Create Dependency Scanning CI/CD Component

Summary

This issue is to track the work related to converting the Dependency scanning template to a component.

Proposal

Follow the steps noted in #432540 (closed) to convert the template to a component.

Implement what's been proposed in #431827 (comment 1749127927):

  • Create a single CI component based on the existing CI template.
  • Expose the image prefix, tag, and suffix as inputs, but not the image names. This way we don't expose the jobs, and their names aren't part of the contract.
  • Don't expose the FIPS mode. Instead document how to set the image suffix.
  • Expose all CI vars as inputs.
  • Simplify rules.
    • Remove FIPS rules.
    • Drop GITLAB_FEATURES rules.
    • Drop _DISABLED rules.
    • Keep rules to check the excluded_analyzers.
    • Also, keep the rule that checks the files and the branch: if: CI_COMMIT_BRANCH ...exists:.
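As an added illustration of the points above (not the actual component or template from this issue), this is the shape a component spec following the proposal could take. Input names, the registry prefix, the image tag, the analyzer name and the lockfile list are all assumptions chosen for the example; the only things taken from the proposal are which knobs become inputs, which rules are kept and which are dropped.

```yaml
# templates/dependency-scanning.yml (assumed path; added example, not the
# project's own component). The image prefix, tag and suffix are inputs; the
# job names below are deliberately not, so renaming them later is not a
# breaking change for consumers.
spec:
  inputs:
    image_prefix:
      default: "$CI_TEMPLATE_REGISTRY_HOST/security-products"  # assumed default
      description: "Registry prefix the analyzer image is pulled from"
    image_tag:
      default: "4"  # assumed analyzer major version
      description: "Analyzer image tag"
    image_suffix:
      default: ""
      description: "Appended to the image name; set it to the FIPS suffix your registry uses instead of a FIPS-mode flag"
    excluded_analyzers:
      default: ""
      description: "Comma-separated list of analyzers to skip"
    excluded_paths:
      default: "spec, test, tests, tmp"  # assumed default
      description: "Paths the analyzer ignores"
---
# Former CI variables are still set, but only from inputs.
variables:
  DS_EXCLUDED_ANALYZERS: $[[ inputs.excluded_analyzers ]]
  DS_EXCLUDED_PATHS: $[[ inputs.excluded_paths ]]

# Hidden base job shared by the analyzer jobs.
.ds-analyzer:
  stage: test
  artifacts:
    reports:
      dependency_scanning: gl-dependency-scanning-report.json
  script:
    - /analyzer run  # assumed analyzer entrypoint

gemnasium-dependency_scanning:  # assumed job/analyzer name, not part of the contract
  extends: .ds-analyzer
  image: "$[[ inputs.image_prefix ]]/gemnasium:$[[ inputs.image_tag ]]$[[ inputs.image_suffix ]]"
  rules:
    # Kept: honour excluded_analyzers.
    - if: $DS_EXCLUDED_ANALYZERS =~ /gemnasium([^-]|$)/
      when: never
    # Kept: branch pipeline plus matching files. No FIPS, GITLAB_FEATURES
    # or *_DISABLED rules remain.
    - if: $CI_COMMIT_BRANCH
      exists:
        - '**/Gemfile.lock'
        - '**/package-lock.json'
        - '**/yarn.lock'
        - '**/go.sum'
```

A consuming project would pull this in with an `include: - component:` entry pinned to a released version and, for FIPS, only set `image_suffix` when including it; the README's inputs table would document that instead of a FIPS switch. Because the rules live inside the component, a consumer that needs MR pipelines still has to override them explicitly, which is the workflow-rules con listed below.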

Pros

  • Users can easily migrate from CI templates.
  • The component is consistent with the SAST one.
  • group::composition analysis can rename and reorganize the jobs without introducing a breaking change.

Cons

  • It needs to be configured for FIPS.
  • It comes with workflow rules that can't be overridden easily.
  • MR pipelines aren't supported out of the box.
  • It lacks granularity. It isn't possible to selectively enable Dependency Scanning for a specific package manager or language. However, this ensures that the component doesn't leak implementation details.

Pros and cons have been discussed in the spike issue: #431827 (closed)

Confirm purpose and User Reception (how does this benefit the user?)

To kickstart the CI Catalog adoption and component usage for users.

Additional details

Some relevant technical details, if applicable, such as:

  • Does this need a feature flag?
  • Does there need to be an associated instrumentation issue created related to this work?
  • Is there an example response showing the data structure that should be returned (new endpoints only)?
  • What permissions should be used?
  • Is this EE or CE?
    • EE
    • CE
  • Additional comments:

Documentation

Create a project README for the component that covers the following:

  • usage
  • inputs table
  • how to contribute

See https://gitlab.com/explore/catalog/components/sast

Testing

Add job integration tests to the test projects. They're similar to the integration tests for the DS CI template, but they use a different branch. The git branches have the -FREEZE suffix so that the Secure Test Project Orchestrator runs test pipelines for them on a daily basis. Suggestion: component-FREEZE.

Links/References

Shared by group::static analysis:

Implementation plan

Edited by Oscar Tovar