Add the global var SECURE_ANALYZERS_PREFIX

This variable helps to setup all Security Products with a single variable. It has numerous advantages over the previous version: - The var can be set up in `.gitlab-ci.yml` or in the UI - That means users can define it at the group level directly if needed - It flattens the paths used (sometimes it was with /analyzers/, sometimes not) - A single variable can now define all the base paths at once This change is especially useful for air-gapped environments, where all the images are generally duplicated locally. Having different prefixes is creating a lot of plumbing just to get started. Note that we need to create registry.gitlab.com/gitlab-org/security-products/secure-bundle before merging this. refs gitlab-org/gitlab#209258 and gitlab-org/gitlab#209846

Add the global var SECURE_ANALYZERS_PREFIX
This variable helps to setup all Security Products with a single variable. It has numerous advantages over the previous version: - The var can be set up in `.gitlab-ci.yml` or in the UI - That means users can define it at the group level directly if needed - It flattens the paths used (sometimes it was with /analyzers/, sometimes not) - A single variable can now define all the base paths at once This change is especially useful for air-gapped environments, where all the images are generally duplicated locally. Having different prefixes is creating a lot of plumbing just to get started. Note that we need to create registry.gitlab.com/gitlab-org/security-products/secure-bundle before merging this. refs gitlab-org/gitlab#209258 and gitlab-org/gitlab#209846
e5da8442 · Philippe Lafoucrière · Douglas Barbosa Alexandre · 17872da7 · e5da8442 · e5da8442
Commit e5da8442 authored May 11, 2020 by Philippe Lafoucrière Committed by Douglas Barbosa Alexandre May 11, 2020
15 changed files
--- a/changelogs/unreleased/28617-add-global-sec-prefix.yml
+++ b/changelogs/unreleased/28617-add-global-sec-prefix.yml
+---
+title: Add the global var SECURE_ANALYZERS_PREFIX
+merge_request: 28617
+author:
+type: added
--- a/doc/user/application_security/container_scanning/index.md
+++ b/doc/user/application_security/container_scanning/index.md
@@ -169,6 +169,7 @@ using environment variables.
 | Environment Variable           | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | Default                                                                                                         |
 | ------                         | ------                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | ------                                                                                                          |
+| `SECURE_ANALYZERS_PREFIX`      | Set the Docker registry base address from which to download the analyzer. | `"registry.gitlab.com/gitlab-org/security-products/analyzers"` |
 | `KLAR_TRACE`                   | Set to true to enable more verbose output from klar.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | `"false"`                                                                                                       |
 | `CLAIR_TRACE`                  | Set to true to enable more verbose output from the clair server process.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           | `"false"`                                                                                   |
 | `DOCKER_USER`                  | Username for accessing a Docker registry requiring authentication.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | `$CI_REGISTRY_USER`                                                                                             |
@@ -183,7 +184,7 @@ using environment variables.
 | `CLAIR_DB_IMAGE`               | The Docker image name and tag for the [PostgreSQL server hosting the vulnerabilities definitions](https://hub.docker.com/r/arminc/clair-db). It can be useful to override this value with a specific version, for example, to provide a consistent set of vulnerabilities for integration testing purposes, or to refer to a locally hosted vulnerabilities database for an on-premise offline installation.                                                                                                                                                                                                                                                                                                                                                                      | `arminc/clair-db:latest`                                                                                        |
 | `CLAIR_DB_IMAGE_TAG`           | (**DEPRECATED - use `CLAIR_DB_IMAGE` instead**) The Docker image tag for the [PostgreSQL server hosting the vulnerabilities definitions](https://hub.docker.com/r/arminc/clair-db). It can be useful to override this value with a specific version, for example, to provide a consistent set of vulnerabilities for integration testing purposes.                                                                                                                                                                                                                                                                                                                                                                                                                                   | `latest`                                                                                                        |
 | `DOCKERFILE_PATH`              | The path to the `Dockerfile` to be used for generating remediations. By default, the scanner will look for a file named `Dockerfile` in the root directory of the project, so this variable should only be configured if your `Dockerfile` is in a non-standard location, such as a subdirectory. See [Solutions for vulnerabilities](#solutions-for-vulnerabilities-auto-remediation) for more details.                                                                                                                                                                                                                                                                                                                                                                          | `Dockerfile`                                                                                                    |
-| `ADDITIONAL_CA_CERT_BUNDLE`   | Bundle of CA certs that you want to trust. | "" |
+| `ADDITIONAL_CA_CERT_BUNDLE`    | Bundle of CA certs that you want to trust. | "" |
 ### Overriding the Container Scanning template

--- a/doc/user/application_security/dast/index.md
+++ b/doc/user/application_security/dast/index.md
@@ -438,7 +438,8 @@ don't forget to add `stage: dast` when you override the template job definition.
