Merge branch 'revert-4c24d8aa' into 'master'

Revert "feat: Update SECURE_ANALYZER_PREFIX in all Sec Section templates"

See merge request gitlab-org/gitlab!80195

.gitlab/ci/review-apps/dast.gitlab-ci.yml

@@ -5,7 +5,7 @@
   extends:
     - .reports:rules:schedule-dast
   image:
-    name: "registry.gitlab.com/security-products/dast:$DAST_VERSION"
+    name: "registry.gitlab.com/gitlab-org/security-products/dast:$DAST_VERSION"
   resource_group: dast_scan
   variables:
     DAST_USERNAME_FIELD: "user[login]"

app/validators/json_schemas/security_ci_configuration_schemas/sast_ui_schema.json

@@ -2,8 +2,8 @@
     "$schema": "http://json-schema.org/draft-07/schema#",
     "global": [
         {
-            "field": "SECURE_ANALYZERS_PREFIX",
-            "label": "Image prefix",
+            "field" : "SECURE_ANALYZERS_PREFIX",
+            "label" : "Image prefix",
             "type": "string",
             "default_value": "",
             "value": "",

doc/user/application_security/api_fuzzing/index.md

@@ -1163,11 +1163,11 @@ Steps:
 
 The Docker image for API Fuzzing must be pulled (downloaded) from the public registry and then pushed (imported) into a local registry. The GitLab container registry can be used to locally host the Docker image. This process can be performed using a special template. See [loading Docker images onto your offline host](../offline_deployments/index.md#loading-docker-images-onto-your-offline-host) for instructions.
 
-Once the Docker image is hosted locally, the `SECURE_ANALYZERS_PREFIX` variable is set with the location of the local registry. The variable must be set such that concatenating `/api-security:1` results in a valid image location.
+Once the Docker image is hosted locally, the `SECURE_ANALYZERS_PREFIX` variable is set with the location of the local registry. The variable must be set such that concatenating `/api-fuzzing:1` results in a valid image location.
 
-For example, the below line sets a registry for the image `registry.gitlab.com/security-products/api-security:1`:
+For example, the below line sets a registry for the image `registry.gitlab.com/gitlab-org/security-products/analyzers/api-fuzzing:1`:
 
-`SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"`
+`SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"`
 
 NOTE:
 Setting `SECURE_ANALYZERS_PREFIX` changes the Docker image registry location for all GitLab Secure templates.

doc/user/application_security/dast_api/index.md

@@ -1125,9 +1125,9 @@ Once the Docker image is hosted locally, the `SECURE_ANALYZERS_PREFIX` variable
 NOTE:
 DAST API and API Fuzzing both use the same underlying Docker image `api-fuzzing:1`.
 
-For example, the below line sets a registry for the image `registry.gitlab.com/security-products/api-fuzzing:1`:
+For example, the below line sets a registry for the image `registry.gitlab.com/gitlab-org/security-products/analyzers/api-fuzzing:1`:
 
-`SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"`
+`SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"`
 
 NOTE:
 Setting `SECURE_ANALYZERS_PREFIX` changes the Docker image registry location for all GitLab Secure templates.

doc/user/application_security/dependency_scanning/analyzers.md

@@ -45,7 +45,7 @@ Any custom change to the official analyzers can be achieved by using a
 You can switch to a custom Docker registry that provides the official analyzer
 images under a different prefix. For instance, the following instructs Dependency
 Scanning to pull `my-docker-registry/gl-images/gemnasium`
-instead of `registry.gitlab.com/security-products/dependency-scanning/gemnasium`.
+instead of `registry.gitlab.com/gitlab-org/security-products/analyzers/gemnasium`.
 In `.gitlab-ci.yml` define:
 
 ```yaml

doc/user/application_security/dependency_scanning/index.md

@@ -779,11 +779,11 @@ import the following default dependency scanning analyzer images from `registry.
 your [local Docker container registry](../../packages/container_registry/index.md):
 
 ```plaintext
-registry.gitlab.com/security-products/dependency-scanning/gemnasium:2
-registry.gitlab.com/security-products/dependency-scanning/gemnasium-maven:2
-registry.gitlab.com/security-products/dependency-scanning/gemnasium-python:2
-registry.gitlab.com/security-products/dependency-scanning/retire.js:2
-registry.gitlab.com/security-products/dependency-scanning/bundler-audit:2
+registry.gitlab.com/gitlab-org/security-products/analyzers/gemnasium:2
+registry.gitlab.com/gitlab-org/security-products/analyzers/gemnasium-maven:2
+registry.gitlab.com/gitlab-org/security-products/analyzers/gemnasium-python:2
+registry.gitlab.com/gitlab-org/security-products/analyzers/retire.js:2
+registry.gitlab.com/gitlab-org/security-products/analyzers/bundler-audit:2
 ```
 
 The process for importing Docker images into a local offline Docker registry depends on
@@ -1082,4 +1082,4 @@ analyzers, edit your `gitlab-ci.yml` file and either:
 
   For example, currently the `gemnasium-maven-dependency_scanning` job pulls the latest
   `gemnasium-maven` Docker image because `DS_ANALYZER_IMAGE` is set to
-  `"$SECURE_ANALYZERS_PREFIX/dependency-scanning/gemnasium-maven:$DS_MAJOR_VERSION"`.
+  `"$SECURE_ANALYZERS_PREFIX/gemnasium-maven:$DS_MAJOR_VERSION"`.

doc/user/application_security/index.md

@@ -92,9 +92,11 @@ For more details about each of the security scanning tools, see their respective
 
 ### Override the default registry base address
 
-By default, GitLab security scanners use `registry.gitlab.com/security-products` as the
+By default, GitLab security scanners use `registry.gitlab.com/gitlab-org/security-products/analyzers` as the
 base address for Docker images. You can override this globally by setting the CI/CD variable
-`SECURE_ANALYZERS_PREFIX` to another location. Note that this affects all scanners at once.
+`SECURE_ANALYZERS_PREFIX` to another location. Note that this affects all scanners at once, except
+the container-scanning analyzer which uses
+`registry.gitlab.com/security-products/container-scanning` as its registry.
 
 ### Use security scanning tools with merge request pipelines
 

doc/user/application_security/offline_deployments/index.md

@@ -179,7 +179,7 @@ set -ux
 
 # Specify needed analyzer images
 analyzers=${SAST_ANALYZERS:-"bandit eslint gosec"}
-gitlab=registry.gitlab.com/security-products/sast/
+gitlab=registry.gitlab.com/gitlab-org/security-products/analyzers/
 
 for i in "${analyzers[@]}"
 do

doc/user/compliance/license_compliance/index.md

@@ -669,7 +669,7 @@ import the following default License Compliance analyzer images from `registry.g
 offline [local Docker container registry](../../packages/container_registry/index.md):
 
 ```plaintext
-registry.gitlab.com/security-products/license-compliance/license-finder:latest
+registry.gitlab.com/gitlab-org/security-products/analyzers/license-finder:latest
 ```
 
 The process for importing Docker images into a local offline Docker registry depends on
@@ -872,7 +872,7 @@ A full list of variables can be found in [CI/CD variables](#available-cicd-varia
 To find out what tools are pre-installed in the `license_scanning` Docker image use the following command:
 
