_scanning
--- a/lib/gitlab/ci/templates/Jobs/Dependency-Scanning.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Jobs/Dependency-Scanning.gitlab-ci.yml
+# To contribute improvements to CI/CD templates, please follow the Development guide at:
+# https://docs.gitlab.com/ee/development/cicd/templates.html
+# This specific template is located at:
+# https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/Dependency-Scanning.gitlab-ci.yml
+
+# Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/dependency_scanning/
+#
+# Configure dependency scanning with CI/CD variables (https://docs.gitlab.com/ee/ci/variables/index.html).
+# List of available variables: https://docs.gitlab.com/ee/user/application_security/dependency_scanning/index.html#available-variables
+
+variables:
+  # Setting this variable will affect all Security templates
+  # (SAST, Dependency Scanning, ...)
+  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
+  DS_DEFAULT_ANALYZERS: "bundler-audit, retire.js, gemnasium, gemnasium-maven, gemnasium-python"
+  DS_EXCLUDED_ANALYZERS: ""
+  DS_EXCLUDED_PATHS: "spec, test, tests, tmp"
+  DS_MAJOR_VERSION: 2
+
+dependency_scanning:
+  stage: test
+  script:
+    - echo "$CI_JOB_NAME is used for configuration only, and its script should not be executed"
+    - exit 1
+  artifacts:
+    reports:
+      dependency_scanning: gl-dependency-scanning-report.json
+  dependencies: []
+  rules:
+    - when: never
+
+.ds-analyzer:
+  extends: dependency_scanning
+  allow_failure: true
+  # `rules` must be overridden explicitly by each child job
+  # see https://gitlab.com/gitlab-org/gitlab/-/issues/218444
+  script:
+    - /analyzer run
+
+gemnasium-dependency_scanning:
+  extends: .ds-analyzer
+  image:
+    name: "$DS_ANALYZER_IMAGE"
+  variables:
+    # DS_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
+    # override the analyzer image with a custom value. This may be subject to change or
+    # breakage across GitLab releases.
+    DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/gemnasium:$DS_MAJOR_VERSION"
+    GEMNASIUM_LIBRARY_SCAN_ENABLED: "true"
+  rules:
+    - if: $DEPENDENCY_SCANNING_DISABLED
+      when: never
+    - if: $DS_EXCLUDED_ANALYZERS =~ /gemnasium([^-]|$)/
+      when: never
+    - if: $CI_COMMIT_BRANCH &&
+          $GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
+          $DS_DEFAULT_ANALYZERS =~ /gemnasium([^-]|$)/
+      exists:
+        - '{Gemfile.lock,*/Gemfile.lock,*/*/Gemfile.lock}'
+        - '{composer.lock,*/composer.lock,*/*/composer.lock}'
+        - '{gems.locked,*/gems.locked,*/*/gems.locked}'
+        - '{go.sum,*/go.sum,*/*/go.sum}'
+        - '{npm-shrinkwrap.json,*/npm-shrinkwrap.json,*/*/npm-shrinkwrap.json}'
+        - '{package-lock.json,*/package-lock.json,*/*/package-lock.json}'
+        - '{yarn.lock,*/yarn.lock,*/*/yarn.lock}'
+        - '{packages.lock.json,*/packages.lock.json,*/*/packages.lock.json}'
+        - '{conan.lock,*/conan.lock,*/*/conan.lock}'
+
+gemnasium-maven-dependency_scanning:
+  extends: .ds-analyzer
+  image:
+    name: "$DS_ANALYZER_IMAGE"
+  variables:
+    # DS_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
+    # override the analyzer image with a custom value. This may be subject to change or
+    # breakage across GitLab releases.
+    DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/gemnasium-maven:$DS_MAJOR_VERSION"
+    # Stop reporting Gradle as "maven".
+    # See https://gitlab.com/gitlab-org/gitlab/-/issues/338252
+    DS_REPORT_PACKAGE_MANAGER_MAVEN_WHEN_JAVA: "false"
+  rules:
+    - if: $DEPENDENCY_SCANNING_DISABLED
+      when: never
+    - if: $DS_EXCLUDED_ANALYZERS =~ /gemnasium-maven/
+      when: never
+    - if: $CI_COMMIT_BRANCH &&
+          $GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
+          $DS_DEFAULT_ANALYZERS =~ /gemnasium-maven/
+      exists:
+        - '{build.gradle,*/build.gradle,*/*/build.gradle}'
+        - '{build.gradle.kts,*/build.gradle.kts,*/*/build.gradle.kts}'
+        - '{build.sbt,*/build.sbt,*/*/build.sbt}'
+        - '{pom.xml,*/pom.xml,*/*/pom.xml}'
+
+gemnasium-python-dependency_scanning:
+  extends: .ds-analyzer
+  image:
+    name: "$DS_ANALYZER_IMAGE"
+  variables:
+    # DS_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
+    # override the analyzer image with a custom value. This may be subject to change or
+    # breakage across GitLab releases.