 DAST can be [configured](#customizing-the-dast-settings) using environment variables.
 | Environment variable        | Required   | Description                                                                    |
-|-----------------------------| ----------|--------------------------------------------------------------------------------|
+|-----------------------------| -----------|--------------------------------------------------------------------------------|
+| `SECURE_ANALYZERS_PREFIX`   | no         | Set the Docker registry base address from which to download the analyzer.            |
 | `DAST_WEBSITE`  | no| The URL of the website to scan. `DAST_API_SPECIFICATION` must be specified if this is omitted. |
 | `DAST_API_SPECIFICATION`  | no | The API specification to import. `DAST_WEBSITE` must be specified if this is omitted. |
 | `DAST_AUTH_URL` | no | The authentication URL of the website to scan. Not supported for API scans. |
@@ -563,6 +564,8 @@ dast:
 The DAST job should now use local copies of the DAST analyzers to scan your code and generate
 security reports without requiring internet access.
+Alternatively, you can use the variable `SECURE_ANALYZERS_PREFIX` to override the base registry address of the `dast` image.
 ## Reports
 The DAST job can emit various reports.

--- a/doc/user/application_security/dependency_scanning/analyzers.md
+++ b/doc/user/application_security/dependency_scanning/analyzers.md
@@ -43,7 +43,7 @@ include:
  template: Dependency-Scanning.gitlab-ci.yml
 variables:
-  DS_ANALYZER_IMAGE_PREFIX: my-docker-registry/gl-images
+  SECURE_ANALYZERS_PREFIX: my-docker-registry/gl-images
 ```
 This configuration requires that your custom registry provides images for all

--- a/doc/user/application_security/dependency_scanning/index.md
+++ b/doc/user/application_security/dependency_scanning/index.md
@@ -140,7 +140,8 @@ The following variables allow configuration of global dependency scanning settin
 | Environment variable                    | Description |
 | --------------------------------------- |------------ |
-| `DS_ANALYZER_IMAGE_PREFIX`              | Override the name of the Docker registry providing the official default images (proxy). Read more about [customizing analyzers](analyzers.md). |
+| `SECURE_ANALYZERS_PREFIX`               | Override the name of the Docker registry providing the official default images (proxy). Read more about [customizing analyzers](analyzers.md). |
+| `DS_ANALYZER_IMAGE_PREFIX`              | **DEPRECATED:** Use `SECURE_ANALYZERS_PREFIX` instead. |
 | `DS_DEFAULT_ANALYZERS`                  | Override the names of the official default images. Read more about [customizing analyzers](analyzers.md). |
 | `DS_DISABLE_DIND`                       | Disable Docker-in-Docker and run analyzers [individually](#disabling-docker-in-docker-for-dependency-scanning).|
 | `ADDITIONAL_CA_CERT_BUNDLE`             | Bundle of CA certs to trust. |
@@ -168,7 +169,7 @@ The following variables are used for configuring specific analyzers (used for a
 | `GEMNASIUM_DB_LOCAL_PATH`               | `gemnasium`        | `/gemnasium-db`              | Path to local Gemnasium database. |
 | `GEMNASIUM_DB_REMOTE_URL`               | `gemnasium`        | `https://gitlab.com/gitlab-org/security-products/gemnasium-db.git` | Repository URL for fetching the Gemnasium database. |
 | `GEMNASIUM_DB_REF_NAME`                 | `gemnasium`        | `master`                     | Branch name for remote repository database. `GEMNASIUM_DB_REMOTE_URL` is required. |
-| `DS_REMEDIATE`                          | `gemnasium`        | `"true"`                       | Enable automatic remediation of vulnerable dependencies.  |
+| `DS_REMEDIATE`                          | `gemnasium`        | `"true"`                     | Enable automatic remediation of vulnerable dependencies.  |
 | `PIP_INDEX_URL`                         | `gemnasium-python` | `https://pypi.org/simple`    | Base URL of Python Package Index. |