 ```shell
-$ docker run --entrypoint='' registry.gitlab.com/security-products/license-compliance/license-finder:3 /bin/bash -lc 'asdf list'
+$ docker run --entrypoint='' registry.gitlab.com/gitlab-org/security-products/analyzers/license-finder:3 /bin/bash -lc 'asdf list'
 golang
   1.14
 gradle
@@ -899,7 +899,7 @@ sbt
 To interact with the `license_scanning` runtime environment use the following command:
 
 ```shell
-$ docker run -it --entrypoint='' registry.gitlab.com/security-products/license-compliance/license-finder:3 /bin/bash -l
+$ docker run -it --entrypoint='' registry.gitlab.com/gitlab-org/security-products/analyzers/license-finder:3 /bin/bash -l
 root@6abb70e9f193:~#
 ```
 

ee/spec/lib/gitlab/ci/config/security_orchestration_policies/processor_spec.rb

@@ -139,19 +139,9 @@ RSpec.describe Gitlab::Ci::Config::SecurityOrchestrationPolicies::Processor do
           let(:expected_configuration) do
             {
               'secret-detection-0': hash_including(
-                rules: [
-                  { if: '$SECRET_DETECTION_DISABLED', when: 'never' },
-                  {
-                    if: '$CI_COMMIT_BRANCH && $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX',
-                    variables: { SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX" }
-                  },
-                  {
-                    if: "$CI_COMMIT_BRANCH",
-                    variables: { SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX" }
-                  }
-                ],
+                rules: [{ if: '$SECRET_DETECTION_DISABLED', when: 'never' }, { if: '$CI_COMMIT_BRANCH' }],
                 stage: 'test',
-                image: '$SECURE_ANALYZERS_PREFIX/secret-detection:$SECRETS_ANALYZER_VERSION',
+                image: '$SECURE_ANALYZERS_PREFIX/secrets:$SECRETS_ANALYZER_VERSION',
                 services: [],
                 allow_failure: true,
                 artifacts: {
@@ -161,9 +151,7 @@ RSpec.describe Gitlab::Ci::Config::SecurityOrchestrationPolicies::Processor do
                 },
                 variables: {
                   GIT_DEPTH: '50',
-                  SECURE_ANALYZERS_PREFIX: secure_analyzers_prefix,
-                  DEFAULT_SECURE_ANALYZERS_PREFIX: secure_analyzers_prefix,
-                  DEPRECATED_SECURE_ANALYZERS_PREFIX: 'registry.gitlab.com/gitlab-org/security-products/analyzers',
+                  SECURE_ANALYZERS_PREFIX: 'registry.gitlab.com/gitlab-org/security-products/analyzers',
                   SECRETS_ANALYZER_VERSION: '3',
                   SECRET_DETECTION_EXCLUDED_PATHS: '',
                   SECRET_DETECTION_HISTORIC_SCAN: 'false'

ee/spec/lib/gitlab/ci/templates/api_fuzzing_gitlab_ci_yaml_spec.rb

@@ -10,8 +10,8 @@ RSpec.describe 'API-Fuzzing.gitlab-ci.yml' do
   describe 'the template file' do
     let(:template_filename) { Rails.root.join("lib/gitlab/ci/templates/" + template.full_name) }
     let(:contents) { File.read(template_filename) }
-    let(:production_registry) { '$SECURE_ANALYZERS_PREFIX/api-security:$FUZZAPI_VERSION' }
-    let(:staging_registry) { '$SECURE_ANALYZERS_PREFIX/api-security-src:$FUZZAPI_VERSION' }
+    let(:production_registry) { '${SECURE_ANALYZERS_PREFIX}/api-fuzzing:${FUZZAPI_VERSION}' }
+    let(:staging_registry) { '${SECURE_ANALYZERS_PREFIX}/api-fuzzing-src:${FUZZAPI_VERSION}' }
 
     # Make sure future changes to the template use the production container registry.
     #

ee/spec/lib/gitlab/ci/templates/api_fuzzing_latest_gitlab_ci_yaml_spec.rb

@@ -10,8 +10,8 @@ RSpec.describe 'API-Fuzzing.latest.gitlab-ci.yml' do
   describe 'the template file' do
     let(:template_filename) { Rails.root.join("lib/gitlab/ci/templates/" + template.full_name) }
     let(:contents) { File.read(template_filename) }
-    let(:production_registry) { 'FUZZAPI_IMAGE: "api-security"' }
-    let(:staging_registry) { 'FUZZAPI_IMAGE: api-security-src' }
+    let(:production_registry) { 'FUZZAPI_IMAGE: api-fuzzing' }
+    let(:staging_registry) { 'FUZZAPI_IMAGE: api-fuzzing-src' }
 
     # Make sure future changes to the template use the production container registry.
     #

ee/spec/lib/gitlab/ci/templates/dast_api_gitlab_ci_yaml_spec.rb

@@ -10,8 +10,8 @@ RSpec.describe 'DAST-API.gitlab-ci.yml' do
   describe 'the template file' do
     let(:template_filename) { Rails.root.join("lib/gitlab/ci/templates/" + template.full_name) }
     let(:contents) { File.read(template_filename) }
-    let(:production_registry) { 'DAST_API_IMAGE: "api-security"' }
-    let(:staging_registry) { 'DAST_API_IMAGE: "api-security-src"' }
+    let(:production_registry) { '$SECURE_ANALYZERS_PREFIX/api-fuzzing:$DAST_API_VERSION' }
+    let(:staging_registry) { '$SECURE_ANALYZERS_PREFIX/api-fuzzing-src:$DAST_API_VERSION' }
 
     # Make sure future changes to the template use the production container registry.
     #

ee/spec/lib/gitlab/ci/templates/dast_api_latest_gitlab_ci_yaml_spec.rb

@@ -10,8 +10,8 @@ RSpec.describe 'DAST-API.latest.gitlab-ci.yml' do
   describe 'the template file' do
     let(:template_filename) { Rails.root.join("lib/gitlab/ci/templates/" + template.full_name) }
     let(:contents) { File.read(template_filename) }
-    let(:production_registry) { 'DAST_API_IMAGE: api-security' }
-    let(:staging_registry) { 'DAST_API_IMAGE: api-security-src' }
+    let(:production_registry) { 'DAST_API_IMAGE: api-fuzzing' }
+    let(:staging_registry) { 'DAST_API_IMAGE: api-fuzzing-src' }
 
     # Make sure future changes to the template use the production container registry.
     #

ee/spec/lib/gitlab/ci/templates/dependency_scanning_gitlab_ci_yaml_spec.rb

@@ -114,9 +114,10 @@ RSpec.describe 'Dependency-Scanning.gitlab-ci.yml' do
 
           with_them do
             let(:project) { create(:project, :custom_repo, files: files_at_depth_x) }
-            let(:files_at_depth_x) { files }
 
             context 'with file at root' do
+              let(:files_at_depth_x) { files }
+
               it 'creates a pipeline with the expected jobs' do
                 expect(build_names).to include(*include_build_names)
               end
@@ -147,8 +148,6 @@ RSpec.describe 'Dependency-Scanning.gitlab-ci.yml' do
                 expect { pipeline }.to raise_error(Ci::CreatePipelineService::CreateError)
               end
             end
-
-            it_behaves_like 'setting sec analyzer prefix dynamically', builds: params[:include_build_names], files: params[:files], namespace: 'dependency-scanning'
           end
         end
 

ee/spec/lib/gitlab/ci/templates/sast_gitlab_ci_yaml_spec.rb

@@ -98,8 +98,6 @@ RSpec.describe 'SAST.gitlab-ci.yml' do
             it 'creates a pipeline with the expected jobs' do
               expect(build_names).to include(*include_build_names)
             end
-
-            include_examples 'setting sec analyzer prefix dynamically', builds: params[:include_build_names], files: params[:files], namespace: 'sast'
           end
         end
       end