+    DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/gemnasium-python:$DS_MAJOR_VERSION"
+    # Stop reporting Pipenv and Setuptools as "pip".
+    # See https://gitlab.com/gitlab-org/gitlab/-/issues/338252
+    DS_REPORT_PACKAGE_MANAGER_PIP_WHEN_PYTHON: "false"
+  rules:
+    - if: $DEPENDENCY_SCANNING_DISABLED
+      when: never
+    - if: $DS_EXCLUDED_ANALYZERS =~ /gemnasium-python/
+      when: never
+    - if: $CI_COMMIT_BRANCH &&
+          $GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
+          $DS_DEFAULT_ANALYZERS =~ /gemnasium-python/
+      exists:
+        - '{requirements.txt,*/requirements.txt,*/*/requirements.txt}'
+        - '{requirements.pip,*/requirements.pip,*/*/requirements.pip}'
+        - '{Pipfile,*/Pipfile,*/*/Pipfile}'
+        - '{requires.txt,*/requires.txt,*/*/requires.txt}'
+        - '{setup.py,*/setup.py,*/*/setup.py}'
+        # Support passing of $PIP_REQUIREMENTS_FILE
+        # See https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#configuring-specific-analyzers-used-by-dependency-scanning
+    - if: $CI_COMMIT_BRANCH &&
+          $GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
+          $DS_DEFAULT_ANALYZERS =~ /gemnasium-python/ &&
+          $PIP_REQUIREMENTS_FILE
+
+bundler-audit-dependency_scanning:
+  extends: .ds-analyzer
+  image:
+    name: "$DS_ANALYZER_IMAGE"
+  variables:
+    # DS_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
+    # override the analyzer image with a custom value. This may be subject to change or
+    # breakage across GitLab releases.
+    DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/bundler-audit:$DS_MAJOR_VERSION"
+  rules:
+    - if: $DEPENDENCY_SCANNING_DISABLED
+      when: never
+    - if: $DS_EXCLUDED_ANALYZERS =~ /bundler-audit/
+      when: never
+    - if: $CI_COMMIT_BRANCH &&
+          $GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
+          $DS_DEFAULT_ANALYZERS =~ /bundler-audit/
+      exists:
+        - '{Gemfile.lock,*/Gemfile.lock,*/*/Gemfile.lock}'
+
+retire-js-dependency_scanning:
+  extends: .ds-analyzer
+  image:
+    name: "$DS_ANALYZER_IMAGE"
+  variables:
+    # DS_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
+    # override the analyzer image with a custom value. This may be subject to change or
+    # breakage across GitLab releases.
+    DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/retire.js:$DS_MAJOR_VERSION"
+  rules:
+    - if: $DEPENDENCY_SCANNING_DISABLED
+      when: never
+    - if: $DS_EXCLUDED_ANALYZERS =~ /retire.js/
+      when: never
+    - if: $CI_COMMIT_BRANCH &&
+          $GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
+          $DS_DEFAULT_ANALYZERS =~ /retire.js/
+      exists:
+        - '{package.json,*/package.json,*/*/package.json}'
--- a/lib/gitlab/ci/templates/Jobs/License-Scanning.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Jobs/License-Scanning.gitlab-ci.yml
+# To contribute improvements to CI/CD templates, please follow the Development guide at:
+# https://docs.gitlab.com/ee/development/cicd/templates.html
+# This specific template is located at:
+# https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/License-Scanning.gitlab-ci.yml
+
+# Read more about this feature here: https://docs.gitlab.com/ee/user/compliance/license_compliance/index.html
+#
+# Configure license scanning with CI/CD variables (https://docs.gitlab.com/ee/ci/variables/index.html).
+# List of available variables: https://docs.gitlab.com/ee/user/compliance/license_compliance/#available-variables
+
+variables:
+  # Setting this variable will affect all Security templates
+  # (SAST, Dependency Scanning, ...)
