diff --git a/doc/user/application_security/iac_scanning/index.md b/doc/user/application_security/iac_scanning/index.md
index a4d2f8b2e4403910d0528cdc241fe82cac042659..35968a6361f99feabf66f1ca4a133b593935d736 100644
--- a/doc/user/application_security/iac_scanning/index.md
+++ b/doc/user/application_security/iac_scanning/index.md
@@ -46,6 +46,27 @@ GitLab IaC scanning supports a variety of IaC configuration files. Our IaC secur
 1. IaC scanning can analyze Azure Resource Manager templates in JSON format. If you write templates in the [Bicep](https://docs.microsoft.com/en-us/azure/azure-resource-manager/bicep/overview) language, you must use [the bicep CLI](https://docs.microsoft.com/en-us/azure/azure-resource-manager/bicep/bicep-cli) to convert your Bicep files into JSON before GitLab IaC scanning can analyze them.
 1. Terraform modules in a custom registry are not scanned for vulnerabilities. You can follow [this issue](https://gitlab.com/gitlab-org/gitlab/-/issues/357004) for the proposed feature.
 
+### Supported distributions
+
+GitLab scanners are provided with a base alpine image for size and maintainability.
+
+#### FIPS-enabled images
+
+> [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/6479) in GitLab 14.10.
+
+GitLab also offers [FIPS-enabled Red Hat UBI](https://www.redhat.com/en/blog/introducing-red-hat-universal-base-image)
+versions of the images. You can therefore replace standard images with FIPS-enabled
+images. To configure the images, set the `SAST_IMAGE_SUFFIX` to `-fips` or modify the
+standard tag plus the `-fips` extension.
+
+```yaml
+variables:
+  SAST_IMAGE_SUFFIX: '-fips'
+
+include:
+  - template: Security/SAST-IaC.latest.gitlab-ci.yml
+```
+
 ### Making IaC analyzers available to all GitLab tiers
 
 All open source (OSS) analyzers are available with the GitLab Free tier. Future proprietary analyzers may be restricted to higher tiers.
diff --git a/doc/user/application_security/sast/index.md b/doc/user/application_security/sast/index.md
index 0b470e8404e821b8026c028ca19fca754314d943..4aa462bd690b91e35bd2e76d86cbfc28afc3b495 100644
--- a/doc/user/application_security/sast/index.md
+++ b/doc/user/application_security/sast/index.md
@@ -132,6 +132,27 @@ The following analyzers have multi-project support:
 Multi-project support in the Security Code Scan requires a Solution (`.sln`) file in the root of
 the repository. For details on the Solution format, see the Microsoft reference [Solution (`.sln`) file](https://docs.microsoft.com/en-us/visualstudio/extensibility/internals/solution-dot-sln-file?view=vs-2019).
 
+### Supported distributions
+
+GitLab scanners are provided with a base alpine image for size and maintainability.
+
+#### FIPS-enabled images
+
+> [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/6479) in GitLab 14.10.
+
+GitLab also offers [Red Hat UBI](https://www.redhat.com/en/blog/introducing-red-hat-universal-base-image)
+versions of the images. You can therefore replace standard images with FIPS-enabled
+images. To configure the images, set the `SAST_IMAGE_SUFFIX` to `-fips` or modify the
+standard tag plus the `-fips` extension.
+
+```yaml
+variables:
+  SAST_IMAGE_SUFFIX: '-fips'
+
+include:
+  - template: Security/SAST.gitlab-ci.yml
+```
+
 ### Making SAST analyzers available to all GitLab tiers
 
 All open source (OSS) analyzers have been moved to the GitLab Free tier as of GitLab 13.3.
diff --git a/doc/user/application_security/secret_detection/index.md b/doc/user/application_security/secret_detection/index.md
index cf8bcb0e3e3933d35d9f9a3efe320906dc66c988..b337b027065ad813c2503bdd7f06937efb903716 100644
--- a/doc/user/application_security/secret_detection/index.md
+++ b/doc/user/application_security/secret_detection/index.md
@@ -108,6 +108,27 @@ The results are saved as a
 that you can later download and analyze. Due to implementation limitations, we
 always take the latest Secret Detection artifact available.
 
+### Supported distributions
+
+GitLab scanners are provided with a base alpine image for size and maintainability.
+
+#### FIPS-enabled images
+
+> [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/6479) in GitLab 14.10.
+
+GitLab also offers [FIPS-enabled Red Hat UBI](https://www.redhat.com/en/blog/introducing-red-hat-universal-base-image)
+versions of the images. You can therefore replace standard images with FIPS-enabled
+images. To configure the images, set the `SAST_IMAGE_SUFFIX` to `-fips` or modify the
+standard tag plus the `-fips` extension.
+
+```yaml
+variables:
+  SECRET_DETECTION_IMAGE_SUFFIX: '-fips'
+
+include:
+  - template: Security/Secret-Detection.gitlab-ci.yml
+```
+
 ### Enable Secret Detection via an automatic merge request
 
 > - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/4496) in GitLab 13.11, deployed behind a feature flag, enabled by default.
diff --git a/ee/spec/lib/gitlab/ci/config/security_orchestration_policies/processor_spec.rb b/ee/spec/lib/gitlab/ci/config/security_orchestration_policies/processor_spec.rb
index 684c16369425312ae17214f7d96d5ed6d6739bac..ba54ec5676c45fbb5a081cb65e64c67eaca9c7b5 100644
--- a/ee/spec/lib/gitlab/ci/config/security_orchestration_policies/processor_spec.rb
+++ b/ee/spec/lib/gitlab/ci/config/security_orchestration_policies/processor_spec.rb
@@ -161,7 +161,7 @@
               'secret-detection-0': hash_including(
                 rules: [{ if: '$SECRET_DETECTION_DISABLED', when: 'never' }, { if: '$CI_COMMIT_BRANCH' }],
                 stage: 'test',
-                image: '$SECURE_ANALYZERS_PREFIX/secrets:$SECRETS_ANALYZER_VERSION',
+                image: '$SECURE_ANALYZERS_PREFIX/secrets:$SECRETS_ANALYZER_VERSION$SECRET_DETECTION_IMAGE_SUFFIX',
                 services: [],
                 allow_failure: true,
                 artifacts: {
@@ -173,6 +173,7 @@
                   GIT_DEPTH: '50',
                   SECURE_ANALYZERS_PREFIX: secure_analyzers_prefix,
                   SECRETS_ANALYZER_VERSION: '3',
+                  SECRET_DETECTION_IMAGE_SUFFIX: '',
                   SECRET_DETECTION_EXCLUDED_PATHS: '',
                   SECRET_DETECTION_HISTORIC_SCAN: 'false'
                 })
diff --git a/ee/spec/services/security/security_orchestration_policies/ci_configuration_service_spec.rb b/ee/spec/services/security/security_orchestration_policies/ci_configuration_service_spec.rb
index 1d8c1d99169b77f4088d1fd5252640c7e7abefc9..28fce0df366614bbb0bf769c04621ea3c94aab24 100644
--- a/ee/spec/services/security/security_orchestration_policies/ci_configuration_service_spec.rb
+++ b/ee/spec/services/security/security_orchestration_policies/ci_configuration_service_spec.rb
@@ -32,7 +32,7 @@
           expected_configuration = {
             rules: [{ if: '$SECRET_DETECTION_DISABLED', when: 'never' }, { if: '$CI_COMMIT_BRANCH' }],
             stage: 'test',
-            image: '$SECURE_ANALYZERS_PREFIX/secrets:$SECRETS_ANALYZER_VERSION',
+            image: '$SECURE_ANALYZERS_PREFIX/secrets:$SECRETS_ANALYZER_VERSION$SECRET_DETECTION_IMAGE_SUFFIX',
             services: [],
             allow_failure: true,
             artifacts: {
@@ -44,6 +44,7 @@
               GIT_DEPTH: '50',
               SECURE_ANALYZERS_PREFIX: secure_analyzers_prefix,
               SECRETS_ANALYZER_VERSION: '3',
+              SECRET_DETECTION_IMAGE_SUFFIX: '',
               SECRET_DETECTION_EXCLUDED_PATHS: '',
               SECRET_DETECTION_HISTORIC_SCAN: 'false'
             }
diff --git a/lib/gitlab/ci/templates/Jobs/SAST-IaC.latest.gitlab-ci.yml b/lib/gitlab/ci/templates/Jobs/SAST-IaC.latest.gitlab-ci.yml
index 5ddfb2a54be2450e1f03e4874737ac1b9cbde874..488e7ec72fd050ded597475116d359f92b2b09df 100644
--- a/lib/gitlab/ci/templates/Jobs/SAST-IaC.latest.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Jobs/SAST-IaC.latest.gitlab-ci.yml
@@ -1,7 +1,14 @@
+# Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/iac_scanning/
+#
+# Configure SAST with CI/CD variables (https://docs.gitlab.com/ee/ci/variables/index.html).
+# List of available variables: https://docs.gitlab.com/ee/user/application_security/iac_scanning/index.html
+
 variables:
   # Setting this variable will affect all Security templates
   # (SAST, Dependency Scanning, ...)
   SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
+  SAST_IMAGE_SUFFIX: ""
+
   SAST_EXCLUDED_PATHS: "spec, test, tests, tmp"
 
 iac-sast:
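Review bot: `SAST_IMAGE_SUFFIX` is added directly beneath the comment "Setting this variable will affect all Security templates", so it reads as if the suffix were shared by every security template. The Secret Detection template in this same diff uses its own `SECRET_DETECTION_IMAGE_SUFFIX` instead. Separate the new variable from `SECURE_ANALYZERS_PREFIX` and give it its own comment, for example `# Appended to the analyzer image tag; set to "-fips" to select the FIPS-enabled image.` The same placement occurs in the `variables:` hunk of Jobs/SAST.gitlab-ci.yml.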
@@ -25,7 +32,7 @@ kics-iac-sast:
     name: "$SAST_ANALYZER_IMAGE"
   variables:
     SAST_ANALYZER_IMAGE_TAG: 1
-    SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/kics:$SAST_ANALYZER_IMAGE_TAG"
+    SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/kics:$SAST_ANALYZER_IMAGE_TAG$SAST_IMAGE_SUFFIX"
   rules:
     - if: $SAST_DISABLED
       when: never
diff --git a/lib/gitlab/ci/templates/Jobs/SAST.gitlab-ci.yml b/lib/gitlab/ci/templates/Jobs/SAST.gitlab-ci.yml
index 241eae89dd361d0a36bca82ace006d340a0f4362..91b403d7006ea1cff5c7d6c4e9d02b3dd4ceccae 100644
--- a/lib/gitlab/ci/templates/Jobs/SAST.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Jobs/SAST.gitlab-ci.yml
@@ -7,6 +7,7 @@ variables:
   # Setting this variable will affect all Security templates
   # (SAST, Dependency Scanning, ...)
   SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
+  SAST_IMAGE_SUFFIX: ""
 
   SAST_EXCLUDED_ANALYZERS: ""
   SAST_EXCLUDED_PATHS: "spec, test, tests, tmp"
@@ -251,7 +252,7 @@ semgrep-sast:
     name: "$SAST_ANALYZER_IMAGE"
   variables:
     SAST_ANALYZER_IMAGE_TAG: 2
-    SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/semgrep:$SAST_ANALYZER_IMAGE_TAG"
+    SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/semgrep:$SAST_ANALYZER_IMAGE_TAG$SAST_IMAGE_SUFFIX"
   rules:
     - if: $SAST_DISABLED
       when: never
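Review bot: As far as this diff shows, `semgrep-sast` is the only job in this template whose `SAST_ANALYZER_IMAGE` gains `$SAST_IMAGE_SUFFIX`, although the variable is declared at template level. The documentation added in this commit says standard images can be replaced with FIPS-enabled ones. If the other analyzer jobs (outside these hunks) still build their image name without the suffix, a project that sets `-fips` for compliance would keep running them on the standard image, with nothing in the pipeline indicating it. Either apply the suffix to every analyzer that has a FIPS image, or state the limit next to the variable, e.g. `# Currently honoured only by semgrep-sast; other analyzers ignore it.` The `semgrep-sast` job starts and ends outside the hunk.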
diff --git a/lib/gitlab/ci/templates/Jobs/Secret-Detection.gitlab-ci.yml b/lib/gitlab/ci/templates/Jobs/Secret-Detection.gitlab-ci.yml
index 0ef6f63bb94c1c6633ac014477510bf7c22f5a1e..c9dcea27b50adf1ec77e594841a01021a8d2a123 100644
--- a/lib/gitlab/ci/templates/Jobs/Secret-Detection.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Jobs/Secret-Detection.gitlab-ci.yml
@@ -6,12 +6,14 @@
 
 variables:
   SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
+  SECRET_DETECTION_IMAGE_SUFFIX: ""
+
   SECRETS_ANALYZER_VERSION: "3"
   SECRET_DETECTION_EXCLUDED_PATHS: ""
 
 .secret-analyzer:
   stage: test
-  image: "$SECURE_ANALYZERS_PREFIX/secrets:$SECRETS_ANALYZER_VERSION"
+  image: "$SECURE_ANALYZERS_PREFIX/secrets:$SECRETS_ANALYZER_VERSION$SECRET_DETECTION_IMAGE_SUFFIX"
   services: []
   allow_failure: true
   variables:
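Review bot: `.secret-analyzer` keeps `allow_failure: true` while its `image:` now ends in a user-settable suffix, so a value with no published tag (a typo such as `-FIPS`, presumably failing at image pull) would let the pipeline pass without secret detection having run. A comment on the variable naming the documented values would help, e.g. `# Documented values: "" (default) or "-fips".`, and teams that rely on the scan should check for the report artifact rather than the job status. The prose added to secret_detection/index.md in this commit also tells readers to set `SAST_IMAGE_SUFFIX`, while this template reads `SECRET_DETECTION_IMAGE_SUFFIX`, so following the text leaves the suffix empty. The `.secret-analyzer` block continues past the end of the hunk.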