ee/spec/lib/gitlab/ci/templates/sast_iac_latest_gitlab_ci_yaml_spec.rb

-# frozen_string_literal: true
-
-require 'spec_helper'
-
-RSpec.describe 'SAST-IaC.latest.gitlab-ci.yml' do
-  subject(:template) { Gitlab::Template::GitlabCiYmlTemplate.find('SAST-IaC.latest') }
-
-  describe 'the created pipeline' do
-    let(:default_branch) { 'master' }
-    let(:files) { { 'README.md' => '' } }
-    let(:project) { create(:project, :custom_repo, files: files) }
-    let(:user) { project.first_owner }
-    let(:service) { Ci::CreatePipelineService.new(project, user, ref: 'master') }
-    let(:pipeline) { service.execute!(:push).payload }
-    let(:build_names) { pipeline.builds.pluck(:name) }
-
-    before do
-      stub_ci_pipeline_yaml_file(template.content)
-      allow_next_instance_of(Ci::BuildScheduleWorker) do |worker|
-        allow(worker).to receive(:perform).and_return(true)
-      end
-      allow(project).to receive(:default_branch).and_return(default_branch)
-    end
-
-    context 'when project has no license' do
-      context 'when SAST_DISABLED=1' do
-        before do
-          create(:ci_variable, project: project, key: 'SAST_DISABLED', value: '1')
-        end
-
-        it 'includes no jobs' do
-          expect { pipeline }.to raise_error(Ci::CreatePipelineService::CreateError)
-        end
-      end
-    end
-
-    context 'by default' do
-      it 'creates a pipeline with the expected jobs' do
-        expect(build_names).to match_array(%w(kics-iac-sast))
-      end
-    end
-
-    describe 'setting SECURE_ANALYZER_PREFIX' do
-      it_behaves_like 'setting sec analyzer prefix dynamically', builds: %w(kics-iac-sast), namespace: 'sast'
-    end
-  end
-end

ee/spec/lib/gitlab/ci/templates/secret_detection_gitlab_ci_yaml_spec.rb

-# frozen_string_literal: true
-
-require 'spec_helper'
-
-RSpec.describe 'Secret-Detection.gitlab-ci.yml' do
-  subject(:template) { Gitlab::Template::GitlabCiYmlTemplate.find('Secret-Detection') }
-
-  describe 'the created pipeline' do
-    let(:default_branch) { 'master' }
-    let(:files) { { 'README.md' => '' } }
-    let(:project) { create(:project, :custom_repo, files: files) }
-    let(:user) { project.first_owner }
-    let(:service) { Ci::CreatePipelineService.new(project, user, ref: 'master') }
-    let(:pipeline) { service.execute!(:push).payload }
-    let(:build_names) { pipeline.builds.pluck(:name) }
-
-    before do
-      stub_ci_pipeline_yaml_file(template.content)
-      allow_next_instance_of(Ci::BuildScheduleWorker) do |worker|
-        allow(worker).to receive(:perform).and_return(true)
-      end
-      allow(project).to receive(:default_branch).and_return(default_branch)
-    end
-
-    context 'when project has no license' do
-      context 'when SECRET_DETECTION_DISABLED=1' do
-        before do
-          create(:ci_variable, project: project, key: 'SECRET_DETECTION_DISABLED', value: '1')
-        end
-
-        it 'includes no jobs' do
-          expect { pipeline }.to raise_error(Ci::CreatePipelineService::CreateError)
-        end
-      end
-
-      context 'by default' do
-        it 'creates a pipeline with the expected jobs' do
-          expect(build_names).to match_array(%w(secret_detection))
-        end
-      end
-
-      describe 'setting SECURE_ANALYZER_PREFIX' do
-        it_behaves_like 'setting sec analyzer prefix dynamically', builds: %w(secret_detection)
-      end
-    end
-  end
-end

ee/spec/lib/gitlab/ci/templates/secure_binaries_ci_yaml_spec.rb

@@ -52,7 +52,7 @@ RSpec.describe 'Secure-Binaries.gitlab-ci.yml' do
 
       it_behaves_like 'an offline image download job' do
         it 'sets SECURE_BINARIES_IMAGE explicitly' do
-          image = '${SECURE_ANALYZERS_PREFIX}/${CI_JOB_NAME}:${SECURE_BINARIES_ANALYZER_VERSION}'
+          image = 'registry.gitlab.com/security-products/${CI_JOB_NAME}:${SECURE_BINARIES_ANALYZER_VERSION}'
 
           expect(build.variables.to_hash).to include('SECURE_BINARIES_IMAGE' => image)
         end

ee/spec/services/security/security_orchestration_policies/ci_configuration_service_spec.rb

@@ -28,13 +28,9 @@ RSpec.describe Security::SecurityOrchestrationPolicies::CiConfigurationService d
 
         it 'returns prepared CI configuration with Secret Detection scans' do
           expected_configuration = {
-            rules: [
-              { if: '$SECRET_DETECTION_DISABLED', when: 'never' },
-              { if: '$CI_COMMIT_BRANCH && $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX', variables: { SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX" } },
-              { if: '$CI_COMMIT_BRANCH', variables: { SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX" } }
-            ],
+            rules: [{ if: '$SECRET_DETECTION_DISABLED', when: 'never' }, { if: '$CI_COMMIT_BRANCH' }],
             stage: 'test',
-            image: '$SECURE_ANALYZERS_PREFIX/secret-detection:$SECRETS_ANALYZER_VERSION',
+            image: '$SECURE_ANALYZERS_PREFIX/secrets:$SECRETS_ANALYZER_VERSION',
             services: [],
             allow_failure: true,
             artifacts: {
@@ -44,9 +40,7 @@ RSpec.describe Security::SecurityOrchestrationPolicies::CiConfigurationService d
             },
             variables: {
               GIT_DEPTH: '50',
-              SECURE_ANALYZERS_PREFIX: 'registry.gitlab.com/security-products',
-              DEFAULT_SECURE_ANALYZERS_PREFIX: 'registry.gitlab.com/security-products',
-              DEPRECATED_SECURE_ANALYZERS_PREFIX: 'registry.gitlab.com/gitlab-org/security-products/analyzers',
+              SECURE_ANALYZERS_PREFIX: 'registry.gitlab.com/gitlab-org/security-products/analyzers',
               SECRETS_ANALYZER_VERSION: '3',
               SECRET_DETECTION_EXCLUDED_PATHS: '',
               SECRET_DETECTION_HISTORIC_SCAN: 'false'

lib/gitlab/ci/templates/Jobs/SAST-IaC.latest.gitlab-ci.yml

 variables:
   # Setting this variable will affect all Security templates
   # (SAST, Dependency Scanning, ...)
-  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
-  # These placeholders will be removed in %15.0 with deprecation of previous registry path, see https://gitlab.com/groups/gitlab-org/-/epics/6162
-  DEFAULT_SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
-  DEPRECATED_SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
-
+  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
   SAST_EXCLUDED_PATHS: "spec, test, tests, tmp"
 
 iac-sast:
@@ -35,9 +31,4 @@ kics-iac-sast:
       when: never
     - if: $SAST_EXCLUDED_ANALYZERS =~ /kics/
       when: never
-    - if: $CI_COMMIT_BRANCH && $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
-      variables:
-        SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/sast"
     - if: $CI_COMMIT_BRANCH
-      variables:
-        SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"

lib/gitlab/ci/templates/Jobs/SAST.gitlab-ci.yml

@@ -6,10 +6,7 @@
 variables:
   # Setting this variable will affect all Security templates
   # (SAST, Dependency Scanning, ...)
-  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
-  # These placeholders will be removed in %15.0 with deprecation of previous registry path, see https://gitlab.com/groups/gitlab-org/-/epics/6162
-  DEFAULT_SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
-  DEPRECATED_SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
+  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
 
