Merge branch '358742-update-security-policy-to-include-support-for-fips-mode' into 'master'

Update Security Policy to use FIPS images when FIPS Mode is enabled

See merge request gitlab-org/gitlab!85150

ee/app/services/security/security_orchestration_policies/ci_configuration_service.rb

@@ -45,6 +45,23 @@ module Security
         ci_configuration[template.to_sym]
           .deep_merge(variables: ci_configuration[:variables].deep_merge(ci_variables).compact)
           .except(:rules)
+          .merge(fips_mode_default_rules(template))
+      end
+
+      def fips_mode_default_rules(template)
+        return {} if template != 'container_scanning'
+
+        {
+          rules: [
+            {
+              if: '$CI_GITLAB_FIPS_MODE == "true" && $CS_ANALYZER_IMAGE !~ /-(fips|ubi)\z/',
+              variables: { CS_IMAGE_SUFFIX: '-fips' }
+            },
+            {
+              when: 'always'
+            }
+          ]
+        }
       end
 
       def child_pipeline_configuration(template, ci_variables)

ee/spec/services/security/security_orchestration_policies/ci_configuration_service_spec.rb

@@ -104,7 +104,16 @@ RSpec.describe Security::SecurityOrchestrationPolicies::CiConfigurationService d
             variables: {
               CS_ANALYZER_IMAGE: "#{Gitlab::Saas.registry_prefix}/security-products/container-scanning:4",
               GIT_STRATEGY: 'none'
+            },
+            rules: [
+              {
+                if: '$CI_GITLAB_FIPS_MODE == "true" && $CS_ANALYZER_IMAGE !~ /-(fips|ubi)\z/',
+                variables: { CS_IMAGE_SUFFIX: '-fips' }
+              },
+              {
+                when: 'always'
               }
+            ]
           }
 
           expect(subject.deep_symbolize_keys).to eq(expected_configuration)