+  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
+
+  LICENSE_MANAGEMENT_SETUP_CMD: ''  # If needed, specify a command to setup your environment with a custom package manager.
+  LICENSE_MANAGEMENT_VERSION: 3
+
+license_scanning:
+  stage: test
+  image:
+    name: "$SECURE_ANALYZERS_PREFIX/license-finder:$LICENSE_MANAGEMENT_VERSION"
+    entrypoint: [""]
+  variables:
+    LM_REPORT_VERSION: '2.1'
+    SETUP_CMD: $LICENSE_MANAGEMENT_SETUP_CMD
+  allow_failure: true
+  script:
+    - /run.sh analyze .
+  artifacts:
+    reports:
+      license_scanning: gl-license-scanning-report.json
+  dependencies: []
+  rules:
+    - if: $LICENSE_MANAGEMENT_DISABLED
+      when: never
+    - if: $CI_COMMIT_BRANCH &&
+          $GITLAB_FEATURES =~ /\blicense_scanning\b/
--- a/lib/gitlab/ci/templates/Security/Dependency-Scanning.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Security/Dependency-Scanning.gitlab-ci.yml
-# To contribute improvements to CI/CD templates, please follow the Development guide at:
-# https://docs.gitlab.com/ee/development/cicd/templates.html
-# This specific template is located at:
-# https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/Dependency-Scanning.gitlab-ci.yml
+# This template moved to Jobs/Dependency-Scanning.gitlab-ci.yml in GitLab 14.8
+# Issue: https://gitlab.com/gitlab-org/gitlab/-/issues/292977

-# Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/dependency_scanning/
-#
-# Configure dependency scanning with CI/CD variables (https://docs.gitlab.com/ee/ci/variables/index.html).
-# List of available variables: https://docs.gitlab.com/ee/user/application_security/dependency_scanning/index.html#available-variables
-
-variables:
-  # Setting this variable will affect all Security templates
-  # (SAST, Dependency Scanning, ...)
-  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
-  DS_DEFAULT_ANALYZERS: "bundler-audit, retire.js, gemnasium, gemnasium-maven, gemnasium-python"
-  DS_EXCLUDED_ANALYZERS: ""
-  DS_EXCLUDED_PATHS: "spec, test, tests, tmp"
-  DS_MAJOR_VERSION: 2
-
-dependency_scanning:
-  stage: test
-  script:
-    - echo "$CI_JOB_NAME is used for configuration only, and its script should not be executed"
-    - exit 1
-  artifacts:
-    reports:
-      dependency_scanning: gl-dependency-scanning-report.json
-  dependencies: []
-  rules:
-    - when: never
-
-.ds-analyzer:
-  extends: dependency_scanning
-  allow_failure: true
-  # `rules` must be overridden explicitly by each child job
-  # see https://gitlab.com/gitlab-org/gitlab/-/issues/218444
-  script:
-    - /analyzer run
-
-gemnasium-dependency_scanning:
-  extends: .ds-analyzer
-  image:
-    name: "$DS_ANALYZER_IMAGE"
-  variables:
-    # DS_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
-    # override the analyzer image with a custom value. This may be subject to change or
-    # breakage across GitLab releases.
-    DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/gemnasium:$DS_MAJOR_VERSION"
-    GEMNASIUM_LIBRARY_SCAN_ENABLED: "true"
-  rules:
-    - if: $DEPENDENCY_SCANNING_DISABLED
-      when: never
-    - if: $DS_EXCLUDED_ANALYZERS =~ /gemnasium([^-]|$)/
-      when: never
-    - if: $CI_COMMIT_BRANCH &&
-          $GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
-          $DS_DEFAULT_ANALYZERS =~ /gemnasium([^-]|$)/
-      exists:
-        - '{Gemfile.lock,*/Gemfile.lock,*/*/Gemfile.lock}'
-        - '{composer.lock,*/composer.lock,*/*/composer.lock}'
-        - '{gems.locked,*/gems.locked,*/*/gems.locked}'
-        - '{go.sum,*/go.sum,*/*/go.sum}'
-        - '{npm-shrinkwrap.json,*/npm-shrinkwrap.json,*/*/npm-shrinkwrap.json}'
-        - '{package-lock.json,*/package-lock.json,*/*/package-lock.json}'
-        - '{yarn.lock,*/yarn.lock,*/*/yarn.lock}'
-        - '{packages.lock.json,*/packages.lock.json,*/*/packages.lock.json}'
-        - '{conan.lock,*/conan.lock,*/*/conan.lock}'
-
-gemnasium-maven-dependency_scanning:
-  extends: .ds-analyzer
-  image:
-    name: "$DS_ANALYZER_IMAGE"
-  variables:
-    # DS_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
-    # override the analyzer image with a custom value. This may be subject to change or
-    # breakage across GitLab releases.
