authorGitLab Bot <gitlab-bot@gitlab.com>2022-09-27 21:12:25 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2022-09-27 21:12:25 +0000
commitbce6d50b9c9a46521578add31072e282645c0f2c (patch)
tree23ac5ba8ec38898bb23ec8b2d12933fc17b10fa9
parent3538972a0a6417e01f8e44c716d061520841cbce (diff)
downloadgitlab-ce-bce6d50b9c9a46521578add31072e282645c0f2c.tar.gz
Add latest changes from gitlab-org/gitlab@master
-rw-r--r--app/assets/stylesheets/page_bundles/profile.scss29
-rw-r--r--app/assets/stylesheets/pages/profile.scss29
-rw-r--r--app/views/admin/application_settings/_help_page.html.haml2
-rw-r--r--app/views/admin/application_settings/_sidekiq_job_limits.html.haml4
-rw-r--r--app/views/admin/application_settings/_snowplow.html.haml2
-rw-r--r--app/views/admin/application_settings/_third_party_offers.html.haml2
-rw-r--r--app/views/admin/application_settings/_users_api_limits.html.haml4
-rw-r--r--app/views/profiles/gpg_keys/index.html.haml1
-rw-r--r--app/views/profiles/keys/index.html.haml1
-rwxr-xr-xconfig/metrics/counts_28d/20210216184559_ci_templates_total_unique_counts_monthly.yml2
-rw-r--r--config/metrics/counts_28d/20220913225020_p_ci_templates_security_coverage_fuzzing_latest_monthly.yml25
-rw-r--r--config/metrics/counts_28d/20220913225303_p_ci_templates_implicit_security_coverage_fuzzing_latest_monthly.yml25
-rwxr-xr-xconfig/metrics/counts_7d/20210216184557_ci_templates_total_unique_counts_weekly.yml2
-rw-r--r--config/metrics/counts_7d/20220913225013_p_ci_templates_security_coverage_fuzzing_latest_weekly.yml25
-rw-r--r--config/metrics/counts_7d/20220913225257_p_ci_templates_implicit_security_coverage_fuzzing_latest_weekly.yml25
-rw-r--r--db/post_migrate/20220920213504_finalize_task_system_note_renaming.rb13
-rw-r--r--db/post_migrate/20220920214524_remove_task_system_note_rename_temp_index.rb8
-rw-r--r--db/post_migrate/20220923060226_remove_tmp_index_system_note_metadata_on_attention_request_actions.rb17
-rw-r--r--db/schema_migrations/202209230602261
-rw-r--r--db/structure.sql2
-rw-r--r--doc/administration/clusters/kas.md35
-rw-r--r--doc/user/application_security/dependency_scanning/index.md2
-rw-r--r--lib/gitlab/ci/templates/Security/API-Fuzzing.latest.gitlab-ci.yml15
-rw-r--r--lib/gitlab/ci/templates/Security/Coverage-Fuzzing.latest.gitlab-ci.yml64
-rw-r--r--lib/gitlab/ci/templates/Security/DAST-API.latest.gitlab-ci.yml13
-rw-r--r--lib/gitlab/ci/templates/Security/DAST.latest.gitlab-ci.yml13
-rw-r--r--lib/gitlab/usage_data_counters/known_events/ci_templates.yml8
-rw-r--r--spec/support/shared_examples/lib/gitlab/template/template_shared_examples.rb44
28 files changed, 353 insertions, 60 deletions
diff --git a/app/assets/stylesheets/page_bundles/profile.scss b/app/assets/stylesheets/page_bundles/profile.scss
index 356f57678f3..9e4deb16a9d 100644
--- a/app/assets/stylesheets/page_bundles/profile.scss
+++ b/app/assets/stylesheets/page_bundles/profile.scss
@@ -252,3 +252,32 @@
.twitter-icon {
color: $twitter;
}
+
+.key-created-at {
+ line-height: 42px;
+}
+
+.key-list-item {
+ .key-list-item-info {
+ @include media-breakpoint-up(sm) {
+ float: left;
+ }
+ }
+}
+
+.ssh-keys-list {
+ .last-used-at,
+ .expires,
+ .key-created-at {
+ line-height: 32px;
+ }
+}
+
+.subkeys-list {
+ @include basic-list;
+
+ li {
+ padding: 3px 0;
+ border: 0;
+ }
+}
diff --git a/app/assets/stylesheets/pages/profile.scss b/app/assets/stylesheets/pages/profile.scss
index 55b9d749bbb..8e4dd39e498 100644
--- a/app/assets/stylesheets/pages/profile.scss
+++ b/app/assets/stylesheets/pages/profile.scss
@@ -10,35 +10,6 @@
}
}
-.subkeys-list {
- @include basic-list;
-
- li {
- padding: 3px 0;
- border: 0;
- }
-}
-
-.key-list-item {
- .key-list-item-info {
- @include media-breakpoint-up(sm) {
- float: left;
- }
- }
-}
-
-.ssh-keys-list {
- .last-used-at,
- .expires,
- .key-created-at {
- line-height: 32px;
- }
-}
-
-.key-created-at {
- line-height: 42px;
-}
-
.provider-btn-group {
display: inline-block;
margin-right: 10px;
diff --git a/app/views/admin/application_settings/_help_page.html.haml b/app/views/admin/application_settings/_help_page.html.haml
index 21eb4caf579..11ebad07e9a 100644
--- a/app/views/admin/application_settings/_help_page.html.haml
+++ b/app/views/admin/application_settings/_help_page.html.haml
@@ -21,4 +21,4 @@
- docs_link_url = help_page_path('user/admin_area/settings/help_page', anchor: 'destination-requirements')
- docs_link_start = '<a href="%{url}" target="_blank" rel="noopener noreferrer">'.html_safe % { url: docs_link_url }
%span.form-text.text-muted#support_help_block= html_escape(_('Requests for pages at %{code_start}%{help_text_url}%{code_end} redirect to the URL. The destination must meet certain requirements. %{docs_link_start}Learn more.%{docs_link_end}')) % { code_start: '<code>'.html_safe, help_text_url: help_url, code_end: '</code>'.html_safe, docs_link_start: docs_link_start, docs_link_end: '</a>'.html_safe }
- = f.submit _('Save changes'), class: "gl-button btn btn-confirm"
+ = f.submit _('Save changes'), pajamas_button: true
diff --git a/app/views/admin/application_settings/_sidekiq_job_limits.html.haml b/app/views/admin/application_settings/_sidekiq_job_limits.html.haml
index eaf4bbf4702..068a8155450 100644
--- a/app/views/admin/application_settings/_sidekiq_job_limits.html.haml
+++ b/app/views/admin/application_settings/_sidekiq_job_limits.html.haml
@@ -1,4 +1,4 @@
-= form_for @application_setting, url: preferences_admin_application_settings_path(anchor: 'js-sidekiq-job-limits-settings'), html: { class: 'fieldset-form' } do |f|
+= gitlab_ui_form_for @application_setting, url: preferences_admin_application_settings_path(anchor: 'js-sidekiq-job-limits-settings'), html: { class: 'fieldset-form' } do |f|
= form_errors(@application_setting)
%fieldset
@@ -18,4 +18,4 @@
.form-text.text-muted
= _("Threshold in bytes at which to reject Sidekiq jobs. Set this to 0 to if you don't want to limit Sidekiq jobs.")
- = f.submit _('Save changes'), class: "gl-button btn btn-confirm"
+ = f.submit _('Save changes'), pajamas_button: true
diff --git a/app/views/admin/application_settings/_snowplow.html.haml b/app/views/admin/application_settings/_snowplow.html.haml
index 8684b909853..4e7d9b8ab21 100644
--- a/app/views/admin/application_settings/_snowplow.html.haml
+++ b/app/views/admin/application_settings/_snowplow.html.haml
@@ -31,4 +31,4 @@
.form-text.text-muted
= _('The Snowplow cookie domain.')
- = f.submit _('Save changes'), class: 'gl-button btn btn-confirm', data: { qa_selector: 'save_changes_button' }
+ = f.submit _('Save changes'), data: { qa_selector: 'save_changes_button' }, pajamas_button: true
diff --git a/app/views/admin/application_settings/_third_party_offers.html.haml b/app/views/admin/application_settings/_third_party_offers.html.haml
index 20a60ac870a..ed809c6db52 100644
--- a/app/views/admin/application_settings/_third_party_offers.html.haml
+++ b/app/views/admin/application_settings/_third_party_offers.html.haml
@@ -16,4 +16,4 @@
= f.gitlab_ui_checkbox_component :hide_third_party_offers,
_('Do not display content for customer experience improvement and offers from third parties')
- = f.submit _('Save changes'), class: "gl-button btn btn-confirm"
+ = f.submit _('Save changes'), pajamas_button: true
diff --git a/app/views/admin/application_settings/_users_api_limits.html.haml b/app/views/admin/application_settings/_users_api_limits.html.haml
index 3918c76b12c..ca6f1113c4a 100644
--- a/app/views/admin/application_settings/_users_api_limits.html.haml
+++ b/app/views/admin/application_settings/_users_api_limits.html.haml
@@ -1,4 +1,4 @@
-= form_for @application_setting, url: network_admin_application_settings_path(anchor: 'js-users-api-limits-settings'), html: { class: 'fieldset-form' } do |f|
+= gitlab_ui_form_for @application_setting, url: network_admin_application_settings_path(anchor: 'js-users-api-limits-settings'), html: { class: 'fieldset-form' } do |f|
= form_errors(@application_setting)
%fieldset
@@ -11,4 +11,4 @@
.form-text.text-muted{ id: 'users-api-limit-users-allowlist-field-description' }
= _('List of users who are allowed to exceed the rate limit. Example: username1, username2')
- = f.submit _('Save changes'), class: "gl-button btn btn-confirm", data: { qa_selector: 'save_changes_button' }
+ = f.submit _('Save changes'), data: { qa_selector: 'save_changes_button' }, pajamas_button: true
diff --git a/app/views/profiles/gpg_keys/index.html.haml b/app/views/profiles/gpg_keys/index.html.haml
index d9f0c00ffa9..539a0cd1f0e 100644
--- a/app/views/profiles/gpg_keys/index.html.haml
+++ b/app/views/profiles/gpg_keys/index.html.haml
@@ -1,4 +1,5 @@
- page_title _('GPG Keys')
+- add_page_specific_style 'page_bundles/profile'
- @content_class = "limit-container-width" unless fluid_layout
.row.gl-mt-3.js-search-settings-section
diff --git a/app/views/profiles/keys/index.html.haml b/app/views/profiles/keys/index.html.haml
index f8bccb0cf8d..69e92b9e508 100644
--- a/app/views/profiles/keys/index.html.haml
+++ b/app/views/profiles/keys/index.html.haml
@@ -1,4 +1,5 @@
- page_title _('SSH Keys')
+- add_page_specific_style 'page_bundles/profile'
- @content_class = "limit-container-width" unless fluid_layout
.row.gl-mt-3.js-search-settings-section
diff --git a/config/metrics/counts_28d/20210216184559_ci_templates_total_unique_counts_monthly.yml b/config/metrics/counts_28d/20210216184559_ci_templates_total_unique_counts_monthly.yml
index 2c6b21b0f6f..52840d9fb4a 100755
--- a/config/metrics/counts_28d/20210216184559_ci_templates_total_unique_counts_monthly.yml
+++ b/config/metrics/counts_28d/20210216184559_ci_templates_total_unique_counts_monthly.yml
@@ -46,6 +46,7 @@ options:
- p_ci_templates_security_secret_detection
- p_ci_templates_security_license_scanning
- p_ci_templates_security_coverage_fuzzing
+ - p_ci_templates_security_coverage_fuzzing_latest
- p_ci_templates_security_api_fuzzing_latest
- p_ci_templates_security_secure_binaries
- p_ci_templates_security_dast_api
@@ -163,6 +164,7 @@ options:
- p_ci_templates_implicit_security_secret_detection
- p_ci_templates_implicit_security_license_scanning
- p_ci_templates_implicit_security_coverage_fuzzing
+ - p_ci_templates_implicit_security_coverage_fuzzing_latest
- p_ci_templates_implicit_security_api_fuzzing_latest
- p_ci_templates_implicit_security_secure_binaries
- p_ci_templates_implicit_security_dast_api
diff --git a/config/metrics/counts_28d/20220913225020_p_ci_templates_security_coverage_fuzzing_latest_monthly.yml b/config/metrics/counts_28d/20220913225020_p_ci_templates_security_coverage_fuzzing_latest_monthly.yml
new file mode 100644
index 00000000000..c4fad8d7545
--- /dev/null
+++ b/config/metrics/counts_28d/20220913225020_p_ci_templates_security_coverage_fuzzing_latest_monthly.yml
@@ -0,0 +1,25 @@
+---
+key_path: redis_hll_counters.ci_templates.p_ci_templates_security_coverage_fuzzing_latest_monthly
+description: Monthly counts for Coverage Fuzzing latest CI template
+product_section: sec
+product_stage: secure
+product_group: dynamic_analysis
+product_category: dynamic_application_security_testing
+value_type: number
+status: active
+milestone: "15.5"
+introduced_by_url: 'https://gitlab.com/gitlab-org/gitlab/-/merge_requests/97886'
+time_frame: 28d
+data_source: redis_hll
+data_category: optional
+instrumentation_class: RedisHLLMetric
+distribution:
+- ce
+- ee
+tier:
+- free
+- premium
+- ultimate
+options:
+ events:
+ - p_ci_templates_security_coverage_fuzzing_latest
diff --git a/config/metrics/counts_28d/20220913225303_p_ci_templates_implicit_security_coverage_fuzzing_latest_monthly.yml b/config/metrics/counts_28d/20220913225303_p_ci_templates_implicit_security_coverage_fuzzing_latest_monthly.yml
new file mode 100644
index 00000000000..57a3bb90808
--- /dev/null
+++ b/config/metrics/counts_28d/20220913225303_p_ci_templates_implicit_security_coverage_fuzzing_latest_monthly.yml
@@ -0,0 +1,25 @@
+---
+key_path: redis_hll_counters.ci_templates.p_ci_templates_implicit_security_coverage_fuzzing_latest_monthly
+description: Monthly counts for implicit Coverage Fuzzing latest CI template
+product_section: sec
+product_stage: secure
+product_group: dynamic_analysis
+product_category: dynamic_application_security_testing
+value_type: number
+status: active
+milestone: "15.5"
+introduced_by_url: 'https://gitlab.com/gitlab-org/gitlab/-/merge_requests/97886'
+time_frame: 28d
+data_source: redis_hll
+data_category: optional
+instrumentation_class: RedisHLLMetric
+distribution:
+- ce
+- ee
+tier:
+- free
+- premium
+- ultimate
+options:
+ events:
+ - p_ci_templates_implicit_security_coverage_fuzzing_latest
diff --git a/config/metrics/counts_7d/20210216184557_ci_templates_total_unique_counts_weekly.yml b/config/metrics/counts_7d/20210216184557_ci_templates_total_unique_counts_weekly.yml
index 16186a412b8..62b2885b86a 100755
--- a/config/metrics/counts_7d/20210216184557_ci_templates_total_unique_counts_weekly.yml
+++ b/config/metrics/counts_7d/20210216184557_ci_templates_total_unique_counts_weekly.yml
@@ -46,6 +46,7 @@ options:
- p_ci_templates_security_secret_detection
- p_ci_templates_security_license_scanning
- p_ci_templates_security_coverage_fuzzing
+ - p_ci_templates_security_coverage_fuzzing_latest
- p_ci_templates_security_api_fuzzing_latest
- p_ci_templates_security_secure_binaries
- p_ci_templates_security_dast_api
@@ -160,6 +161,7 @@ options:
- p_ci_templates_implicit_security_secret_detection
- p_ci_templates_implicit_security_license_scanning
- p_ci_templates_implicit_security_coverage_fuzzing
+ - p_ci_templates_implicit_security_coverage_fuzzing_latest
- p_ci_templates_implicit_security_api_fuzzing_latest
- p_ci_templates_implicit_security_secure_binaries
- p_ci_templates_implicit_security_dast_api
diff --git a/config/metrics/counts_7d/20220913225013_p_ci_templates_security_coverage_fuzzing_latest_weekly.yml b/config/metrics/counts_7d/20220913225013_p_ci_templates_security_coverage_fuzzing_latest_weekly.yml
new file mode 100644
index 00000000000..768390de49d
--- /dev/null
+++ b/config/metrics/counts_7d/20220913225013_p_ci_templates_security_coverage_fuzzing_latest_weekly.yml
@@ -0,0 +1,25 @@
+---
+key_path: redis_hll_counters.ci_templates.p_ci_templates_security_coverage_fuzzing_latest_weekly
+description: Weekly counts for Coverage Fuzzing latest CI template
+product_section: sec
+product_stage: secure
+product_group: dynamic_analysis
+product_category: dynamic_application_security_testing
+value_type: number
+status: active
+milestone: "15.5"
+introduced_by_url: 'https://gitlab.com/gitlab-org/gitlab/-/merge_requests/97886'
+time_frame: 28d
+data_source: redis_hll
+data_category: optional
+instrumentation_class: RedisHLLMetric
+distribution:
+- ce
+- ee
+tier:
+- free
+- premium
+- ultimate
+options:
+ events:
+ - p_ci_templates_security_coverage_fuzzing_latest
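Review bot: `time_frame: 28d` in this new weekly metric definition contradicts the rest of the file: it lives under `config/metrics/counts_7d/`, its `key_path` ends in `_weekly`, and its description says "Weekly counts". The line should read `time_frame: 7d`. The implicit weekly definition added in the next file (`20220913225257_p_ci_templates_implicit_security_coverage_fuzzing_latest_weekly.yml`) carries the same `time_frame: 28d` and needs the same change. The two monthly files under `counts_28d` are consistent as written.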
diff --git a/config/metrics/counts_7d/20220913225257_p_ci_templates_implicit_security_coverage_fuzzing_latest_weekly.yml b/config/metrics/counts_7d/20220913225257_p_ci_templates_implicit_security_coverage_fuzzing_latest_weekly.yml
new file mode 100644
index 00000000000..873ac26f057
--- /dev/null
+++ b/config/metrics/counts_7d/20220913225257_p_ci_templates_implicit_security_coverage_fuzzing_latest_weekly.yml
@@ -0,0 +1,25 @@
+---
+key_path: redis_hll_counters.ci_templates.p_ci_templates_implicit_security_coverage_fuzzing_latest_weekly
+description: Weekly counts for implicit Coverage Fuzzing latest CI template
+product_section: sec
+product_stage: secure
+product_group: dynamic_analysis
+product_category: dynamic_application_security_testing
+value_type: number
+status: active
+milestone: "15.5"
+introduced_by_url: 'https://gitlab.com/gitlab-org/gitlab/-/merge_requests/97886'
+time_frame: 28d
+data_source: redis_hll
+data_category: optional
+instrumentation_class: RedisHLLMetric
+distribution:
+- ce
+- ee
+tier:
+- free
+- premium
+- ultimate
+options:
+ events:
+ - p_ci_templates_implicit_security_coverage_fuzzing_latest
diff --git a/db/post_migrate/20220920213504_finalize_task_system_note_renaming.rb b/db/post_migrate/20220920213504_finalize_task_system_note_renaming.rb
index e4829e3a692..d9307c14ccb 100644
--- a/db/post_migrate/20220920213504_finalize_task_system_note_renaming.rb
+++ b/db/post_migrate/20220920213504_finalize_task_system_note_renaming.rb
@@ -1,19 +1,8 @@
# frozen_string_literal: true
class FinalizeTaskSystemNoteRenaming < Gitlab::Database::Migration[2.0]
- disable_ddl_transaction!
-
- restrict_gitlab_migration gitlab_schema: :gitlab_main
-
- MIGRATION = 'RenameTaskSystemNoteToChecklistItem'
-
def up
- ensure_batched_background_migration_is_finished(
- job_class_name: MIGRATION,
- table_name: :system_note_metadata,
- column_name: :id,
- job_arguments: []
- )
+ # no-op
end
def down
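Review bot: The `# no-op` comment that replaces the body of `up` does not say why a migration that has already shipped was emptied. A maintainer who later finds the `RenameTaskSystemNoteToChecklistItem` background migration unfinished has nothing to follow. Extend the comment along the lines of `# no-op: finalization disabled, see <issue or MR URL>`, with the real reference filled in. The same applies to the `up` and `down` bodies of `RemoveTaskSystemNoteRenameTempIndex` in the next file. Instances that ran the original versions before this change will presumably no longer match the `tmp_index_system_note_metadata_on_id_where_task` line restored in `db/structure.sql`, which is worth stating in that comment too. The `down` method continues outside this hunk.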
diff --git a/db/post_migrate/20220920214524_remove_task_system_note_rename_temp_index.rb b/db/post_migrate/20220920214524_remove_task_system_note_rename_temp_index.rb
index 54277aaa0cc..d3671d24578 100644
--- a/db/post_migrate/20220920214524_remove_task_system_note_rename_temp_index.rb
+++ b/db/post_migrate/20220920214524_remove_task_system_note_rename_temp_index.rb
@@ -1,15 +1,11 @@
# frozen_string_literal: true
class RemoveTaskSystemNoteRenameTempIndex < Gitlab::Database::Migration[2.0]
- disable_ddl_transaction!
-
- INDEX_NAME = 'tmp_index_system_note_metadata_on_id_where_task'
-
def up
- remove_concurrent_index_by_name :system_note_metadata, INDEX_NAME
+ # no-op
end
def down
- add_concurrent_index :system_note_metadata, [:id, :action], where: "action = 'task'", name: INDEX_NAME
+ # no-op
end
end
diff --git a/db/post_migrate/20220923060226_remove_tmp_index_system_note_metadata_on_attention_request_actions.rb b/db/post_migrate/20220923060226_remove_tmp_index_system_note_metadata_on_attention_request_actions.rb
new file mode 100644
index 00000000000..40e8c1cfdb5
--- /dev/null
+++ b/db/post_migrate/20220923060226_remove_tmp_index_system_note_metadata_on_attention_request_actions.rb
@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+class RemoveTmpIndexSystemNoteMetadataOnAttentionRequestActions < Gitlab::Database::Migration[2.0]
+ INDEX_NAME = "tmp_index_system_note_metadata_on_attention_request_actions"
+
+ disable_ddl_transaction!
+
+ def up
+ remove_concurrent_index_by_name :system_note_metadata, INDEX_NAME
+ end
+
+ def down
+ add_concurrent_index :system_note_metadata, [:id],
+ where: "action IN ('attention_requested', 'attention_request_removed')",
+ name: INDEX_NAME
+ end
+end
diff --git a/db/schema_migrations/20220923060226 b/db/schema_migrations/20220923060226
new file mode 100644
index 00000000000..daaf2407607
--- /dev/null
+++ b/db/schema_migrations/20220923060226
@@ -0,0 +1 @@
+19799d51a2b9acc7b1642edebea85ca8a19d2dd8368c4f0814c6c7a4c529ef98 \ No newline at end of file
diff --git a/db/structure.sql b/db/structure.sql
index 5a4b23dee0d..88b767dab77 100644
--- a/db/structure.sql
+++ b/db/structure.sql
@@ -30883,7 +30883,7 @@ CREATE INDEX tmp_index_on_vulnerabilities_non_dismissed ON vulnerabilities USING
CREATE INDEX tmp_index_project_statistics_cont_registry_size ON project_statistics USING btree (project_id) WHERE (container_registry_size = 0);
-CREATE INDEX tmp_index_system_note_metadata_on_attention_request_actions ON system_note_metadata USING btree (id) WHERE ((action)::text = ANY ((ARRAY['attention_requested'::character varying, 'attention_request_removed'::character varying])::text[]));
+CREATE INDEX tmp_index_system_note_metadata_on_id_where_task ON system_note_metadata USING btree (id, action) WHERE ((action)::text = 'task'::text);
CREATE INDEX tmp_index_vulnerability_occurrences_on_id_and_scanner_id ON vulnerability_occurrences USING btree (id, scanner_id) WHERE (report_type = ANY (ARRAY[7, 99]));
diff --git a/doc/administration/clusters/kas.md b/doc/administration/clusters/kas.md
index 1c8e3240c22..d7e1c9af1de 100644
--- a/doc/administration/clusters/kas.md
+++ b/doc/administration/clusters/kas.md
@@ -28,9 +28,13 @@ Or, you can [use an external agent server](#use-an-external-installation).
### For Omnibus
-For [Omnibus](https://docs.gitlab.com/omnibus/) package installations:
+You can enable the agent server for [Omnibus](https://docs.gitlab.com/omnibus/) package installations on a single node, or on multiple nodes at once.
-1. To enable the agent server, edit `/etc/gitlab/gitlab.rb`:
+#### Enable on a single node
+
+To enable the agent server on a single node:
+
+1. Edit `/etc/gitlab/gitlab.rb`:
```ruby
gitlab_kas['enable'] = true
@@ -41,6 +45,33 @@ For [Omnibus](https://docs.gitlab.com/omnibus/) package installations:
For additional configuration options, see the **Enable GitLab KAS** section of the
[`gitlab.rb.template`](https://gitlab.com/gitlab-org/omnibus-gitlab/-/blob/master/files/gitlab-config-template/gitlab.rb.template).
+#### Enable on multiple nodes
+
+To enable the agent server on multiple nodes:
+
+1. For each agent server node, edit `/etc/gitlab/gitlab.rb`:
+
+ ```ruby
+ gitlab_kas['enable'] = true
+ gitlab_kas['api_secret_key'] = '<32_bytes_long_base64_encoded_value>'
+ gitlab_kas['private_api_secret_key'] = '<32_bytes_long_base64_encoded_value>'
+ gitlab_kas['private_api_listen_address'] = '0.0.0.0:8155'
+ gitlab_kas['env'] = {
+ 'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/",
+ 'OWN_PRIVATE_API_URL' => 'grpc://<ip_or_hostname_of_this_host>:8155'
+ }
+ ```
+
+ In this configuration:
+
+ - `gitlab_kas['private_api_listen_address']` is the address the agent server listens on. You can set it to `0.0.0.0` or an IP address reachable by other nodes in the cluster.
+ - `OWN_PRIVATE_API_URL` is the environment variable used by the KAS process for service discovery. You can set it to a hostname or IP address of the node you're configuring. The node must be reachable by other nodes in the cluster.
+ - `gitlab_kas['api_secret_key']` is the shared secret used for authentication between KAS and GitLab. This value must be Base64-encoded and exactly 32 bytes long.
+ - `gitlab_kas['private_api_secret_key']` is the shared secret used for authentication between different KAS instances. This value must be Base64-encoded and exactly 32 bytes long.
+
+1. For each application node, follow the steps in: [Use an external installation](../clusters/kas.md#use-an-external-installation).
+1. [Reconfigure GitLab](../restart_gitlab.md#omnibus-gitlab-reconfigure).
+
### For GitLab Helm Chart
For GitLab [Helm Chart](https://docs.gitlab.com/charts/) installations:
diff --git a/doc/user/application_security/dependency_scanning/index.md b/doc/user/application_security/dependency_scanning/index.md
index 3b57abecc51..67c138f5573 100644
--- a/doc/user/application_security/dependency_scanning/index.md
+++ b/doc/user/application_security/dependency_scanning/index.md
@@ -1269,6 +1269,6 @@ gemnasium-python-dependency_scanning:
- apt-get update && apt-get install -y libpq-dev
```
-### Error: Project has <number> unresolved dependencies
+### Error: Project has `<number>` unresolved dependencies
The error message `Project has <number> unresolved dependencies` indicates a dependency resolution problem caused by your `gradle.build` or `gradle.build.kts` file. In the current release, `gemnasium-maven` cannot continue processing when an unresolved dependency is encountered. However, There is an [open issue](https://gitlab.com/gitlab-org/gitlab/-/issues/337083) to allow `gemnasium-maven` to recover from unresolved dependency errors and produce a dependency graph. Until this issue has been resolved, you'll need to consult the [Gradle dependency resolution docs](https://docs.gradle.org/current/userguide/dependency_resolution.html) for details on how to fix your `gradle.build` file.
diff --git a/lib/gitlab/ci/templates/Security/API-Fuzzing.latest.gitlab-ci.yml b/lib/gitlab/ci/templates/Security/API-Fuzzing.latest.gitlab-ci.yml
index 8d6c191edc4..f12efa1db34 100644
--- a/lib/gitlab/ci/templates/Security/API-Fuzzing.latest.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Security/API-Fuzzing.latest.gitlab-ci.yml
@@ -40,6 +40,19 @@ apifuzzer_fuzz:
- if: $API_FUZZING_DISABLED_FOR_DEFAULT_BRANCH &&
$CI_DEFAULT_BRANCH == $CI_COMMIT_REF_NAME
when: never
+
+ # Add the job to merge request pipelines if there's an open merge request.
+ - if: $CI_PIPELINE_SOURCE == "merge_request_event" &&
+ $CI_GITLAB_FIPS_MODE == "true"
+ variables:
+ DAST_API_IMAGE_SUFFIX: "-fips"
+ - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+
+ # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
+ - if: $CI_OPEN_MERGE_REQUESTS
+ when: never
+
+ # Add the job to branch pipelines.
- if: $CI_COMMIT_BRANCH &&
$CI_GITLAB_FIPS_MODE == "true"
variables:
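Review bot: The new merge-request FIPS rule in `apifuzzer_fuzz` sets `DAST_API_IMAGE_SUFFIX: "-fips"`, which looks carried over from the DAST API template. If the image reference in this file is built from a differently named suffix variable, the merge-request job would silently run the non-FIPS image on a FIPS-mode instance. The variable the image actually reads, and the one set by the existing branch rule that follows, are outside this hunk, so please confirm they use the same name. A pipeline spec that asserts the resolved image under `CI_GITLAB_FIPS_MODE == "true"` for merge request pipelines would catch a mismatch.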
@@ -55,5 +68,3 @@ apifuzzer_fuzz:
- gl-*.log
reports:
api_fuzzing: gl-api-fuzzing-report.json
-
-# end
diff --git a/lib/gitlab/ci/templates/Security/Coverage-Fuzzing.latest.gitlab-ci.yml b/lib/gitlab/ci/templates/Security/Coverage-Fuzzing.latest.gitlab-ci.yml
new file mode 100644
index 00000000000..76a85d461f7
--- /dev/null
+++ b/lib/gitlab/ci/templates/Security/Coverage-Fuzzing.latest.gitlab-ci.yml
@@ -0,0 +1,64 @@
+# To contribute improvements to CI/CD templates, please follow the Development guide at:
+# https://docs.gitlab.com/ee/development/cicd/templates.html
+# This specific template is located at:
+# https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/Coverage-Fuzzing.gitlab-ci.yml
+
+# Read more about this feature https://docs.gitlab.com/ee/user/application_security/coverage_fuzzing
+#
+# Configure coverage fuzzing with CI/CD variables (https://docs.gitlab.com/ee/ci/variables/index.html).
+# List of available variables: https://docs.gitlab.com/ee/user/application_security/coverage_fuzzing/#available-cicd-variables
+
+variables:
+ # Which branch we want to run full fledged long running fuzzing jobs.
+ # All others will run fuzzing regression
+ COVFUZZ_BRANCH: "$CI_DEFAULT_BRANCH"
+ # This is using semantic version and will always download latest v3 gitlab-cov-fuzz release
+ COVFUZZ_VERSION: v3
+ # This is for users who have an offline environment and will have to replicate gitlab-cov-fuzz release binaries
+ # to their own servers
+ COVFUZZ_URL_PREFIX: "https://gitlab.com/gitlab-org/security-products/analyzers/gitlab-cov-fuzz/-/raw"
+
+
+coverage_fuzzing_unlicensed:
+ stage: .pre
+ allow_failure: true
+ rules:
+ - if: $GITLAB_FEATURES !~ /\bcoverage_fuzzing\b/ && $COVFUZZ_DISABLED == null
+ script:
+ - echo "ERROR Your GitLab project is missing licensing for Coverage Fuzzing" && exit 1
+
+.fuzz_base:
+ stage: fuzz
+ allow_failure: true
+ before_script:
+ - export COVFUZZ_JOB_TOKEN=$CI_JOB_TOKEN
+ - export COVFUZZ_PRIVATE_TOKEN=$CI_PRIVATE_TOKEN
+ - export COVFUZZ_PROJECT_PATH=$CI_PROJECT_PATH
+ - export COVFUZZ_PROJECT_ID=$CI_PROJECT_ID
+ - if [ -x "$(command -v apt-get)" ] ; then apt-get update && apt-get install -y wget; fi
+ - wget -O gitlab-cov-fuzz "${COVFUZZ_URL_PREFIX}"/"${COVFUZZ_VERSION}"/binaries/gitlab-cov-fuzz_Linux_x86_64
+ - chmod a+x gitlab-cov-fuzz
+ - export REGRESSION=true
+ - if [[ $CI_COMMIT_BRANCH = $COVFUZZ_BRANCH ]]; then REGRESSION=false; fi;
+ artifacts:
+ paths:
+ - corpus
+ - crashes
+ - gl-coverage-fuzzing-report.json
+ reports:
+ coverage_fuzzing: gl-coverage-fuzzing-report.json
+ when: always
+ rules:
+ - if: $COVFUZZ_DISABLED
+ when: never
+
+ # Add the job to merge request pipelines if there's an open merge request.
+ - if: $CI_PIPELINE_SOURCE == "merge_request_event" &&
+ $GITLAB_FEATURES =~ /\bcoverage_fuzzing\b/
+
+ # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
+ - if: $CI_OPEN_MERGE_REQUESTS
+ when: never
+
+ # Add the job to branch pipelines.
+ - if: $CI_COMMIT_BRANCH && $GITLAB_FEATURES =~ /\bcoverage_fuzzing\b/
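Review bot: The `wget` step in `.fuzz_base`'s `before_script` downloads `gitlab-cov-fuzz` from the moving `v3` ref under `COVFUZZ_URL_PREFIX`, and the next line marks it executable with no integrity check in between. By that point `COVFUZZ_JOB_TOKEN` and `COVFUZZ_PRIVATE_TOKEN` are already exported into the job environment, and the new `merge_request_event` rule means this now runs on merge request pipelines as well. Consider verifying the download before `chmod`, for example `- echo "<expected_sha256>  gitlab-cov-fuzz" | sha256sum -c -` with the digest as a placeholder to be published per release. At minimum, add a comment saying that whoever overrides `COVFUZZ_URL_PREFIX` for an offline mirror is trusting that host with the job's tokens. Separately, the header comment gives this template's location as `.../Security/Coverage-Fuzzing.gitlab-ci.yml`, which is the stable file rather than this `.latest` one.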
diff --git a/lib/gitlab/ci/templates/Security/DAST-API.latest.gitlab-ci.yml b/lib/gitlab/ci/templates/Security/DAST-API.latest.gitlab-ci.yml
index 8aabf20c5df..a28914d082f 100644
--- a/lib/gitlab/ci/templates/Security/DAST-API.latest.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Security/DAST-API.latest.gitlab-ci.yml
@@ -40,6 +40,19 @@ dast_api:
- if: $DAST_API_DISABLED_FOR_DEFAULT_BRANCH &&
$CI_DEFAULT_BRANCH == $CI_COMMIT_REF_NAME
when: never
+
+ # Add the job to merge request pipelines if there's an open merge request.
+ - if: $CI_PIPELINE_SOURCE == "merge_request_event" &&
+ $CI_GITLAB_FIPS_MODE == "true"
+ variables:
+ DAST_API_IMAGE_SUFFIX: "-fips"
+ - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+
+ # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
+ - if: $CI_OPEN_MERGE_REQUESTS
+ when: never
+
+ # Add the job to branch pipelines.
- if: $CI_COMMIT_BRANCH &&
$CI_GITLAB_FIPS_MODE == "true"
variables:
diff --git a/lib/gitlab/ci/templates/Security/DAST.latest.gitlab-ci.yml b/lib/gitlab/ci/templates/Security/DAST.latest.gitlab-ci.yml
index 9d3b1f4316e..50e9bb5431d 100644
--- a/lib/gitlab/ci/templates/Security/DAST.latest.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Security/DAST.latest.gitlab-ci.yml
@@ -52,6 +52,19 @@ dast:
- if: $CI_DEFAULT_BRANCH != $CI_COMMIT_REF_NAME &&
$REVIEW_DISABLED
when: never
+
+ # Add the job to merge request pipelines if there's an open merge request.
+ - if: $CI_PIPELINE_SOURCE == "merge_request_event" &&
+ ($CI_KUBERNETES_ACTIVE || $KUBECONFIG) &&
+ $GITLAB_FEATURES =~ /\bdast\b/
+ - if: $CI_PIPELINE_SOURCE == "merge_request_event" &&
+ $GITLAB_FEATURES =~ /\bdast\b/
+
+ # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
+ - if: $CI_OPEN_MERGE_REQUESTS
+ when: never
+
+ # Add the job to branch pipelines.
- if: $CI_COMMIT_BRANCH &&
($CI_KUBERNETES_ACTIVE || $KUBECONFIG) &&
$GITLAB_FEATURES =~ /\bdast\b/
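Review bot: The first of the two added merge-request rules, the one with `($CI_KUBERNETES_ACTIVE || $KUBECONFIG)`, is fully covered by the second. Both require `merge_request_event` and the `dast` feature, and neither sets `variables` or `when` within this hunk, so the Kubernetes condition never changes the outcome. Either drop the first rule or add a comment explaining why the pair is kept, for example `# kept parallel to the branch rules below`. The branch rules continue outside this hunk, so if they attach something to the Kubernetes case, the merge-request pair should mirror it explicitly.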
diff --git a/lib/gitlab/usage_data_counters/known_events/ci_templates.yml b/lib/gitlab/usage_data_counters/known_events/ci_templates.yml
index 10e36a75a3a..80aab929373 100644
--- a/lib/gitlab/usage_data_counters/known_events/ci_templates.yml
+++ b/lib/gitlab/usage_data_counters/known_events/ci_templates.yml
@@ -99,6 +99,10 @@
category: ci_templates
redis_slot: ci_templates
aggregation: weekly
+- name: p_ci_templates_security_coverage_fuzzing_latest
+ category: ci_templates
+ redis_slot: ci_templates
+ aggregation: weekly
- name: p_ci_templates_security_dast_on_demand_api_scan
category: ci_templates
redis_slot: ci_templates
@@ -619,6 +623,10 @@
category: ci_templates
redis_slot: ci_templates
aggregation: weekly
+- name: p_ci_templates_implicit_security_coverage_fuzzing_latest
+ category: ci_templates
+ redis_slot: ci_templates
+ aggregation: weekly
- name: p_ci_templates_implicit_security_dast_on_demand_api_scan
category: ci_templates
redis_slot: ci_templates
diff --git a/spec/support/shared_examples/lib/gitlab/template/template_shared_examples.rb b/spec/support/shared_examples/lib/gitlab/template/template_shared_examples.rb
index 6b6e25ca1dd..4b4a7f4ce9d 100644
--- a/spec/support/shared_examples/lib/gitlab/template/template_shared_examples.rb
+++ b/spec/support/shared_examples/lib/gitlab/template/template_shared_examples.rb
@@ -47,3 +47,47 @@ RSpec.shared_examples 'file template shared examples' do |filename, file_extensi
end
end
end
+
+RSpec.shared_examples 'acts as branch pipeline' do |jobs|
+ context 'when branch pipeline' do
+ let(:pipeline_branch) { default_branch }
+ let(:service) { Ci::CreatePipelineService.new(project, user, ref: pipeline_branch) }
+ let(:pipeline) { service.execute!(:push).payload }
+
+ it 'includes a job' do
+ expect(pipeline.builds.pluck(:name)).to match_array(jobs)
+ end
+ end
+end
+
+RSpec.shared_examples 'acts as MR pipeline' do |jobs, files|
+ context 'when MR pipeline' do
+ let(:pipeline_branch) { 'patch-1' }
+ let(:service) { MergeRequests::CreatePipelineService.new(project: project, current_user: user) }
+ let(:pipeline) { service.execute(merge_request).payload }
+
+ let(:merge_request) do
+ create(:merge_request,
+ source_project: project,
+ source_branch: pipeline_branch,
+ target_project: project,
+ target_branch: default_branch)
+ end
+
+ before do
+ files.each do |filename, contents|
+ project.repository.create_file(
+ project.creator,
+ filename,
+ contents,
+ message: "Add #{filename}",
+ branch_name: pipeline_branch)
+ end
+ end
+
+ it 'includes a job' do
+ expect(pipeline).to be_merge_request_event
+ expect(pipeline.builds.pluck(:name)).to match_array(jobs)
+ end
+ end
+end
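Review bot: Both new shared examples depend on `project`, `user` and `default_branch` being defined by the including spec, but nothing in the file documents that. Add a short comment above each `RSpec.shared_examples` line listing the required `let`s and the expected shape of `jobs` (array of job names) and `files` (hash of filename to contents). In 'acts as MR pipeline' the `before` block calls `files.each` unconditionally, so a caller that passes only `jobs` fails with a `NoMethodError` on `nil`. Declaring the block as `do |jobs, files = {}|` would avoid that. The example title `'includes a job'` is also used in both groups although the assertion checks the exact job list; something like `'creates exactly the expected jobs'` would read better in failure output.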