 | `PIP_EXTRA_INDEX_URL`                   | `gemnasium-python` |                              | Array of [extra URLs](https://pip.pypa.io/en/stable/reference/pip_install/#cmdoption-extra-index-url) of package indexes to use in addition to `PIP_INDEX_URL`. Comma-separated. |
 | `PIP_REQUIREMENTS_FILE`                 | `gemnasium-python` |                              | Pip requirements file to be scanned. |
@@ -176,9 +177,9 @@ The following variables are used for configuring specific analyzers (used for a
 | `DS_PIP_DEPENDENCY_PATH`                | `gemnasium-python` |                              | Path to load Python pip dependencies from. ([Introduced](https://gitlab.com/gitlab-org/gitlab/issues/12412) in GitLab 12.2) |
 | `DS_PYTHON_VERSION`                     | `retire.js`        |                              | Version of Python. If set to 2, dependencies are installed using Python 2.7 instead of Python 3.6. ([Introduced](https://gitlab.com/gitlab-org/gitlab/issues/12296) in GitLab 12.1)|
 | `MAVEN_CLI_OPTS`                        | `gemnasium-maven`  | `"-DskipTests --batch-mode"` | List of command line arguments that will be passed to `maven` by the analyzer. See an example for [using private repositories](../index.md#using-private-maven-repos). |
-| `GRADLE_CLI_OPTS`                        | `gemnasium-maven`  | | List of command line arguments that will be passed to `gradle` by the analyzer. |
+| `GRADLE_CLI_OPTS`                       | `gemnasium-maven`  |                              | List of command line arguments that will be passed to `gradle` by the analyzer. |
-| `SBT_CLI_OPTS`                        | `gemnasium-maven`  | | List of command-line arguments that the analyzer will pass to `sbt`. |
+| `SBT_CLI_OPTS`                          | `gemnasium-maven`  |                              | List of command-line arguments that the analyzer will pass to `sbt`. |
-| `BUNDLER_AUDIT_UPDATE_DISABLED`         | `bundler-audit`    | `"false"`                      | Disable automatic updates for the `bundler-audit` analyzer. Useful if you're running Dependency Scanning in an offline, air-gapped environment.|
+| `BUNDLER_AUDIT_UPDATE_DISABLED`         | `bundler-audit`    | `"false"`                    | Disable automatic updates for the `bundler-audit` analyzer. Useful if you're running Dependency Scanning in an offline, air-gapped environment.|
 | `BUNDLER_AUDIT_ADVISORY_DB_URL`         | `bundler-audit`    | `https://github.com/rubysec/ruby-advisory-db` | URL of the advisory database used by bundler-audit. |
 | `BUNDLER_AUDIT_ADVISORY_DB_REF_NAME`    | `bundler-audit`    | `master`                     | Git ref for the advisory database specified by `BUNDLER_AUDIT_ADVISORY_DB_URL`. |
 | `RETIREJS_JS_ADVISORY_DB`               | `retire.js`        | `https://raw.githubusercontent.com/RetireJS/retire.js/master/repository/jsrepository.json` | Path or URL to `retire.js` JS vulnerability data file. Note that if the URL hosting the data file uses a custom SSL certificate, for example in an offline installation, you can pass the certificate in the `ADDITIONAL_CA_CERT_BUNDLE` environment variable. |

--- a/doc/user/application_security/index.md
+++ b/doc/user/application_security/index.md
@@ -44,6 +44,12 @@ To add Container Scanning, follow the steps listed in the [Container Scanning do
 To further configure any of the other scanners, refer to each scanner's documentation.
+### Override the default registry base address
+By default, GitLab security scanners use `registry.gitlab.com/gitlab-org/security-products/analyzers` as the
+base address for Docker images. You can override this globally by setting the variable
+`SECURE_ANALYZERS_PREFIX` to another location. Note that this affects all scanners at once.
 ## Security scanning tools
 GitLab uses the following tools to scan and report known vulnerabilities found in your project.