-    DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/gemnasium-maven:$DS_MAJOR_VERSION"
-    # Stop reporting Gradle as "maven".
-    # See https://gitlab.com/gitlab-org/gitlab/-/issues/338252
-    DS_REPORT_PACKAGE_MANAGER_MAVEN_WHEN_JAVA: "false"
-  rules:
-    - if: $DEPENDENCY_SCANNING_DISABLED
-      when: never
-    - if: $DS_EXCLUDED_ANALYZERS =~ /gemnasium-maven/
-      when: never
-    - if: $CI_COMMIT_BRANCH &&
-          $GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
-          $DS_DEFAULT_ANALYZERS =~ /gemnasium-maven/
-      exists:
-        - '{build.gradle,*/build.gradle,*/*/build.gradle}'
-        - '{build.gradle.kts,*/build.gradle.kts,*/*/build.gradle.kts}'
-        - '{build.sbt,*/build.sbt,*/*/build.sbt}'
-        - '{pom.xml,*/pom.xml,*/*/pom.xml}'
-
-gemnasium-python-dependency_scanning:
-  extends: .ds-analyzer
-  image:
-    name: "$DS_ANALYZER_IMAGE"
-  variables:
-    # DS_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
-    # override the analyzer image with a custom value. This may be subject to change or
-    # breakage across GitLab releases.
-    DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/gemnasium-python:$DS_MAJOR_VERSION"
-    # Stop reporting Pipenv and Setuptools as "pip".
-    # See https://gitlab.com/gitlab-org/gitlab/-/issues/338252
-    DS_REPORT_PACKAGE_MANAGER_PIP_WHEN_PYTHON: "false"
-  rules:
-    - if: $DEPENDENCY_SCANNING_DISABLED
-      when: never
-    - if: $DS_EXCLUDED_ANALYZERS =~ /gemnasium-python/
-      when: never
-    - if: $CI_COMMIT_BRANCH &&
-          $GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
-          $DS_DEFAULT_ANALYZERS =~ /gemnasium-python/
-      exists:
-        - '{requirements.txt,*/requirements.txt,*/*/requirements.txt}'
-        - '{requirements.pip,*/requirements.pip,*/*/requirements.pip}'
-        - '{Pipfile,*/Pipfile,*/*/Pipfile}'
-        - '{requires.txt,*/requires.txt,*/*/requires.txt}'
-        - '{setup.py,*/setup.py,*/*/setup.py}'
-        # Support passing of $PIP_REQUIREMENTS_FILE
-        # See https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#configuring-specific-analyzers-used-by-dependency-scanning
-    - if: $CI_COMMIT_BRANCH &&
-          $GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
-          $DS_DEFAULT_ANALYZERS =~ /gemnasium-python/ &&
-          $PIP_REQUIREMENTS_FILE
-
-bundler-audit-dependency_scanning:
-  extends: .ds-analyzer
-  image:
-    name: "$DS_ANALYZER_IMAGE"
-  variables:
-    # DS_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
-    # override the analyzer image with a custom value. This may be subject to change or
-    # breakage across GitLab releases.
-    DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/bundler-audit:$DS_MAJOR_VERSION"
-  rules:
-    - if: $DEPENDENCY_SCANNING_DISABLED
-      when: never
-    - if: $DS_EXCLUDED_ANALYZERS =~ /bundler-audit/
-      when: never
-    - if: $CI_COMMIT_BRANCH &&
-          $GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
-          $DS_DEFAULT_ANALYZERS =~ /bundler-audit/
-      exists:
-        - '{Gemfile.lock,*/Gemfile.lock,*/*/Gemfile.lock}'
-
-retire-js-dependency_scanning:
-  extends: .ds-analyzer
-  image:
-    name: "$DS_ANALYZER_IMAGE"
-  variables:
-    # DS_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
-    # override the analyzer image with a custom value. This may be subject to change or
-    # breakage across GitLab releases.