   SAST_EXCLUDED_ANALYZERS: ""
   SAST_EXCLUDED_PATHS: "spec, test, tests, tmp"
@@ -48,14 +45,7 @@ bandit-sast:
       when: never
     - if: $SAST_EXCLUDED_ANALYZERS =~ /bandit/
       when: never
-    - if: $CI_COMMIT_BRANCH && $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
-      variables:
-        SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/sast"
-      exists:
-        - '**/*.py'
     - if: $CI_COMMIT_BRANCH
-      variables:
-        SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
       exists:
         - '**/*.py'
 
@@ -71,15 +61,7 @@ brakeman-sast:
       when: never
     - if: $SAST_EXCLUDED_ANALYZERS =~ /brakeman/
       when: never
-    - if: $CI_COMMIT_BRANCH && $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
-      variables:
-        SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/sast"
-      exists:
-        - '**/*.rb'
-        - '**/Gemfile'
     - if: $CI_COMMIT_BRANCH
-      variables:
-        SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
       exists:
         - '**/*.rb'
         - '**/Gemfile'
@@ -96,18 +78,7 @@ eslint-sast:
       when: never
     - if: $SAST_EXCLUDED_ANALYZERS =~ /eslint/
       when: never
-    - if: $CI_COMMIT_BRANCH && $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
-      variables:
-        SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/sast"
-      exists:
-        - '**/*.html'
-        - '**/*.js'
-        - '**/*.jsx'
-        - '**/*.ts'
-        - '**/*.tsx'
     - if: $CI_COMMIT_BRANCH
-      variables:
-        SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
       exists:
         - '**/*.html'
         - '**/*.js'
@@ -127,15 +98,7 @@ flawfinder-sast:
       when: never
     - if: $SAST_EXCLUDED_ANALYZERS =~ /flawfinder/
       when: never
-    - if: $CI_COMMIT_BRANCH && $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
-      variables:
-        SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/sast"
-      exists:
-        - '**/*.c'
-        - '**/*.cpp'
     - if: $CI_COMMIT_BRANCH
-      variables:
-        SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
       exists:
         - '**/*.c'
         - '**/*.cpp'
@@ -152,15 +115,8 @@ kubesec-sast:
       when: never
     - if: $SAST_EXCLUDED_ANALYZERS =~ /kubesec/
       when: never
-    - if: $CI_COMMIT_BRANCH &&
-          $SCAN_KUBERNETES_MANIFESTS == 'true' &&
-          $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
-      variables:
-        SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/sast"
     - if: $CI_COMMIT_BRANCH &&
           $SCAN_KUBERNETES_MANIFESTS == 'true'
-      variables:
-        SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
 
 gosec-sast:
   extends: .sast-analyzer
@@ -174,14 +130,7 @@ gosec-sast:
       when: never
     - if: $SAST_EXCLUDED_ANALYZERS =~ /gosec/
       when: never
-    - if: $CI_COMMIT_BRANCH && $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
-      variables:
-        SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/sast"
-      exists:
-        - '**/*.go'
     - if: $CI_COMMIT_BRANCH
-      variables:
-        SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
       exists:
         - '**/*.go'
 
@@ -200,18 +149,8 @@ mobsf-android-sast:
       when: never
     - if: $SAST_EXCLUDED_ANALYZERS =~ /mobsf/
       when: never
-    - if: $CI_COMMIT_BRANCH &&
-          $SAST_EXPERIMENTAL_FEATURES == 'true' &&
-          $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
-      variables:
-        SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/sast"
-      exists:
-        - '**/*.apk'
-        - '**/AndroidManifest.xml'
     - if: $CI_COMMIT_BRANCH &&
           $SAST_EXPERIMENTAL_FEATURES == 'true'
-      variables:
-        SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
       exists:
         - '**/*.apk'
         - '**/AndroidManifest.xml'
@@ -223,18 +162,8 @@ mobsf-ios-sast:
       when: never
     - if: $SAST_EXCLUDED_ANALYZERS =~ /mobsf/
       when: never
-    - if: $CI_COMMIT_BRANCH &&
-          $SAST_EXPERIMENTAL_FEATURES == 'true' &&
-          $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
-      variables:
-        SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/sast"
-      exists:
-        - '**/*.ipa'
-        - '**/*.xcodeproj/*'
     - if: $CI_COMMIT_BRANCH &&
           $SAST_EXPERIMENTAL_FEATURES == 'true'
-      variables:
-        SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
       exists:
         - '**/*.ipa'
         - '**/*.xcodeproj/*'
@@ -251,14 +180,7 @@ nodejs-scan-sast:
       when: never
     - if: $SAST_EXCLUDED_ANALYZERS =~ /nodejs-scan/
       when: never
-    - if: $CI_COMMIT_BRANCH && $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
-      variables:
-        SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/sast"
-      exists:
-        - '**/package.json'
     - if: $CI_COMMIT_BRANCH
-      variables:
-        SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
       exists:
         - '**/package.json'
 
@@ -274,14 +196,7 @@ phpcs-security-audit-sast:
       when: never
     - if: $SAST_EXCLUDED_ANALYZERS =~ /phpcs-security-audit/
       when: never
-    - if: $CI_COMMIT_BRANCH && $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
-      variables:
-        SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/sast"
-      exists:
-        - '**/*.php'
     - if: $CI_COMMIT_BRANCH
-      variables:
-        SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
       exists:
         - '**/*.php'
 
@@ -297,14 +212,7 @@ pmd-apex-sast:
       when: never
     - if: $SAST_EXCLUDED_ANALYZERS =~ /pmd-apex/
       when: never
-    - if: $CI_COMMIT_BRANCH && $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
-      variables:
-        SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/sast"
-      exists:
-        - '**/*.cls'
     - if: $CI_COMMIT_BRANCH
-      variables:
-        SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
       exists:
         - '**/*.cls'
 
@@ -313,7 +221,6 @@ security-code-scan-sast:
   image:
     name: "$SAST_ANALYZER_IMAGE"
   variables:
-    SAST_ANALYZER_IMAGE_TAG: '3'
     SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/security-code-scan:$SAST_ANALYZER_IMAGE_TAG"
   rules:
     - if: $SAST_DISABLED
@@ -322,29 +229,15 @@ security-code-scan-sast:
       when: never
     # This rule shim will be removed in %15.0,
     # See https://gitlab.com/gitlab-org/gitlab/-/issues/350935
-    - if: $CI_COMMIT_BRANCH && $CI_SERVER_VERSION_MAJOR == '14' && $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
-      variables:
-        SAST_ANALYZER_IMAGE_TAG: '2'
-        SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/sast"
-      exists:
-        - '**/*.csproj'
-        - '**/*.vbproj'
     - if: $CI_COMMIT_BRANCH && $CI_SERVER_VERSION_MAJOR == '14'
       variables:
         SAST_ANALYZER_IMAGE_TAG: '2'
-        SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
-      exists:
-        - '**/*.csproj'
-        - '**/*.vbproj'
-    - if: $CI_COMMIT_BRANCH && $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
-      variables:
-        SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/sast"
       exists:
         - '**/*.csproj'
         - '**/*.vbproj'
     - if: $CI_COMMIT_BRANCH
       variables:
-        SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
+        SAST_ANALYZER_IMAGE_TAG: '3'
       exists:
         - '**/*.csproj'
         - '**/*.vbproj'
@@ -361,20 +254,7 @@ semgrep-sast:
       when: never
     - if: $SAST_EXCLUDED_ANALYZERS =~ /semgrep/
       when: never
-    - if: $CI_COMMIT_BRANCH && $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
-      variables:
-        SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/sast"
-      exists:
-        - '**/*.py'
-        - '**/*.js'
-        - '**/*.jsx'
-        - '**/*.ts'
-        - '**/*.tsx'
-        - '**/*.c'
-        - '**/*.go'
     - if: $CI_COMMIT_BRANCH
-      variables:
-        SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
       exists:
         - '**/*.py'
         - '**/*.js'
@@ -396,14 +276,7 @@ sobelow-sast:
       when: never
     - if: $SAST_EXCLUDED_ANALYZERS =~ /sobelow/
       when: never
-    - if: $CI_COMMIT_BRANCH && $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
-      variables:
-        SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/sast"
-      exists:
-        - 'mix.exs'
     - if: $CI_COMMIT_BRANCH
-      variables:
-        SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
       exists:
         - 'mix.exs'
 
