Simplify DS QA job by using inherited variables
Problem to solve
"Support WANT variable in DS QA job" attempted to use an inherited variable definition; however, this was not possible at the time because of a variable expansion limitation described by "Use variable inside other variable". A workaround was added in "Fix variable expansion in DS QA job", which involved doing variable expansion in the shell. Now that "Use variable inside other variable" has been completed, we can simplify the template by using inherited variable definitions, as originally attempted in "Support WANT variable in DS QA job".
Proposal
- See this MR as a starting point.
- Remove the variable expansion in includes-dev/qa-dependency_scanning.yml and replace with variables: .qa-dependency_scanning: stage: qa image: name: registry.gitlab.com/gitlab-org/security-products/analyzers/integration-test:stable + variables: + DEPENDENCY_SCANNING_REPORT: gl-dependency-scanning-report.json + GOT: $DEPENDENCY_SCANNING_REPORT + WANT: $DEPENDENCY_SCANNING_REPORT + DS_REPORT_URL: qa/expect/$WANT + DS_REPORT_PATH: $GOT script: - # Do variable expansion in Shell because CI variables aren't properly expanded - # See https://gitlab.com/gitlab-org/gitlab-runner/-/issues/1809 - # - # Default filename for Dependency Scanning report - - echo "DEPENDENCY_SCANNING_REPORT:" "${DEPENDENCY_SCANNING_REPORT:=gl-dependency-scanning-report.json}" - # Default filename for expected report - - echo "WANT:" "${WANT:=$DEPENDENCY_SCANNING_REPORT}" - # URL (or path) of expected report - - echo "DS_REPORT_URL:" "${DS_REPORT_URL:=qa/expect/$WANT}" - # Default filename for actual report - - echo "GOT:" "${GOT:=$DEPENDENCY_SCANNING_REPORT}" - # Export URL/path of expected and actual reports and run QA script - - export DS_REPORT_URL - - export DS_REPORT_PATH=$GOT - dependency-scanning-qa
- Move the DS_REPORT_URL variable from the global section of all the dependency scanning test projects and branches (42 in total), to an explicit qa-gemnasium-dependency_scanning section, similar to how this was done for the js-npm test project: - variables: - DS_REPORT_URL: "https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium/-/raw/master/qa/expect/$CI_PROJECT_NAME/gl-dependency-scanning-report.json" + qa-gemnasium-dependency_scanning: + variables: + DS_REPORT_URL: "https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium/-/raw/master/qa/expect/$CI_PROJECT_NAME/gl-dependency-scanning-report.json"
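Review bot: In the .qa-dependency_scanning template hunk, the new job-level `DS_REPORT_URL: qa/expect/$WANT` is not equivalent to the removed `${DS_REPORT_URL:=qa/expect/$WANT}`. The shell form only supplied a default when the variable was unset or empty, whereas a job-level `variables:` entry takes precedence over a value set in a project's global `variables:` section, so any test project that still defines DS_REPORT_URL globally would be compared against the local qa/expect path instead of its intended expected report. This template change should therefore not merge before the per-project move to a job-level section is done in all of the test projects and branches. The removed `echo` lines were also the only place the resolved values of WANT, GOT and DS_REPORT_URL appeared in the job log; consider keeping one `echo` of the final DS_REPORT_URL and DS_REPORT_PATH before `dependency-scanning-qa` so a mismatch is easy to diagnose.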
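Review bot: In the test-project hunk, the relocated DS_REPORT_URL value still ends in the literal file name `gl-dependency-scanning-report.json`, so once this job-level override is in place, setting WANT in that project no longer changes which expected report is fetched. If the `qa-gemnasium-dependency_scanning` job inherits WANT from the template, ending the URL with `$WANT` would keep the two in step; otherwise a short comment above the variable saying that WANT is intentionally ignored here would help. Since the same block has to be repeated across 42 projects and branches, it is also worth confirming in each one that the job key matches the name of the job that actually uses the QA template, because a mismatched key defines a separate job rather than overriding the intended one.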
Intended users
User experience goal
Complexity is reduced in the .qa-dependency_scanning job definition, making it easier to maintain.
Further details
See this discussion for background information.
Availability & Testing
All test projects should still pass after this change.
What is the type of buyer?
Enterprise Edition GitLab Ultimate
Is this a cross-stage feature?
No, it only affects Category:Dependency Scanning