--- a/doc/user/application_security/sast/analyzers.md
+++ b/doc/user/application_security/sast/analyzers.md
@@ -52,7 +52,7 @@ include:
  - template: SAST.gitlab-ci.yml
 variables:
-  SAST_ANALYZER_IMAGE_PREFIX: my-docker-registry/gl-images
+  SECURE_ANALYZERS_PREFIX: my-docker-registry/gl-images
 ```
 This configuration requires that your custom registry provides images for all

--- a/doc/user/application_security/sast/index.md
+++ b/doc/user/application_security/sast/index.md
@@ -293,8 +293,9 @@ The following are Docker image-related variables.
 | Environment variable         | Description                                                                                                                                                                                                              |
 |------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `SAST_ANALYZER_IMAGE_PREFIX` | Override the name of the Docker registry providing the default images (proxy). Read more about [customizing analyzers](analyzers.md).                                                                                    |
+| `SECURE_ANALYZERS_PREFIX`    | Override the name of the Docker registry providing the default images (proxy). Read more about [customizing analyzers](analyzers.md).                                                                                    |
-| `SAST_ANALYZER_IMAGE_TAG`    | **DEPRECATED:** Override the Docker tag of the default images. Read more about [customizing analyzers](analyzers.md).                                                                                                                    |
+| `SAST_ANALYZER_IMAGE_PREFIX` | **DEPRECATED**: Use `SECURE_ANALYZERS_PREFIX` instead.                                                                                                                                                                       |
+| `SAST_ANALYZER_IMAGE_TAG`    | **DEPRECATED:** Override the Docker tag of the default images. Read more about [customizing analyzers](analyzers.md).                                                                                                        |
 | `SAST_DEFAULT_ANALYZERS`     | Override the names of default images. Read more about [customizing analyzers](analyzers.md).                                                                                                                             |
 | `SAST_DISABLE_DIND`          | Disable Docker in Docker and run analyzers [individually](#disabling-docker-in-docker-for-sast).                                                                                                                         |
@@ -575,7 +576,7 @@ include:
  - template: SAST.gitlab-ci.yml
 variables:
-  SAST_ANALYZER_IMAGE_PREFIX: "localhost:5000/analyzers"
+  SECURE_ANALYZERS_PREFIX: "localhost:5000/analyzers"
  SAST_DISABLE_DIND: "true"
  ```

--- a/doc/user/compliance/license_compliance/index.md
+++ b/doc/user/compliance/license_compliance/index.md
@@ -133,16 +133,17 @@ The License Compliance settings can be changed through [environment variables](#
 License Compliance can be configured using environment variables.
-| Environment variable  | Required | Description |
+| Environment variable        | Required | Description |
-|-----------------------|----------|-------------|
+|-----------------------------|----------|-------------|
-| `ADDITIONAL_CA_CERT_BUNDLE` | no | Bundle of trusted CA certificates (currently supported in Pip, Pipenv, Maven, Gradle, and NPM projects). |
+| `SECURE_ANALYZERS_PREFIX`   | no       | Set the Docker registry base address to download the analyzer from. |
-| `GRADLE_CLI_OPTS` | no | Additional arguments for the gradle executable. If not supplied, defaults to `--exclude-task=test`. |
+| `ADDITIONAL_CA_CERT_BUNDLE` | no       | Bundle of trusted CA certificates (currently supported in Pip, Pipenv, Maven, Gradle, and NPM projects). |
-| `LICENSE_FINDER_CLI_OPTS` | no | Additional arguments for the `license_finder` executable. For example, if your project has both Golang and Ruby code stored in different directories and you want to only scan the Ruby code, you can update your `.gitlab-ci-yml` template to specify which project directories to scan, like `LICENSE_FINDER_CLI_OPTS: '--debug --aggregate-paths=. ruby'`. |
+| `GRADLE_CLI_OPTS`           | no       | Additional arguments for the gradle executable. If not supplied, defaults to `--exclude-task=test`. |
-| `LM_JAVA_VERSION`      | no | Version of Java. If set to `11`, Maven and Gradle use Java 11 instead of Java 8. |
+| `LICENSE_FINDER_CLI_OPTS`   | no       | Additional arguments for the `license_finder` executable. For example, if your project has both Golang and Ruby code stored in different directories and you want to only scan the Ruby code, you can update your `.gitlab-ci-yml` template to specify which project directories to scan, like `LICENSE_FINDER_CLI_OPTS: '--debug --aggregate-paths=. ruby'`. |
-| `LM_PYTHON_VERSION`    | no | Version of Python. If set to `3`, dependencies are installed using Python 3 instead of Python 2.7. |
+| `LM_JAVA_VERSION`           | no       | Version of Java. If set to `11`, Maven and Gradle use Java 11 instead of Java 8. |
-| `MAVEN_CLI_OPTS`       | no | Additional arguments for the mvn executable. If not supplied, defaults to `-DskipTests`. |
+| `LM_PYTHON_VERSION`         | no       | Version of Python. If set to `3`, dependencies are installed using Python 3 instead of Python 2.7. |
-| `PIP_INDEX_URL` | no | Base URL of Python Package Index (default: `https://pypi.org/simple/`). |
+| `MAVEN_CLI_OPTS`            | no       | Additional arguments for the mvn executable. If not supplied, defaults to `-DskipTests`. |
-| `SETUP_CMD`            | no | Custom setup for the dependency installation (experimental). |
+| `PIP_INDEX_URL`             | no       | Base URL of Python Package Index (default: `https://pypi.org/simple/`). |
+| `SETUP_CMD`                 | no       | Custom setup for the dependency installation (experimental). |
 ### Installing custom dependencies

--- a/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml
 # Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/container_scanning/
 variables:
+  # Setting this variable will affect all Security templates
+  # (SAST, Dependency Scanning, ...)