@@ -423,17 +296,7 @@ spotbugs-sast:
       when: never
     - if: $SAST_DISABLED
       when: never
-    - if: $CI_COMMIT_BRANCH && $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
-      variables:
-        SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/sast"
-      exists:
-        - '**/*.groovy'
-        - '**/*.java'
-        - '**/*.scala'
-        - '**/*.kt'
     - if: $CI_COMMIT_BRANCH
-      variables:
-        SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
       exists:
         - '**/*.groovy'
         - '**/*.java'

lib/gitlab/ci/templates/Jobs/Secret-Detection.gitlab-ci.yml

@@ -5,19 +5,13 @@
 # How to set: https://docs.gitlab.com/ee/ci/yaml/#variables
 
 variables:
-  # Setting this variable will affect all Security templates
-  # (SAST, Dependency Scanning, ...)
-  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
-  # These placeholders will be removed in %15.0 with deprecation of previous registry path
-  DEFAULT_SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
-  DEPRECATED_SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
-
+  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
   SECRETS_ANALYZER_VERSION: "3"
   SECRET_DETECTION_EXCLUDED_PATHS: ""
 
 .secret-analyzer:
   stage: test
-  image: "$SECURE_ANALYZERS_PREFIX/secret-detection:$SECRETS_ANALYZER_VERSION"
+  image: "$SECURE_ANALYZERS_PREFIX/secrets:$SECRETS_ANALYZER_VERSION"
   services: []
   allow_failure: true
   variables:
@@ -33,12 +27,7 @@ secret_detection:
   rules:
     - if: $SECRET_DETECTION_DISABLED
       when: never
-    - if: $CI_COMMIT_BRANCH && $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
-      variables:
-        SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX"
     - if: $CI_COMMIT_BRANCH
-      variables:
-        SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
   script:
     - if [ -n "$CI_COMMIT_TAG" ]; then echo "Skipping Secret Detection for tags. No code changes have occurred."; exit 0; fi
     - if [ "$CI_COMMIT_BRANCH" = "$CI_DEFAULT_BRANCH" ]; then echo "Running Secret Detection on default branch."; /analyzer run; exit 0; fi

lib/gitlab/ci/templates/Security/API-Fuzzing.gitlab-ci.yml

@@ -10,8 +10,8 @@
 
 variables:
     FUZZAPI_VERSION: "1"
-    SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
-    FUZZAPI_IMAGE: "$SECURE_ANALYZERS_PREFIX/api-security:$FUZZAPI_VERSION"
+    SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
+    FUZZAPI_IMAGE: ${SECURE_ANALYZERS_PREFIX}/api-fuzzing:${FUZZAPI_VERSION}
 
 apifuzzer_fuzz:
     stage: fuzz

lib/gitlab/ci/templates/Security/API-Fuzzing.latest.gitlab-ci.yml

@@ -10,8 +10,8 @@
 
 variables:
     FUZZAPI_VERSION: "1"
-    SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
-    FUZZAPI_IMAGE: "api-security"
+    SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
+    FUZZAPI_IMAGE: api-fuzzing
 
 apifuzzer_fuzz:
     stage: fuzz

lib/gitlab/ci/templates/Security/DAST-API.gitlab-ci.yml

@@ -24,14 +24,14 @@
 variables:
   # Setting this variable affects all Security templates
   # (SAST, Dependency Scanning, ...)
-  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
+  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
   #
   DAST_API_VERSION: "1"
-  DAST_API_IMAGE: "api-security"
+  DAST_API_IMAGE: $SECURE_ANALYZERS_PREFIX/api-fuzzing:$DAST_API_VERSION
 
 dast_api:
   stage: dast
-  image: $SECURE_ANALYZERS_PREFIX/$DAST_API_IMAGE:$DAST_API_VERSION
+  image: $DAST_API_IMAGE
   allow_failure: true
   rules:
     - if: $DAST_API_DISABLED

lib/gitlab/ci/templates/Security/DAST-API.latest.gitlab-ci.yml

@@ -24,10 +24,10 @@
 variables:
   # Setting this variable affects all Security templates
   # (SAST, Dependency Scanning, ...)
-  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
+  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
   #
   DAST_API_VERSION: "1"
-  DAST_API_IMAGE: api-security
+  DAST_API_IMAGE: api-fuzzing
 
 dast_api:
   stage: dast

lib/gitlab/ci/templates/Security/DAST-On-Demand-API-Scan.gitlab-ci.yml

@@ -5,9 +5,9 @@ stages:
   - dast
 
 variables:
-  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
+  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
   DAST_API_VERSION: "1"
-  DAST_API_IMAGE: $SECURE_ANALYZERS_PREFIX/api-security:$DAST_API_VERSION
+  DAST_API_IMAGE: $SECURE_ANALYZERS_PREFIX/api-fuzzing:$DAST_API_VERSION
 
 dast:
   stage: dast

lib/gitlab/ci/templates/Security/DAST-On-Demand-Scan.gitlab-ci.yml

@@ -11,7 +11,9 @@ stages:
 
 variables:
   DAST_VERSION: 2
-  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
+  # Setting this variable will affect all Security templates
+  # (SAST, Dependency Scanning, ...)
+  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
 
 dast:
   stage: dast

lib/gitlab/ci/templates/Security/DAST.gitlab-ci.yml

@@ -25,7 +25,7 @@ variables:
   DAST_VERSION: 2
   # Setting this variable will affect all Security templates
   # (SAST, Dependency Scanning, ...)
-  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
+  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
 
 dast:
   stage: dast

lib/gitlab/ci/templates/Security/DAST.latest.gitlab-ci.yml

@@ -25,7 +25,7 @@ variables:
   DAST_VERSION: 2
   # Setting this variable will affect all Security templates
   # (SAST, Dependency Scanning, ...)
-  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
+  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
 