-    DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/retire.js:$DS_MAJOR_VERSION"
-  rules:
-    - if: $DEPENDENCY_SCANNING_DISABLED
-      when: never
-    - if: $DS_EXCLUDED_ANALYZERS =~ /retire.js/
-      when: never
-    - if: $CI_COMMIT_BRANCH &&
-          $GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
-          $DS_DEFAULT_ANALYZERS =~ /retire.js/
-      exists:
-        - '{package.json,*/package.json,*/*/package.json}'
+include:
+  template: Jobs/Dependency-Scanning.gitlab-ci.yml
--- a/lib/gitlab/ci/templates/Security/License-Scanning.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Security/License-Scanning.gitlab-ci.yml
-# To contribute improvements to CI/CD templates, please follow the Development guide at:
-# https://docs.gitlab.com/ee/development/cicd/templates.html
-# This specific template is located at:
-# https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/License-Scanning.gitlab-ci.yml
+# This template moved to Jobs/License-Scanning.gitlab-ci.yml in GitLab 14.8
+# Issue: https://gitlab.com/gitlab-org/gitlab/-/issues/292977

-# Read more about this feature here: https://docs.gitlab.com/ee/user/compliance/license_compliance/index.html
-#
-# Configure license scanning with CI/CD variables (https://docs.gitlab.com/ee/ci/variables/index.html).
-# List of available variables: https://docs.gitlab.com/ee/user/compliance/license_compliance/#available-variables
-
-variables:
-  # Setting this variable will affect all Security templates
-  # (SAST, Dependency Scanning, ...)
-  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
-
-  LICENSE_MANAGEMENT_SETUP_CMD: ''  # If needed, specify a command to setup your environment with a custom package manager.
-  LICENSE_MANAGEMENT_VERSION: 3
-
-license_scanning:
-  stage: test
-  image:
-    name: "$SECURE_ANALYZERS_PREFIX/license-finder:$LICENSE_MANAGEMENT_VERSION"
-    entrypoint: [""]
-  variables:
-    LM_REPORT_VERSION: '2.1'
-    SETUP_CMD: $LICENSE_MANAGEMENT_SETUP_CMD
-  allow_failure: true
-  script:
-    - /run.sh analyze .
-  artifacts:
-    reports:
-      license_scanning: gl-license-scanning-report.json
-  dependencies: []
-  rules:
-    - if: $LICENSE_MANAGEMENT_DISABLED
-      when: never
-    - if: $CI_COMMIT_BRANCH &&
-          $GITLAB_FEATURES =~ /\blicense_scanning\b/
+include:
+  template: Jobs/License-Scanning.gitlab-ci.yml
--- a/lib/gitlab/usage_data_counters/known_events/ci_templates.yml
+++ b/lib/gitlab/usage_data_counters/known_events/ci_templates.yml
@@ -83,10 +83,6 @@
  category: ci_templates
  redis_slot: ci_templates
  aggregation: weekly
- name: p_ci_templates_security_sast_iac_latest
-  category: ci_templates
-  redis_slot: ci_templates
-  aggregation: weekly
 - name: p_ci_templates_security_dast_runner_validation
  category: ci_templates
  redis_slot: ci_templates
@@ -123,10 +119,6 @@
  category: ci_templates
  redis_slot: ci_templates
  aggregation: weekly
- name: p_ci_templates_security_dast_api_latest
-  category: ci_templates
-  redis_slot: ci_templates
-  aggregation: weekly
 - name: p_ci_templates_security_container_scanning
  category: ci_templates
  redis_slot: ci_templates
@@ -139,6 +131,10 @@
  category: ci_templates
  redis_slot: ci_templates
  aggregation: weekly
+- name: p_ci_templates_security_dast_api_latest
+  category: ci_templates
+  redis_slot: ci_templates
+  aggregation: weekly
 - name: p_ci_templates_security_api_fuzzing
  category: ci_templates
  redis_slot: ci_templates
@@ -147,6 +143,10 @@
  category: ci_templates
  redis_slot: ci_templates
  aggregation: weekly
+- name: p_ci_templates_security_sast_iac_latest
+  category: ci_templates
+  redis_slot: ci_templates
+  aggregation: weekly
 - name: p_ci_templates_security_cluster_image_scanning
  category: ci_templates