+  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
  CS_MAJOR_VERSION: 2
 container_scanning:
  stage: test
-  image: registry.gitlab.com/gitlab-org/security-products/analyzers/klar:$CS_MAJOR_VERSION
+  image: $SECURE_ANALYZERS_PREFIX/klar:$CS_MAJOR_VERSION
  variables:
    # By default, use the latest clair vulnerabilities database, however, allow it to be overridden here with a specific image
    # to enable container scanning to run offline, or to provide a consistent list of vulnerabilities for integration testing purposes
    CLAIR_DB_IMAGE_TAG: "latest"
-    CLAIR_DB_IMAGE: "arminc/clair-db:$CLAIR_DB_IMAGE_TAG"
+    CLAIR_DB_IMAGE: "$SECURE_ANALYZERS_PREFIX/clair-vulnerabilities-db:$CLAIR_DB_IMAGE_TAG"
    # Override the GIT_STRATEGY variable in your `.gitlab-ci.yml` file and set it to `fetch` if you want to provide a `clair-whitelist.yml`
    # file. See https://docs.gitlab.com/ee/user/application_security/container_scanning/index.html#overriding-the-container-scanning-template
    # for details

--- a/lib/gitlab/ci/templates/Security/DAST.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Security/DAST.gitlab-ci.yml
@@ -12,11 +12,14 @@ stages:
 variables:
  DAST_VERSION: 1
+  # Setting this variable will affect all Security templates
+  # (SAST, Dependency Scanning, ...)
+  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
 dast:
  stage: dast
  image:
-    name: "registry.gitlab.com/gitlab-org/security-products/dast:$DAST_VERSION"
+    name: "$SECURE_ANALYZERS_PREFIX/dast:$DAST_VERSION"
  variables:
    GIT_STRATEGY: none
  allow_failure: true

--- a/lib/gitlab/ci/templates/Security/Dependency-Scanning.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Security/Dependency-Scanning.gitlab-ci.yml
@@ -5,8 +5,13 @@
 # How to set: https://docs.gitlab.com/ee/ci/yaml/#variables
 variables:
-  SECURITY_SCANNER_IMAGE_PREFIX: "registry.gitlab.com/gitlab-org/security-products"
+  # Setting this variable will affect all Security templates
-  DS_ANALYZER_IMAGE_PREFIX: "$SECURITY_SCANNER_IMAGE_PREFIX/analyzers"
+  # (SAST, Dependency Scanning, ...)
+  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
+  # Deprecated, use SECURE_ANALYZERS_PREFIX instead
+  DS_ANALYZER_IMAGE_PREFIX: "$SECURE_ANALYZERS_PREFIX"
  DS_DEFAULT_ANALYZERS: "bundler-audit, retire.js, gemnasium, gemnasium-maven, gemnasium-python"
  DS_MAJOR_VERSION: 2
  DS_DISABLE_DIND: "false"
@@ -67,7 +72,7 @@ dependency_scanning:
        ) \
        --volume "$PWD:/code" \
        --volume /var/run/docker.sock:/var/run/docker.sock \
-        "$SECURITY_SCANNER_IMAGE_PREFIX/dependency-scanning:$DS_MAJOR_VERSION" /code
+        "registry.gitlab.com/gitlab-org/security-products/dependency-scanning:$DS_MAJOR_VERSION" /code
  artifacts:
    reports:
      dependency_scanning: gl-dependency-scanning-report.json

--- a/lib/gitlab/ci/templates/Security/License-Scanning.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Security/License-Scanning.gitlab-ci.yml
@@ -5,13 +5,17 @@
 # How to set: https://docs.gitlab.com/ee/ci/yaml/#variables
 variables:
+  # Setting this variable will affect all Security templates
+  # (SAST, Dependency Scanning, ...)