 dast:
   stage: dast

lib/gitlab/ci/templates/Security/Dependency-Scanning.gitlab-ci.yml

@@ -11,11 +11,7 @@
 variables:
   # Setting this variable will affect all Security templates
   # (SAST, Dependency Scanning, ...)
-  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
-  # These placeholders will be removed in %15.0 with deprecation of previous registry path, see https://gitlab.com/groups/gitlab-org/-/epics/6162
-  DEFAULT_SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
-  DEPRECATED_SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
-
+  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
   DS_DEFAULT_ANALYZERS: "bundler-audit, retire.js, gemnasium, gemnasium-maven, gemnasium-python"
   DS_EXCLUDED_ANALYZERS: ""
   DS_EXCLUDED_PATHS: "spec, test, tests, tmp"
@@ -55,27 +51,9 @@ gemnasium-dependency_scanning:
       when: never
     - if: $DS_EXCLUDED_ANALYZERS =~ /gemnasium([^-]|$)/
       when: never
-    - if: $CI_COMMIT_BRANCH &&
-          $GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
-          $DS_DEFAULT_ANALYZERS =~ /gemnasium([^-]|$)/ &&
-          $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
-      variables:
-        SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/dependency-scanning"
-      exists:
-        - '{Gemfile.lock,*/Gemfile.lock,*/*/Gemfile.lock}'
-        - '{composer.lock,*/composer.lock,*/*/composer.lock}'
-        - '{gems.locked,*/gems.locked,*/*/gems.locked}'
-        - '{go.sum,*/go.sum,*/*/go.sum}'
-        - '{npm-shrinkwrap.json,*/npm-shrinkwrap.json,*/*/npm-shrinkwrap.json}'
-        - '{package-lock.json,*/package-lock.json,*/*/package-lock.json}'
-        - '{yarn.lock,*/yarn.lock,*/*/yarn.lock}'
-        - '{packages.lock.json,*/packages.lock.json,*/*/packages.lock.json}'
-        - '{conan.lock,*/conan.lock,*/*/conan.lock}'
     - if: $CI_COMMIT_BRANCH &&
           $GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
           $DS_DEFAULT_ANALYZERS =~ /gemnasium([^-]|$)/
-      variables:
-        SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
       exists:
         - '{Gemfile.lock,*/Gemfile.lock,*/*/Gemfile.lock}'
         - '{composer.lock,*/composer.lock,*/*/composer.lock}'
@@ -104,22 +82,9 @@ gemnasium-maven-dependency_scanning:
       when: never
     - if: $DS_EXCLUDED_ANALYZERS =~ /gemnasium-maven/
       when: never
-    - if: $CI_COMMIT_BRANCH &&
-          $GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
-          $DS_DEFAULT_ANALYZERS =~ /gemnasium-maven/ &&
-          $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
-      variables:
-        SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/dependency-scanning"
-      exists:
-        - '{build.gradle,*/build.gradle,*/*/build.gradle}'
-        - '{build.gradle.kts,*/build.gradle.kts,*/*/build.gradle.kts}'
-        - '{build.sbt,*/build.sbt,*/*/build.sbt}'
-        - '{pom.xml,*/pom.xml,*/*/pom.xml}'
     - if: $CI_COMMIT_BRANCH &&
           $GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
           $DS_DEFAULT_ANALYZERS =~ /gemnasium-maven/
-      variables:
-        SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
       exists:
         - '{build.gradle,*/build.gradle,*/*/build.gradle}'
         - '{build.gradle.kts,*/build.gradle.kts,*/*/build.gradle.kts}'
@@ -143,23 +108,9 @@ gemnasium-python-dependency_scanning:
       when: never
     - if: $DS_EXCLUDED_ANALYZERS =~ /gemnasium-python/
       when: never
-    - if: $CI_COMMIT_BRANCH &&
-          $GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
-          $DS_DEFAULT_ANALYZERS =~ /gemnasium-python/ &&
-          $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
-      variables:
-        SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/dependency-scanning"
-      exists:
-        - '{requirements.txt,*/requirements.txt,*/*/requirements.txt}'
-        - '{requirements.pip,*/requirements.pip,*/*/requirements.pip}'
-        - '{Pipfile,*/Pipfile,*/*/Pipfile}'
-        - '{requires.txt,*/requires.txt,*/*/requires.txt}'
-        - '{setup.py,*/setup.py,*/*/setup.py}'
     - if: $CI_COMMIT_BRANCH &&
           $GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
           $DS_DEFAULT_ANALYZERS =~ /gemnasium-python/
-      variables:
-        SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
       exists:
         - '{requirements.txt,*/requirements.txt,*/*/requirements.txt}'
         - '{requirements.pip,*/requirements.pip,*/*/requirements.pip}'
@@ -168,19 +119,10 @@ gemnasium-python-dependency_scanning:
         - '{setup.py,*/setup.py,*/*/setup.py}'
         # Support passing of $PIP_REQUIREMENTS_FILE
         # See https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#configuring-specific-analyzers-used-by-dependency-scanning
-    - if: $CI_COMMIT_BRANCH &&
-          $GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
-          $DS_DEFAULT_ANALYZERS =~ /gemnasium-python/ &&
-          $PIP_REQUIREMENTS_FILE &&
-          $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
-      variables:
-        SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/dependency-scanning"
     - if: $CI_COMMIT_BRANCH &&
           $GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
           $DS_DEFAULT_ANALYZERS =~ /gemnasium-python/ &&
           $PIP_REQUIREMENTS_FILE
-      variables:
-        SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
 
 bundler-audit-dependency_scanning:
   extends: .ds-analyzer
@@ -196,19 +138,9 @@ bundler-audit-dependency_scanning:
       when: never
     - if: $DS_EXCLUDED_ANALYZERS =~ /bundler-audit/
       when: never
-    - if: $CI_COMMIT_BRANCH &&
-          $GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
-          $DS_DEFAULT_ANALYZERS =~ /bundler-audit/ &&
-          $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
-      variables:
-        SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/dependency-scanning"
-      exists:
-        - '{Gemfile.lock,*/Gemfile.lock,*/*/Gemfile.lock}'
     - if: $CI_COMMIT_BRANCH &&
           $GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
           $DS_DEFAULT_ANALYZERS =~ /bundler-audit/
-      variables:
-        SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
       exists:
         - '{Gemfile.lock,*/Gemfile.lock,*/*/Gemfile.lock}'
 
@@ -226,18 +158,8 @@ retire-js-dependency_scanning:
       when: never
     - if: $DS_EXCLUDED_ANALYZERS =~ /retire.js/
       when: never
-    - if: $CI_COMMIT_BRANCH &&
-          $GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
-          $DS_DEFAULT_ANALYZERS =~ /retire.js/ &&
-          $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
-      variables:
-        SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/dependency-scanning"
-      exists:
-        - '{package.json,*/package.json,*/*/package.json}'
     - if: $CI_COMMIT_BRANCH &&
           $GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
           $DS_DEFAULT_ANALYZERS =~ /retire.js/
       exists:
         - '{package.json,*/package.json,*/*/package.json}'
-      variables:
-        SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"

lib/gitlab/ci/templates/Security/License-Scanning.gitlab-ci.yml

@@ -11,7 +11,7 @@
 variables:
   # Setting this variable will affect all Security templates
   # (SAST, Dependency Scanning, ...)
-  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
+  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
 
   LICENSE_MANAGEMENT_SETUP_CMD: ''  # If needed, specify a command to setup your environment with a custom package manager.
   LICENSE_MANAGEMENT_VERSION: 3
@@ -19,7 +19,7 @@ variables:
 license_scanning:
   stage: test
   image:
-    name: "$SECURE_ANALYZERS_PREFIX/license-compliance/license-finder:$LICENSE_MANAGEMENT_VERSION"
+    name: "$SECURE_ANALYZERS_PREFIX/license-finder:$LICENSE_MANAGEMENT_VERSION"
     entrypoint: [""]
   variables:
     LM_REPORT_VERSION: '2.1'

lib/gitlab/ci/templates/Security/Secure-Binaries.gitlab-ci.yml

@@ -14,14 +14,11 @@
 # Docs: https://docs.gitlab.com/ee/topics/airgap/
 
 variables:
-  # Setting this variable will affect all Security templates
-  # (SAST, Dependency Scanning, ...)
-  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
   SECURE_BINARIES_ANALYZERS: >-
-    bandit, brakeman, gosec, spotbugs, flawfinder, phpcs-security-audit, security-code-scan, nodejs-scan, eslint, secrets, sobelow, pmd-apex, kics, kubesec, semgrep,
+    bandit, brakeman, gosec, spotbugs, flawfinder, phpcs-security-audit, security-code-scan, nodejs-scan, eslint, secrets, sobelow, pmd-apex, kubesec, semgrep,
     bundler-audit, retire.js, gemnasium, gemnasium-maven, gemnasium-python,
     license-finder,
-    dast, dast-runner-validation, api-security
+    dast, dast-runner-validation, api-fuzzing
 
