Merge branch '213816' into 'master'

Drop deprecated Secure ANALYZER_IMAGE_PREFIX vars

See merge request gitlab-org/gitlab!34325

changelogs/unreleased/213816.yml

+---
+title: Drop deprecated **_ANALYZER_IMAGE_PREFIX
+merge_request: 34325
+author:
+type: removed

doc/user/application_security/dependency_scanning/index.md

@@ -151,7 +151,6 @@ The following variables allow configuration of global dependency scanning settin
 | Environment variable                    | Description |
 | --------------------------------------- |------------ |
 | `SECURE_ANALYZERS_PREFIX`               | Override the name of the Docker registry providing the official default images (proxy). Read more about [customizing analyzers](analyzers.md). |
-| `DS_ANALYZER_IMAGE_PREFIX`              | **DEPRECATED:** Use `SECURE_ANALYZERS_PREFIX` instead. |
 | `DS_DEFAULT_ANALYZERS`                  | Override the names of the official default images. Read more about [customizing analyzers](analyzers.md). |
 | `DS_DISABLE_DIND`                       | Disable Docker-in-Docker and run analyzers [individually](#enabling-docker-in-docker). This variable is `true` by default. |
 | `ADDITIONAL_CA_CERT_BUNDLE`             | Bundle of CA certs to trust. |
@@ -428,14 +427,14 @@ For details on saving and transporting Docker images as a file, see Docker's doc
 ### Set Dependency Scanning CI job variables to use local Dependency Scanning analyzers
 
 Add the following configuration to your `.gitlab-ci.yml` file. You must replace
-`DS_ANALYZER_IMAGE_PREFIX` to refer to your local Docker container registry:
+`SECURE_ANALYZERS_PREFIX` to refer to your local Docker container registry:
 
 ```yaml
 include:
   - template: Dependency-Scanning.gitlab-ci.yml
 
 variables:
-  DS_ANALYZER_IMAGE_PREFIX: "docker-registry.example.com/analyzers"
+  SECURE_ANALYZERS_PREFIX: "docker-registry.example.com/analyzers"
   GEMNASIUM_DB_REMOTE_URL: "gitlab.example.com/gemnasium-db.git"
   GIT_SSL_NO_VERIFY: "true"
 ```

doc/user/application_security/sast/index.md

@@ -278,7 +278,6 @@ The following are Docker image-related variables.
 | Environment variable         | Description                                                                                                                                                                                                              |
 |------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | `SECURE_ANALYZERS_PREFIX`    | Override the name of the Docker registry providing the default images (proxy). Read more about [customizing analyzers](analyzers.md).                                                                                    |
-| `SAST_ANALYZER_IMAGE_PREFIX` | **DEPRECATED**: Use `SECURE_ANALYZERS_PREFIX` instead.                                                                                                                                                                       |
 | `SAST_ANALYZER_IMAGE_TAG`    | **DEPRECATED:** Override the Docker tag of the default images. Read more about [customizing analyzers](analyzers.md).                                                                                                        |
 | `SAST_DEFAULT_ANALYZERS`     | Override the names of default images. Read more about [customizing analyzers](analyzers.md).                                                                                                                             |
 | `SAST_DISABLE_DIND`          | Disable Docker-in-Docker and run analyzers [individually](#enabling-docker-in-docker). This variable is `true` by default. |
@@ -509,7 +508,7 @@ For details on saving and transporting Docker images as a file, see Docker's doc
 ### Set SAST CI job variables to use local SAST analyzers
 
 Add the following configuration to your `.gitlab-ci.yml` file. You must replace
-`SAST_ANALYZER_IMAGE_PREFIX` to refer to your local Docker container registry:
+`SECURE_ANALYZERS_PREFIX` to refer to your local Docker container registry:
 