  redis_slot: ci_templates
@@ -203,6 +203,10 @@
  category: ci_templates
  redis_slot: ci_templates
  aggregation: weekly
+- name: p_ci_templates_kaniko
+  category: ci_templates
+  redis_slot: ci_templates
+  aggregation: weekly
 - name: p_ci_templates_managed_cluster_applications
  category: ci_templates
  redis_slot: ci_templates
@@ -283,11 +287,11 @@
  category: ci_templates
  redis_slot: ci_templates
  aggregation: weekly
- name: p_ci_templates_jobs_sast_iac_latest
+- name: p_ci_templates_jobs_secret_detection
  category: ci_templates
  redis_slot: ci_templates
  aggregation: weekly
- name: p_ci_templates_jobs_secret_detection
+- name: p_ci_templates_jobs_license_scanning
  category: ci_templates
  redis_slot: ci_templates
  aggregation: weekly
@@ -323,6 +327,10 @@
  category: ci_templates
  redis_slot: ci_templates
  aggregation: weekly
+- name: p_ci_templates_jobs_dependency_scanning
+  category: ci_templates
+  redis_slot: ci_templates
+  aggregation: weekly
 - name: p_ci_templates_jobs_deploy_latest
  category: ci_templates
  redis_slot: ci_templates
@@ -339,6 +347,10 @@
  category: ci_templates
  redis_slot: ci_templates
  aggregation: weekly
+- name: p_ci_templates_jobs_sast_iac_latest
+  category: ci_templates
+  redis_slot: ci_templates
+  aggregation: weekly
 - name: p_ci_templates_terraform_latest
  category: ci_templates
  redis_slot: ci_templates
@@ -467,11 +479,11 @@
  category: ci_templates
  redis_slot: ci_templates
  aggregation: weekly
- name: p_ci_templates_implicit_jobs_sast_iac_latest
+- name: p_ci_templates_implicit_jobs_secret_detection
  category: ci_templates
  redis_slot: ci_templates
  aggregation: weekly
- name: p_ci_templates_implicit_jobs_secret_detection
+- name: p_ci_templates_implicit_jobs_license_scanning
  category: ci_templates
  redis_slot: ci_templates
  aggregation: weekly
@@ -507,6 +519,10 @@
  category: ci_templates
  redis_slot: ci_templates
  aggregation: weekly
+- name: p_ci_templates_implicit_jobs_dependency_scanning
+  category: ci_templates
+  redis_slot: ci_templates
+  aggregation: weekly
 - name: p_ci_templates_implicit_jobs_deploy_latest
  category: ci_templates
  redis_slot: ci_templates
@@ -523,11 +539,11 @@
  category: ci_templates
  redis_slot: ci_templates
  aggregation: weekly
- name: p_ci_templates_implicit_security_sast
+- name: p_ci_templates_implicit_jobs_sast_iac_latest
  category: ci_templates
  redis_slot: ci_templates
  aggregation: weekly
- name: p_ci_templates_implicit_security_sast_iac_latest
+- name: p_ci_templates_implicit_security_sast
  category: ci_templates
  redis_slot: ci_templates
  aggregation: weekly
@@ -567,10 +583,6 @@
  category: ci_templates
  redis_slot: ci_templates
  aggregation: weekly
- name: p_ci_templates_implicit_security_dast_api_latest
-  category: ci_templates
-  redis_slot: ci_templates
-  aggregation: weekly
 - name: p_ci_templates_implicit_security_container_scanning
  category: ci_templates
  redis_slot: ci_templates
@@ -583,6 +595,10 @@
  category: ci_templates
  redis_slot: ci_templates
  aggregation: weekly
+- name: p_ci_templates_implicit_security_dast_api_latest
+  category: ci_templates
+  redis_slot: ci_templates
+  aggregation: weekly
 - name: p_ci_templates_implicit_security_api_fuzzing
  category: ci_templates
  redis_slot: ci_templates
@@ -591,11 +607,11 @@
  category: ci_templates
  redis_slot: ci_templates
  aggregation: weekly
- name: p_ci_templates_implicit_security_cluster_image_scanning
+- name: p_ci_templates_implicit_security_sast_iac_latest
  category: ci_templates
  redis_slot: ci_templates
  aggregation: weekly
- name: p_ci_templates_kaniko
+- name: p_ci_templates_implicit_security_cluster_image_scanning
  category: ci_templates
  redis_slot: ci_templates
  aggregation: weekly