   SECURE_BINARIES_DOWNLOAD_IMAGES: "true"
   SECURE_BINARIES_PUSH_IMAGES: "true"
@@ -43,7 +40,7 @@ variables:
   script:
     - docker info
     - env
-    - if [ -z "$SECURE_BINARIES_IMAGE" ]; then export SECURE_BINARIES_IMAGE=${SECURE_BINARIES_IMAGE:-"registry.gitlab.com/security-products/${CI_JOB_NAME}:${SECURE_BINARIES_ANALYZER_VERSION}"}; fi
+    - if [ -z "$SECURE_BINARIES_IMAGE" ]; then export SECURE_BINARIES_IMAGE=${SECURE_BINARIES_IMAGE:-"registry.gitlab.com/gitlab-org/security-products/analyzers/${CI_JOB_NAME}:${SECURE_BINARIES_ANALYZER_VERSION}"}; fi
     - docker pull --quiet ${SECURE_BINARIES_IMAGE}
     - mkdir -p output/$(dirname ${CI_JOB_NAME})
     - |
@@ -66,27 +63,22 @@ variables:
 # SAST jobs
 #
 
-.download_sast_images:
-  extends: .download_images
-  variables:
-    SECURE_BINARIES_IMAGE: "${SECURE_ANALYZERS_PREFIX}/sast/${CI_JOB_NAME}:${SECURE_BINARIES_ANALYZER_VERSION}"
-
 bandit:
-  extends: .download_sast_images
+  extends: .download_images
   only:
     variables:
       - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
           $SECURE_BINARIES_ANALYZERS =~ /\bbandit\b/
 
 brakeman:
-  extends: .download_sast_images
+  extends: .download_images
   only:
     variables:
       - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
           $SECURE_BINARIES_ANALYZERS =~ /\bbrakeman\b/
 
 gosec:
-  extends: .download_sast_images
+  extends: .download_images
   variables:
     SECURE_BINARIES_ANALYZER_VERSION: "3"
   only:
@@ -95,28 +87,28 @@ gosec:
           $SECURE_BINARIES_ANALYZERS =~ /\bgosec\b/
 
 spotbugs:
-  extends: .download_sast_images
+  extends: .download_images
   only:
     variables:
       - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
           $SECURE_BINARIES_ANALYZERS =~ /\bspotbugs\b/
 
 flawfinder:
-  extends: .download_sast_images
+  extends: .download_images
   only:
     variables:
       - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
           $SECURE_BINARIES_ANALYZERS =~ /\bflawfinder\b/
 
 phpcs-security-audit:
-  extends: .download_sast_images
+  extends: .download_images
   only:
     variables:
       - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
           $SECURE_BINARIES_ANALYZERS =~ /\bphpcs-security-audit\b/
 
 security-code-scan:
-  extends: .download_sast_images
+  extends: .download_images
   variables:
     SECURE_BINARIES_ANALYZER_VERSION: "3"
   only:
@@ -125,21 +117,21 @@ security-code-scan:
           $SECURE_BINARIES_ANALYZERS =~ /\bsecurity-code-scan\b/
 
 nodejs-scan:
-  extends: .download_sast_images
+  extends: .download_images
   only:
     variables:
       - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
           $SECURE_BINARIES_ANALYZERS =~ /\bnodejs-scan\b/
 
 eslint:
-  extends: .download_sast_images
+  extends: .download_images
   only:
     variables:
       - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
           $SECURE_BINARIES_ANALYZERS =~ /\beslint\b/
 
 secrets:
-  extends: .download_sast_images
+  extends: .download_images
   only:
     variables:
       - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
@@ -148,28 +140,28 @@ secrets:
     SECURE_BINARIES_ANALYZER_VERSION: "3"
 
 semgrep:
-  extends: .download_sast_images
+  extends: .download_images
   only:
     variables:
       - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
           $SECURE_BINARIES_ANALYZERS =~ /\bsemgrep\b/
 
 sobelow:
-  extends: .download_sast_images
+  extends: .download_images
   only:
     variables:
       - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
           $SECURE_BINARIES_ANALYZERS =~ /\bsobelow\b/
 
 pmd-apex:
-  extends: .download_sast_images
+  extends: .download_images
   only:
     variables:
       - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
           $SECURE_BINARIES_ANALYZERS =~ /\bsecrets\b/
 
 kubesec:
-  extends: .download_sast_images
+  extends: .download_images
   only:
     variables:
       - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
@@ -179,41 +171,36 @@ kubesec:
 # Dependency Scanning jobs
 #
 
-.download_ds_images:
-  extends: .download_images
-  variables:
-    SECURE_BINARIES_IMAGE: "${SECURE_ANALYZERS_PREFIX}/dependency-scanning/${CI_JOB_NAME}:${SECURE_BINARIES_ANALYZER_VERSION}"
-
 bundler-audit:
-  extends: .download_ds_images
+  extends: .download_images
   only:
     variables:
       - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
           $SECURE_BINARIES_ANALYZERS =~ /\bbundler-audit\b/
 
 retire.js:
-  extends: .download_ds_images
+  extends: .download_images
   only:
     variables:
       - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
           $SECURE_BINARIES_ANALYZERS =~ /\bretire\.js\b/
 
 gemnasium:
-  extends: .download_ds_images
+  extends: .download_images
   only:
     variables:
       - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
           $SECURE_BINARIES_ANALYZERS =~ /\bgemnasium\b/
 
 gemnasium-maven:
-  extends: .download_ds_images
+  extends: .download_images
   only:
     variables:
       - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
           $SECURE_BINARIES_ANALYZERS =~ /\bgemnasium-maven\b/
 
 gemnasium-python:
-  extends: .download_ds_images
+  extends: .download_images
   only:
     variables:
       - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
@@ -226,7 +213,6 @@ gemnasium-python:
 license-finder:
   extends: .download_images
   variables:
-    SECURE_BINARIES_IMAGE: "${SECURE_ANALYZERS_PREFIX}/license-compliance/${CI_JOB_NAME}:${SECURE_BINARIES_ANALYZER_VERSION}"
     SECURE_BINARIES_ANALYZER_VERSION: "3"
   only:
     variables:
@@ -237,13 +223,8 @@ license-finder:
 # DAST
 #
 
-.download_dast_images:
-  extends: .download_images
-  variables:
-    SECURE_BINARIES_IMAGE: "${SECURE_ANALYZERS_PREFIX}/${CI_JOB_NAME}:${SECURE_BINARIES_ANALYZER_VERSION}"
-
 dast:
-  extends: .download_dast_images
+  extends: .download_images
   variables:
     SECURE_BINARIES_ANALYZER_VERSION: "2"
   only:
@@ -252,19 +233,20 @@ dast:
           $SECURE_BINARIES_ANALYZERS =~ /\bdast\b/
 
 dast-runner-validation:
-  extends: .download_dast_images
+  extends: .download_images
   variables:
     SECURE_BINARIES_ANALYZER_VERSION: "1"
+    SECURE_BINARIES_IMAGE: "registry.gitlab.com/security-products/${CI_JOB_NAME}:${SECURE_BINARIES_ANALYZER_VERSION}"
   only:
     variables:
       - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
           $SECURE_BINARIES_ANALYZERS =~ /\bdast-runner-validation\b/
 