   ```yaml
 include:

lib/gitlab/ci/templates/Security/Dependency-Scanning.gitlab-ci.yml

@@ -9,9 +9,6 @@ variables:
   # (SAST, Dependency Scanning, ...)
   SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
 
-  # Deprecated, use SECURE_ANALYZERS_PREFIX instead
-  DS_ANALYZER_IMAGE_PREFIX: "$SECURE_ANALYZERS_PREFIX"
-
   DS_DEFAULT_ANALYZERS: "bundler-audit, retire.js, gemnasium, gemnasium-maven, gemnasium-python"
   DS_EXCLUDED_PATHS: "spec, test, tests, tmp"
   DS_MAJOR_VERSION: 2
@@ -45,7 +42,7 @@ dependency_scanning:
       docker run \
         $(propagate_env_vars \
           DS_ANALYZER_IMAGES \
-          DS_ANALYZER_IMAGE_PREFIX \
+          SECURE_ANALYZERS_PREFIX \
           DS_ANALYZER_IMAGE_TAG \
           DS_DEFAULT_ANALYZERS \
           DS_EXCLUDED_PATHS \
@@ -98,7 +95,7 @@ dependency_scanning:
 gemnasium-dependency_scanning:
   extends: .ds-analyzer
   image:
-    name: "$DS_ANALYZER_IMAGE_PREFIX/gemnasium:$DS_MAJOR_VERSION"
+    name: "$SECURE_ANALYZERS_PREFIX/gemnasium:$DS_MAJOR_VERSION"
   rules:
     - if: $DEPENDENCY_SCANNING_DISABLED || $DS_DISABLE_DIND == 'false'
       when: never
@@ -117,7 +114,7 @@ gemnasium-dependency_scanning:
 gemnasium-maven-dependency_scanning:
   extends: .ds-analyzer
   image:
-    name: "$DS_ANALYZER_IMAGE_PREFIX/gemnasium-maven:$DS_MAJOR_VERSION"
+    name: "$SECURE_ANALYZERS_PREFIX/gemnasium-maven:$DS_MAJOR_VERSION"
   rules:
     - if: $DEPENDENCY_SCANNING_DISABLED || $DS_DISABLE_DIND == 'false'
       when: never
@@ -133,7 +130,7 @@ gemnasium-maven-dependency_scanning:
 gemnasium-python-dependency_scanning:
   extends: .ds-analyzer
   image:
-    name: "$DS_ANALYZER_IMAGE_PREFIX/gemnasium-python:$DS_MAJOR_VERSION"
+    name: "$SECURE_ANALYZERS_PREFIX/gemnasium-python:$DS_MAJOR_VERSION"
   rules:
     - if: $DEPENDENCY_SCANNING_DISABLED || $DS_DISABLE_DIND == 'false'
       when: never
@@ -156,7 +153,7 @@ gemnasium-python-dependency_scanning:
 bundler-audit-dependency_scanning:
   extends: .ds-analyzer
   image:
-    name: "$DS_ANALYZER_IMAGE_PREFIX/bundler-audit:$DS_MAJOR_VERSION"
+    name: "$SECURE_ANALYZERS_PREFIX/bundler-audit:$DS_MAJOR_VERSION"
   rules:
     - if: $DEPENDENCY_SCANNING_DISABLED || $DS_DISABLE_DIND == 'false'
       when: never
@@ -169,7 +166,7 @@ bundler-audit-dependency_scanning:
 retire-js-dependency_scanning:
   extends: .ds-analyzer
   image:
-    name: "$DS_ANALYZER_IMAGE_PREFIX/retire.js:$DS_MAJOR_VERSION"
+    name: "$SECURE_ANALYZERS_PREFIX/retire.js:$DS_MAJOR_VERSION"
   rules:
     - if: $DEPENDENCY_SCANNING_DISABLED || $DS_DISABLE_DIND == 'false'
       when: never

lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml

@@ -9,9 +9,6 @@ variables:
   # (SAST, Dependency Scanning, ...)
   SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
 
-  # Deprecated, use SECURE_ANALYZERS_PREFIX instead
-  SAST_ANALYZER_IMAGE_PREFIX: "$SECURE_ANALYZERS_PREFIX"
-
   SAST_DEFAULT_ANALYZERS: "bandit, brakeman, gosec, spotbugs, flawfinder, phpcs-security-audit, security-code-scan, nodejs-scan, eslint, tslint, secrets, sobelow, pmd-apex, kubesec"
   SAST_EXCLUDED_PATHS: "spec, test, tests, tmp"
   SAST_ANALYZER_IMAGE_TAG: 2
@@ -63,7 +60,7 @@ sast:
 bandit-sast:
   extends: .sast-analyzer
   image:
-    name: "$SAST_ANALYZER_IMAGE_PREFIX/bandit:$SAST_ANALYZER_IMAGE_TAG"
+    name: "$SECURE_ANALYZERS_PREFIX/bandit:$SAST_ANALYZER_IMAGE_TAG"
   rules:
     - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
       when: never
@@ -76,7 +73,7 @@ bandit-sast:
 brakeman-sast:
   extends: .sast-analyzer
   image:
-    name: "$SAST_ANALYZER_IMAGE_PREFIX/brakeman:$SAST_ANALYZER_IMAGE_TAG"
+    name: "$SECURE_ANALYZERS_PREFIX/brakeman:$SAST_ANALYZER_IMAGE_TAG"
   rules:
     - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
       when: never
@@ -88,7 +85,7 @@ brakeman-sast:
 eslint-sast:
   extends: .sast-analyzer
   image:
-    name: "$SAST_ANALYZER_IMAGE_PREFIX/eslint:$SAST_ANALYZER_IMAGE_TAG"
+    name: "$SECURE_ANALYZERS_PREFIX/eslint:$SAST_ANALYZER_IMAGE_TAG"
   rules:
     - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
       when: never
@@ -102,7 +99,7 @@ eslint-sast:
 flawfinder-sast:
   extends: .sast-analyzer
   image:
-    name: "$SAST_ANALYZER_IMAGE_PREFIX/flawfinder:$SAST_ANALYZER_IMAGE_TAG"
+    name: "$SECURE_ANALYZERS_PREFIX/flawfinder:$SAST_ANALYZER_IMAGE_TAG"
   rules:
     - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
       when: never
@@ -116,7 +113,7 @@ flawfinder-sast:
 kubesec-sast:
   extends: .sast-analyzer
   image:
-    name: "$SAST_ANALYZER_IMAGE_PREFIX/kubesec:$SAST_ANALYZER_IMAGE_TAG"
+    name: "$SECURE_ANALYZERS_PREFIX/kubesec:$SAST_ANALYZER_IMAGE_TAG"
   rules:
     - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
       when: never
@@ -128,7 +125,7 @@ kubesec-sast:
 gosec-sast:
   extends: .sast-analyzer
   image:
-    name: "$SAST_ANALYZER_IMAGE_PREFIX/gosec:$SAST_ANALYZER_IMAGE_TAG"
+    name: "$SECURE_ANALYZERS_PREFIX/gosec:$SAST_ANALYZER_IMAGE_TAG"
   rules:
     - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
       when: never
@@ -141,7 +138,7 @@ gosec-sast:
 nodejs-scan-sast:
   extends: .sast-analyzer
   image:
-    name: "$SAST_ANALYZER_IMAGE_PREFIX/nodejs-scan:$SAST_ANALYZER_IMAGE_TAG"
+    name: "$SECURE_ANALYZERS_PREFIX/nodejs-scan:$SAST_ANALYZER_IMAGE_TAG"
   rules:
     - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
       when: never
@@ -154,7 +151,7 @@ nodejs-scan-sast:
 phpcs-security-audit-sast:
   extends: .sast-analyzer
   image:
-    name: "$SAST_ANALYZER_IMAGE_PREFIX/phpcs-security-audit:$SAST_ANALYZER_IMAGE_TAG"
+    name: "$SECURE_ANALYZERS_PREFIX/phpcs-security-audit:$SAST_ANALYZER_IMAGE_TAG"
   rules:
     - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
       when: never
@@ -167,7 +164,7 @@ phpcs-security-audit-sast:
 pmd-apex-sast:
   extends: .sast-analyzer
   image:
-    name: "$SAST_ANALYZER_IMAGE_PREFIX/pmd-apex:$SAST_ANALYZER_IMAGE_TAG"
+    name: "$SECURE_ANALYZERS_PREFIX/pmd-apex:$SAST_ANALYZER_IMAGE_TAG"
   rules:
     - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
       when: never
@@ -180,7 +177,7 @@ pmd-apex-sast:
 secrets-sast:
   extends: .sast-analyzer
   image:
-    name: "$SAST_ANALYZER_IMAGE_PREFIX/secrets:$SAST_ANALYZER_IMAGE_TAG"
+    name: "$SECURE_ANALYZERS_PREFIX/secrets:$SAST_ANALYZER_IMAGE_TAG"
   rules:
     - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
       when: never
@@ -191,7 +188,7 @@ secrets-sast:
 security-code-scan-sast:
   extends: .sast-analyzer
   image:
-    name: "$SAST_ANALYZER_IMAGE_PREFIX/security-code-scan:$SAST_ANALYZER_IMAGE_TAG"
+    name: "$SECURE_ANALYZERS_PREFIX/security-code-scan:$SAST_ANALYZER_IMAGE_TAG"
   rules:
     - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
       when: never
@@ -205,7 +202,7 @@ security-code-scan-sast:
 sobelow-sast:
   extends: .sast-analyzer
   image:
-    name: "$SAST_ANALYZER_IMAGE_PREFIX/sobelow:$SAST_ANALYZER_IMAGE_TAG"
+    name: "$SECURE_ANALYZERS_PREFIX/sobelow:$SAST_ANALYZER_IMAGE_TAG"
   rules:
     - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
       when: never
@@ -218,7 +215,7 @@ sobelow-sast:
 spotbugs-sast:
   extends: .sast-analyzer
   image:
-    name: "$SAST_ANALYZER_IMAGE_PREFIX/spotbugs:$SAST_ANALYZER_IMAGE_TAG"
+    name: "$SECURE_ANALYZERS_PREFIX/spotbugs:$SAST_ANALYZER_IMAGE_TAG"
   rules:
     - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
       when: never
@@ -233,7 +230,7 @@ spotbugs-sast:
 tslint-sast:
   extends: .sast-analyzer
   image:
-    name: "$SAST_ANALYZER_IMAGE_PREFIX/tslint:$SAST_ANALYZER_IMAGE_TAG"
+    name: "$SECURE_ANALYZERS_PREFIX/tslint:$SAST_ANALYZER_IMAGE_TAG"
   rules:
     - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
       when: never