+  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
  LICENSE_MANAGEMENT_SETUP_CMD: ''  # If needed, specify a command to setup your environment with a custom package manager.
  LICENSE_MANAGEMENT_VERSION: 3
 license_scanning:
  stage: test
  image:
-    name: "registry.gitlab.com/gitlab-org/security-products/license-management:$LICENSE_MANAGEMENT_VERSION"
+    name: "$SECURE_ANALYZERS_PREFIX/license-finder:$LICENSE_MANAGEMENT_VERSION"
    entrypoint: [""]
  variables:
    LM_REPORT_FILE: gl-license-scanning-report.json

--- a/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml
@@ -5,7 +5,13 @@
 # How to set: https://docs.gitlab.com/ee/ci/yaml/#variables
 variables:
-  SAST_ANALYZER_IMAGE_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
+  # Setting this variable will affect all Security templates
+  # (SAST, Dependency Scanning, ...)
+  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
+  # Deprecated, use SECURE_ANALYZERS_PREFIX instead
+  SAST_ANALYZER_IMAGE_PREFIX: "$SECURE_ANALYZERS_PREFIX"
  SAST_DEFAULT_ANALYZERS: "bandit, brakeman, gosec, spotbugs, flawfinder, phpcs-security-audit, security-code-scan, nodejs-scan, eslint, tslint, secrets, sobelow, pmd-apex, kubesec"
  SAST_ANALYZER_IMAGE_TAG: 2
  SAST_DISABLE_DIND: "false"

--- a/lib/gitlab/ci/templates/Security/Secure-Binaries.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Security/Secure-Binaries.gitlab-ci.yml
@@ -16,7 +16,7 @@ variables:
    bandit, brakeman, gosec, spotbugs, flawfinder, phpcs-security-audit, security-code-scan, nodejs-scan, eslint, tslint, secrets, sobelow, pmd-apex, kubesec,
    bundler-audit, retire.js, gemnasium, gemnasium-maven, gemnasium-python,
    klar, clair-vulnerabilities-db,
-    license-management,
+    license-finder,
    dast
  SECURE_BINARIES_DOWNLOAD_IMAGES: "true"
@@ -39,7 +39,7 @@ variables:
  script:
    - docker info
    - env
-    - if [ -z "$SECURE_BINARIES_IMAGE" ]; then export SECURE_BINARIES_IMAGE=${SECURE_BINARIES_IMAGE:-"registry.gitlab.com/gitlab-org/security-products/${CI_JOB_NAME}:${SECURE_BINARIES_ANALYZER_VERSION}"}; fi
+    - if [ -z "$SECURE_BINARIES_IMAGE" ]; then export SECURE_BINARIES_IMAGE=${SECURE_BINARIES_IMAGE:-"registry.gitlab.com/gitlab-org/security-products/analyzers/${CI_JOB_NAME}:${SECURE_BINARIES_ANALYZER_VERSION}"}; fi
    - docker pull ${SECURE_BINARIES_IMAGE}
    - mkdir -p output/$(dirname ${CI_JOB_NAME})
    - |
@@ -62,98 +62,98 @@ variables:
 # SAST jobs
 #
-analyzers/bandit:
+bandit:
  extends: .download_images
  only:
    variables:
      - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
          $SECURE_BINARIES_ANALYZERS =~ /\bbandit\b/
-analyzers/brakeman:
+brakeman:
  extends: .download_images
  only:
    variables:
      - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
          $SECURE_BINARIES_ANALYZERS =~ /\bbrakeman\b/
-analyzers/gosec:
+gosec:
  extends: .download_images
  only:
    variables:
      - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
          $SECURE_BINARIES_ANALYZERS =~ /\bgosec\b/
-analyzers/spotbugs:
+spotbugs:
  extends: .download_images
  only:
    variables:
      - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
          $SECURE_BINARIES_ANALYZERS =~ /\bspotbugs\b/
-analyzers/flawfinder:
+flawfinder:
  extends: .download_images
  only:
    variables:
      - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
          $SECURE_BINARIES_ANALYZERS =~ /\bflawfinder\b/
-analyzers/phpcs-security-audit:
+phpcs-security-audit:
  extends: .download_images
  only:
    variables:
      - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
          $SECURE_BINARIES_ANALYZERS =~ /\bphpcs-security-audit\b/
