Deprecate but keep support for

Klar up to version 3. A new analyzer based on
Trivy will be used from version 4 onwards

changelogs/unreleased/deprecated_but_keep_support_for_klar_up_to_3.yml

+---
+title: Deprecate but keep support for Klar up to version 3. A new analyzer based on
+  Trivy will be used from version 4 onwards
+merge_request: 57281
+author:
+type: changed

ee/spec/lib/gitlab/ci/templates/container_scanning_gitlab_ci_yaml_spec.rb

@@ -33,6 +33,16 @@ RSpec.describe 'Container-Scanning.gitlab-ci.yml' do
       end
 
       context 'by default' do
+        it 'includes job' do
+          expect(build_names).to match_array(%w[container_scanning_deprecated])
+        end
+      end
+
+      context 'with CS_MAJOR_VERSION greater than 3' do
+        before do
+          create(:ci_variable, project: project, key: 'CS_MAJOR_VERSION', value: '4')
+        end
+
         it 'includes job' do
           expect(build_names).to match_array(%w[container_scanning])
         end

lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml

@@ -6,14 +6,10 @@ variables:
   SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
   CS_MAJOR_VERSION: 3
 
-container_scanning:
+.cs_common:
   stage: test
   image: "$CS_ANALYZER_IMAGE"
   variables:
-    # By default, use the latest clair vulnerabilities database, however, allow it to be overridden here with a specific image
-    # to enable container scanning to run offline, or to provide a consistent list of vulnerabilities for integration testing purposes
-    CLAIR_DB_IMAGE_TAG: "latest"
-    CLAIR_DB_IMAGE: "$SECURE_ANALYZERS_PREFIX/clair-vulnerabilities-db:$CLAIR_DB_IMAGE_TAG"
     # Override the GIT_STRATEGY variable in your `.gitlab-ci.yml` file and set it to `fetch` if you want to provide a `clair-whitelist.yml`
     # file. See https://docs.gitlab.com/ee/user/application_security/container_scanning/index.html#overriding-the-container-scanning-template
     # for details
@@ -21,19 +17,44 @@ container_scanning:
     # CS_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
     # override the analyzer image with a custom value. This may be subject to change or
     # breakage across GitLab releases.
-    CS_ANALYZER_IMAGE: $SECURE_ANALYZERS_PREFIX/klar:$CS_MAJOR_VERSION
+    CS_ANALYZER_IMAGE: $SECURE_ANALYZERS_PREFIX/$CS_PROJECT:$CS_MAJOR_VERSION
   allow_failure: true
+  artifacts:
+    reports:
+      container_scanning: gl-container-scanning-report.json
+  dependencies: []
+
+container_scanning_deprecated:
+  extends: .cs_common
+  variables:
+    # By default, use the latest clair vulnerabilities database, however, allow it to be overridden here with a specific image
+    # to enable container scanning to run offline, or to provide a consistent list of vulnerabilities for integration testing purposes
+    CLAIR_DB_IMAGE_TAG: "latest"
+    CLAIR_DB_IMAGE: "$SECURE_ANALYZERS_PREFIX/clair-vulnerabilities-db:$CLAIR_DB_IMAGE_TAG"
+    CS_PROJECT: 'klar'
   services:
     - name: $CLAIR_DB_IMAGE
       alias: clair-vulnerabilities-db
   script:
     - /analyzer run
+  rules:
+    - if: $CONTAINER_SCANNING_DISABLED
+      when: never
+    - if: $CI_COMMIT_BRANCH &&
+          $GITLAB_FEATURES =~ /\bcontainer_scanning\b/ &&
+          $CS_MAJOR_VERSION =~ /^[0-3]$/
+
+container_scanning:
+  extends: .cs_common
+  variables:
+    CS_PROJECT: 'container-scanning'
+  script:
+    - gtcs scan
   artifacts:
-    reports:
-      container_scanning: gl-container-scanning-report.json
-  dependencies: []
+    paths: [gl-container-scanning-report.json]
   rules:
     - if: $CONTAINER_SCANNING_DISABLED
       when: never
     - if: $CI_COMMIT_BRANCH &&
-          $GITLAB_FEATURES =~ /\bcontainer_scanning\b/
+          $GITLAB_FEATURES =~ /\bcontainer_scanning\b/ &&
+          $CS_MAJOR_VERSION !~ /^[0-3]$/