feat: Update SECURE_ANALYZER_PREFIX in all Sec Section templates
What does this MR do and why?
Follow-up to reverted MR !80195 (merged) due to reports of customers being unable to fetch images, see incident gitlab-com/gl-infra/production#6313 (comment 836069735)
Root cause was due to projects which override rules per job, i.e. to enable Merge Request Pipelines. Since previous MR relied on dynamic setting of rules:variables:, these variables are not being set when overridden and the correct registry location is not being fetched. Since we cannot expect rules to not be overridden, we had to revert the original MR and explore a flattened registry hierarchy instead of the previous nested one.
With this new MR it's much simpler and only changes the raw variable values.
Relates to https://gitlab.com/gitlab-org/gitlab/-/issues/334325
Screenshots or screen recordings
Test cases
note: Below build failures are irrelevant, this is purely a change to the image locations so checking job initialization is sufficient.
- Default: Category:SAST, Category:Secret Detection, Category:Dependency Scanning, Category:License Compliance, Category:DAST, Category:Fuzz Testing https://gitlab.com/theoretick/all-the-templates-test/-/pipelines/467510351/builds
  - With SECURE_ANALYZERS_PREFIX=registry.example.com set https://gitlab.com/theoretick/all-the-templates-test/-/pipelines/471913177
- DAST.latest.gitlab-ci.yml + API-Fuzzing.latest.gitlab-ci.yml https://gitlab.com/theoretick/all-the-templates-test/-/pipelines/478864725/builds
  - With SECURE_ANALYZERS_PREFIX=registry.example.com set https://gitlab.com/theoretick/all-the-templates-test/-/pipelines/478866438/builds
- DAST-On-Demand-Scan.gitlab-ci.yml https://gitlab.com/theoretick/all-the-templates-test/-/pipelines/467511030/builds
  - With SECURE_ANALYZERS_PREFIX=registry.example.com set https://gitlab.com/theoretick/all-the-templates-test/-/pipelines/467511418/failures
- DAST-On-Demand-API-Scan.gitlab-ci.yml https://gitlab.com/theoretick/all-the-templates-test/-/pipelines/478865091/builds
  - With SECURE_ANALYZERS_PREFIX=registry.example.com set https://gitlab.com/theoretick/all-the-templates-test/-/pipelines/478867078/builds
How to set up and validate locally
- Testing templates inclusions
- Setup include:remote for relevant templates (example) check base container image addresses
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
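
The failure mode described under the root cause, as an added illustration that is not taken from this MR or from the GitLab templates. The job name `example_scan`, the `USE_NEW_REGISTRY` condition and every path under `registry.example.com` are constructed placeholders; the three YAML documents stand for three separate files.

```yaml
# File 1: included template, constructed stand-in for the reverted approach.
# The registry location is switched per rule through rules:variables.
variables:
  SECURE_ANALYZERS_PREFIX: "registry.example.com/old-location"

example_scan:
  image: "$SECURE_ANALYZERS_PREFIX/analyzer:1"
  script:
    - echo "running analyzer"
  rules:
    - if: $USE_NEW_REGISTRY == "true"      # hypothetical condition
      variables:
        SECURE_ANALYZERS_PREFIX: "registry.example.com/new-location/nested"
    - if: $CI_COMMIT_BRANCH
---
# File 2: project .gitlab-ci.yml that includes the template and overrides
# rules for this job to enable merge request pipelines.
example_scan:
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
# rules is a list, so this definition replaces the template's list as a whole.
# The rules:variables entry from File 1 no longer exists for this job, the
# prefix stays at the top-level default, and the image is fetched from
# registry.example.com/old-location.
---
# File 3: flattened approach. Only the raw default value changes, so a
# job-level rules override in the project cannot affect where images come from.
variables:
  SECURE_ANALYZERS_PREFIX: "registry.example.com/new-location"

example_scan:
  image: "$SECURE_ANALYZERS_PREFIX/analyzer:1"
  script:
    - echo "running analyzer"
  rules:
    - if: $CI_COMMIT_BRANCH
```

A project that sets SECURE_ANALYZERS_PREFIX itself, as in the test cases with registry.example.com, overrides the default in File 3 in the usual way.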