-api-security:
-  extends: .download_dast_images
+api-fuzzing:
+  extends: .download_images
   variables:
     SECURE_BINARIES_ANALYZER_VERSION: "1"
   only:
     variables:
       - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
-          $SECURE_BINARIES_ANALYZERS =~ /\bapi-security\b/
+          $SECURE_BINARIES_ANALYZERS =~ /\bapi-fuzzing\b/

spec/lib/security/ci_configuration/sast_build_action_spec.rb

@@ -6,7 +6,7 @@ RSpec.describe Security::CiConfiguration::SastBuildAction do
   let(:default_sast_values) do
     { 'global' =>
       [
-        { 'field' => 'SECURE_ANALYZERS_PREFIX', 'defaultValue' => 'registry.gitlab.com/security-products', 'value' => 'registry.gitlab.com/security-products' }
+        { 'field' => 'SECURE_ANALYZERS_PREFIX', 'defaultValue' => 'registry.gitlab.com/gitlab-org/security-products/analyzers', 'value' => 'registry.gitlab.com/gitlab-org/security-products/analyzers' }
       ],
       'pipeline' =>
       [
@@ -19,7 +19,7 @@ RSpec.describe Security::CiConfiguration::SastBuildAction do
   let(:params) do
     { 'global' =>
       [
-        { 'field' => 'SECURE_ANALYZERS_PREFIX', 'defaultValue' => 'registry.gitlab.com/security-products', 'value' => 'new_registry' }
+        { 'field' => 'SECURE_ANALYZERS_PREFIX', 'defaultValue' => 'registry.gitlab.com/gitlab-org/security-products/analyzers', 'value' => 'new_registry' }
       ],
       'pipeline' =>
       [
@@ -164,7 +164,7 @@ RSpec.describe Security::CiConfiguration::SastBuildAction do
       let(:params) do
         { 'global' =>
           [
-            { 'field' => 'SECURE_ANALYZERS_PREFIX', 'defaultValue' => 'registry.gitlab.com/security-products', 'value' => 'registry.gitlab.com/security-products' }
+            { 'field' => 'SECURE_ANALYZERS_PREFIX', 'defaultValue' => 'registry.gitlab.com/gitlab-org/security-products/analyzers', 'value' => 'registry.gitlab.com/gitlab-org/security-products/analyzers' }
           ],
           'pipeline' =>
           [
@@ -219,21 +219,21 @@ RSpec.describe Security::CiConfiguration::SastBuildAction do
 
     def existing_gitlab_ci_and_template_array_without_sast
       { "stages" => %w(test security),
-       "variables" => { "RANDOM" => "make sure this persists", "SECURE_ANALYZERS_PREFIX" => "localhost:5000" },
+       "variables" => { "RANDOM" => "make sure this persists", "SECURE_ANALYZERS_PREFIX" => "localhost:5000/analyzers" },
        "sast" => { "variables" => { "SEARCH_MAX_DEPTH" => 1 }, "stage" => "security" },
        "include" => [{ "template" => "existing.yml" }] }
     end
 
     def existing_gitlab_ci_and_single_template_with_sast_and_default_stage
       { "stages" => %w(test),
-       "variables" => { "SECURE_ANALYZERS_PREFIX" => "localhost:5000" },
+       "variables" => { "SECURE_ANALYZERS_PREFIX" => "localhost:5000/analyzers" },
        "sast" => { "variables" => { "SEARCH_MAX_DEPTH" => 1 }, "stage" => "test" },
        "include" => { "template" => "Security/SAST.gitlab-ci.yml" } }
     end
 
     def existing_gitlab_ci_and_single_template_without_sast
       { "stages" => %w(test security),
-       "variables" => { "RANDOM" => "make sure this persists", "SECURE_ANALYZERS_PREFIX" => "localhost:5000" },
+       "variables" => { "RANDOM" => "make sure this persists", "SECURE_ANALYZERS_PREFIX" => "localhost:5000/analyzers" },
        "sast" => { "variables" => { "SEARCH_MAX_DEPTH" => 1 }, "stage" => "security" },
        "include" => { "template" => "existing.yml" } }
     end
@@ -246,13 +246,13 @@ RSpec.describe Security::CiConfiguration::SastBuildAction do
 
     def existing_gitlab_ci_with_no_sast_section
       { "stages" => %w(test security),
-       "variables" => { "RANDOM" => "make sure this persists", "SECURE_ANALYZERS_PREFIX" => "localhost:5000" },
+       "variables" => { "RANDOM" => "make sure this persists", "SECURE_ANALYZERS_PREFIX" => "localhost:5000/analyzers" },
        "include" => [{ "template" => "Security/SAST.gitlab-ci.yml" }] }
     end
 
     def existing_gitlab_ci_with_no_sast_variables
       { "stages" => %w(test security),
-       "variables" => { "RANDOM" => "make sure this persists", "SECURE_ANALYZERS_PREFIX" => "localhost:5000" },
+       "variables" => { "RANDOM" => "make sure this persists", "SECURE_ANALYZERS_PREFIX" => "localhost:5000/analyzers" },
        "sast" => { "stage" => "security" },
        "include" => [{ "template" => "Security/SAST.gitlab-ci.yml" }] }
     end
@@ -275,7 +275,7 @@ RSpec.describe Security::CiConfiguration::SastBuildAction do
         let(:params) do
           { 'global' =>
             [
-              { 'field' => 'SECURE_ANALYZERS_PREFIX', 'defaultValue' => 'registry.gitlab.com/security-products', 'value' => '' }
+              { 'field' => 'SECURE_ANALYZERS_PREFIX', 'defaultValue' => 'registry.gitlab.com/gitlab-org/security-products/analyzers', 'value' => '' }
             ] }
         end
 

spec/services/ci/create_pipeline_service/parameter_content_spec.rb

@@ -15,7 +15,7 @@ RSpec.describe Ci::CreatePipelineService do
 
       variables:
         DAST_VERSION: 1
-        SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
+        SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
 
       dast:
         stage: dast

spec/support/helpers/ci/template_helpers.rb

@@ -3,7 +3,7 @@
 module Ci
   module TemplateHelpers
     def secure_analyzers_prefix
-      'registry.gitlab.com/security-products'
+      'registry.gitlab.com/gitlab-org/security-products/analyzers'
     end
   end
 end

spec/support/shared_examples/lib/gitlab/ci/templates/security_templates_shared_examples.rb

-# frozen_string_literal: true
-
-require 'spec_helper'
-
-RSpec.shared_examples 'setting sec analyzer prefix dynamically' do |builds: [], files: { 'README.md' => '' }, variables: {}, namespace: ''|
-  using RSpec::Parameterized::TableSyntax
-
-  let(:default_analyzer_prefix) { 'registry.gitlab.com/security-products' }
-
-  where(:builds, :files, :analyzer_prefix, :expected_prefix) do
-    builds | files | nil                     | "$DEFAULT_SECURE_ANALYZERS_PREFIX#{namespace.present? ? "/#{namespace}" : nil}"
-    builds | files | 'registry.example.com'  | 'registry.example.com'
-  end
-
-  with_them do
-    before do
-      if analyzer_prefix
-        if analyzer_prefix != default_analyzer_prefix
-          create(:ci_variable, project: project, key: 'SECURE_ANALYZERS_PREFIX', value: analyzer_prefix)
-        end
-      end
-
-      variables.each do |(key, value)|
-        create(:ci_variable, project: project, key: key, value: value)
-      end
-    end
-
-    it 'creates a build with the expected tag' do
-      expect(build_names).to include(*builds)
-
-      prefixes = pipeline.builds.map { |build| build.variables["SECURE_ANALYZERS_PREFIX"].value }
-      expect(prefixes.uniq).to match_array(expected_prefix)
-    end
-  end
-end