-analyzers/security-code-scan:
+security-code-scan:
  extends: .download_images
  only:
    variables:
      - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
          $SECURE_BINARIES_ANALYZERS =~ /\bsecurity-code-scan\b/
-analyzers/nodejs-scan:
+nodejs-scan:
  extends: .download_images
  only:
    variables:
      - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
          $SECURE_BINARIES_ANALYZERS =~ /\bnodejs-scan\b/
-analyzers/eslint:
+eslint:
  extends: .download_images
  only:
    variables:
      - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
          $SECURE_BINARIES_ANALYZERS =~ /\beslint\b/
-analyzers/tslint:
+tslint:
  extends: .download_images
  only:
    variables:
      - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
          $SECURE_BINARIES_ANALYZERS =~ /\btslint\b/
-analyzers/secrets:
+secrets:
  extends: .download_images
  only:
    variables:
      - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
          $SECURE_BINARIES_ANALYZERS =~ /\bsecrets\b/
-analyzers/sobelow:
+sobelow:
  extends: .download_images
  only:
    variables:
      - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
          $SECURE_BINARIES_ANALYZERS =~ /\bsobelow\b/
-analyzers/pmd-apex:
+pmd-apex:
  extends: .download_images
  only:
    variables:
      - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
          $SECURE_BINARIES_ANALYZERS =~ /\bsecrets\b/
-analyzers/kubesec:
+kubesec:
  extends: .download_images
  only:
    variables:
@@ -163,14 +163,14 @@ analyzers/kubesec:
 # Container Scanning jobs
 #
-analyzers/klar:
+klar:
  extends: .download_images
  only:
    variables:
      - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
          $SECURE_BINARIES_ANALYZERS =~ /\bklar\b/
-analyzers/clair-vulnerabilities-db:
+clair-vulnerabilities-db:
  extends: .download_images
  only:
    variables:
@@ -184,35 +184,35 @@ analyzers/clair-vulnerabilities-db:
 # Dependency Scanning jobs
 #
-analyzers/bundler-audit:
+bundler-audit:
  extends: .download_images
  only:
    variables:
      - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
          $SECURE_BINARIES_ANALYZERS =~ /\bbundler-audit\b/
-analyzers/retire.js:
+retire.js:
  extends: .download_images
  only:
    variables:
      - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
          $SECURE_BINARIES_ANALYZERS =~ /\bretire\.js\b/
-analyzers/gemnasium:
+gemnasium:
  extends: .download_images
  only:
    variables:
      - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
          $SECURE_BINARIES_ANALYZERS =~ /\bgemnasium\b/
-analyzers/gemnasium-maven:
+gemnasium-maven:
  extends: .download_images
  only:
    variables:
      - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
          $SECURE_BINARIES_ANALYZERS =~ /\bgemnasium-maven\b/
-analyzers/gemnasium-python:
+gemnasium-python:
  extends: .download_images
  only:
    variables:
@@ -223,14 +223,14 @@ analyzers/gemnasium-python:
 # License Scanning
 #
-license-management:
+license-finder:
  extends: .download_images
  variables:
    SECURE_BINARIES_ANALYZER_VERSION: "3"
  only:
    variables:
      - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
-          $SECURE_BINARIES_ANALYZERS =~ /\blicense-management\b/
+          $SECURE_BINARIES_ANALYZERS =~ /\blicense-finder\b/
 #
 # DAST
@@ -238,9 +238,9 @@ license-management:
 dast:
  extends: .download_images
+  variables:
+    SECURE_BINARIES_ANALYZER_VERSION: "1"
  only:
    variables:
      - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
          $SECURE_BINARIES_ANALYZERS =~ /\bdast\b/
-  variables:
-    SECURE_BINARIES_ANALYZER_VERSION: 1