path: root/lib/gitlab/ci/templates
authorGitLab Bot <gitlab-bot@gitlab.com>2022-04-20 10:00:54 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2022-04-20 10:00:54 +0000
commit3cccd102ba543e02725d247893729e5c73b38295 (patch)
treef36a04ec38517f5deaaacb5acc7d949688d1e187 /lib/gitlab/ci/templates
parent205943281328046ef7b4528031b90fbda70c75ac (diff)
Add latest changes from gitlab-org/gitlab@14-10-stable-eev14.10.0-rc42
Diffstat (limited to 'lib/gitlab/ci/templates')
-rw-r--r--lib/gitlab/ci/templates/C++.gitlab-ci.yml2
-rw-r--r--lib/gitlab/ci/templates/Go.gitlab-ci.yml20
-rw-r--r--lib/gitlab/ci/templates/Jobs/DAST-Default-Branch-Deploy.gitlab-ci.yml2
-rw-r--r--lib/gitlab/ci/templates/Jobs/Dependency-Scanning.gitlab-ci.yml45
-rw-r--r--lib/gitlab/ci/templates/Jobs/Deploy.gitlab-ci.yml2
-rw-r--r--lib/gitlab/ci/templates/Jobs/Deploy.latest.gitlab-ci.yml2
-rw-r--r--lib/gitlab/ci/templates/Jobs/SAST-IaC.latest.gitlab-ci.yml9
-rw-r--r--lib/gitlab/ci/templates/Jobs/SAST.gitlab-ci.yml9
-rw-r--r--lib/gitlab/ci/templates/Jobs/Secret-Detection.gitlab-ci.yml13
-rw-r--r--lib/gitlab/ci/templates/MATLAB.gitlab-ci.yml96
-rw-r--r--lib/gitlab/ci/templates/Python.gitlab-ci.yml2
-rw-r--r--lib/gitlab/ci/templates/Security/API-Fuzzing.latest.gitlab-ci.yml27
-rw-r--r--lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml8
-rw-r--r--lib/gitlab/ci/templates/Security/DAST-API.latest.gitlab-ci.yml9
-rw-r--r--lib/gitlab/ci/templates/ThemeKit.gitlab-ci.yml27
-rw-r--r--lib/gitlab/ci/templates/liquibase.gitlab-ci.yml149
16 files changed, 354 insertions, 68 deletions
diff --git a/lib/gitlab/ci/templates/C++.gitlab-ci.yml b/lib/gitlab/ci/templates/C++.gitlab-ci.yml
index bdcd3240380..c078c99f352 100644
--- a/lib/gitlab/ci/templates/C++.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/C++.gitlab-ci.yml
@@ -4,7 +4,7 @@
# https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/C++.gitlab-ci.yml
# use the official gcc image, based on debian
-# can use verions as well, like gcc:5.2
+# can use versions as well, like gcc:5.2
# see https://hub.docker.com/_/gcc/
image: gcc
diff --git a/lib/gitlab/ci/templates/Go.gitlab-ci.yml b/lib/gitlab/ci/templates/Go.gitlab-ci.yml
index 19e4ffdbe1e..bd8e1020c4e 100644
--- a/lib/gitlab/ci/templates/Go.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Go.gitlab-ci.yml
@@ -5,21 +5,6 @@
image: golang:latest
-variables:
- # Please edit to your GitLab project
- REPO_NAME: gitlab.com/namespace/project
-
-# The problem is that to be able to use go get, one needs to put
-# the repository in the $GOPATH. So for example if your gitlab domain
-# is gitlab.com, and that your repository is namespace/project, and
-# the default GOPATH being /go, then you'd need to have your
-# repository in /go/src/gitlab.com/namespace/project
-# Thus, making a symbolic link corrects this.
-before_script:
- - mkdir -p "$GOPATH/src/$(dirname $REPO_NAME)"
- - ln -svf "$CI_PROJECT_DIR" "$GOPATH/src/$REPO_NAME"
- - cd "$GOPATH/src/$REPO_NAME"
-
stages:
- test
- build
@@ -35,7 +20,8 @@ format:
compile:
stage: build
script:
- - go build -race -ldflags "-extldflags '-static'" -o $CI_PROJECT_DIR/mybinary
+ - mkdir -p mybinaries
+ - go build -o mybinaries ./...
artifacts:
paths:
- - mybinary
+ - mybinaries
diff --git a/lib/gitlab/ci/templates/Jobs/DAST-Default-Branch-Deploy.gitlab-ci.yml b/lib/gitlab/ci/templates/Jobs/DAST-Default-Branch-Deploy.gitlab-ci.yml
index cc204207f84..0cc5090f85e 100644
--- a/lib/gitlab/ci/templates/Jobs/DAST-Default-Branch-Deploy.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Jobs/DAST-Default-Branch-Deploy.gitlab-ci.yml
@@ -1,5 +1,5 @@
variables:
- DAST_AUTO_DEPLOY_IMAGE_VERSION: 'v2.22.0'
+ DAST_AUTO_DEPLOY_IMAGE_VERSION: 'v2.23.0'
.dast-auto-deploy:
image: "registry.gitlab.com/gitlab-org/cluster-integration/auto-deploy-image:${DAST_AUTO_DEPLOY_IMAGE_VERSION}"
diff --git a/lib/gitlab/ci/templates/Jobs/Dependency-Scanning.gitlab-ci.yml b/lib/gitlab/ci/templates/Jobs/Dependency-Scanning.gitlab-ci.yml
index 1a99db67441..d41182ec9be 100644
--- a/lib/gitlab/ci/templates/Jobs/Dependency-Scanning.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Jobs/Dependency-Scanning.gitlab-ci.yml
@@ -32,6 +32,16 @@ dependency_scanning:
.ds-analyzer:
extends: dependency_scanning
allow_failure: true
+ variables:
+ # DS_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
+ # override the analyzer image with a custom value. This may be subject to change or
+ # breakage across GitLab releases.
+ DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/$DS_ANALYZER_NAME:$DS_MAJOR_VERSION"
+ # DS_ANALYZER_NAME is an undocumented variable used in job definitions
+ # to inject the analyzer name in the image name.
+ DS_ANALYZER_NAME: ""
+ image:
+ name: "$DS_ANALYZER_IMAGE$DS_IMAGE_SUFFIX"
# `rules` must be overridden explicitly by each child job
# see https://gitlab.com/gitlab-org/gitlab/-/issues/218444
script:
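Review bot: With `DS_ANALYZER_NAME: ""` as the template default, `.ds-analyzer` on its own expands `DS_ANALYZER_IMAGE` to `$SECURE_ANALYZERS_PREFIX/:$DS_MAJOR_VERSION`, an invalid image reference, so the comment on `DS_ANALYZER_NAME` should state the contract explicitly, e.g. `# DS_ANALYZER_NAME is an undocumented variable used in job definitions to inject the analyzer name in the image name; every job extending .ds-analyzer must set it.` The new `image:name` also appends `$DS_IMAGE_SUFFIX`, whose declaration is not in this hunk; unless the top-level `variables:` block gives it a `""` default, the result depends on how GitLab expands an unset variable inside `image:name`, which is worth confirming. Because the whole reference is now assembled from `SECURE_ANALYZERS_PREFIX`, `DS_ANALYZER_NAME`, `DS_MAJOR_VERSION` and `DS_IMAGE_SUFFIX`, all overridable from project or group CI variables, the existing "allow QA to override" caveat is the right place to also note that a variable owner can redirect every dependency-scanning job to another registry and that `$DS_MAJOR_VERSION` is a floating tag, not a digest. The `.ds-analyzer` definition continues past this hunk.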
@@ -46,13 +56,8 @@ gemnasium-dependency_scanning:
extends:
- .ds-analyzer
- .cyclone-dx-reports
- image:
- name: "$DS_ANALYZER_IMAGE"
variables:
- # DS_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
- # override the analyzer image with a custom value. This may be subject to change or
- # breakage across GitLab releases.
- DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/gemnasium:$DS_MAJOR_VERSION"
+ DS_ANALYZER_NAME: "gemnasium"
GEMNASIUM_LIBRARY_SCAN_ENABLED: "true"
rules:
- if: $DEPENDENCY_SCANNING_DISABLED
@@ -77,13 +82,8 @@ gemnasium-maven-dependency_scanning:
extends:
- .ds-analyzer
- .cyclone-dx-reports
- image:
- name: "$DS_ANALYZER_IMAGE"
variables:
- # DS_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
- # override the analyzer image with a custom value. This may be subject to change or
- # breakage across GitLab releases.
- DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/gemnasium-maven:$DS_MAJOR_VERSION"
+ DS_ANALYZER_NAME: "gemnasium-maven"
# Stop reporting Gradle as "maven".
# See https://gitlab.com/gitlab-org/gitlab/-/issues/338252
DS_REPORT_PACKAGE_MANAGER_MAVEN_WHEN_JAVA: "false"
@@ -105,13 +105,8 @@ gemnasium-python-dependency_scanning:
extends:
- .ds-analyzer
- .cyclone-dx-reports
- image:
- name: "$DS_ANALYZER_IMAGE"
variables:
- # DS_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
- # override the analyzer image with a custom value. This may be subject to change or
- # breakage across GitLab releases.
- DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/gemnasium-python:$DS_MAJOR_VERSION"
+ DS_ANALYZER_NAME: "gemnasium-python"
# Stop reporting Pipenv and Setuptools as "pip".
# See https://gitlab.com/gitlab-org/gitlab/-/issues/338252
DS_REPORT_PACKAGE_MANAGER_PIP_WHEN_PYTHON: "false"
@@ -138,13 +133,8 @@ gemnasium-python-dependency_scanning:
bundler-audit-dependency_scanning:
extends: .ds-analyzer
- image:
- name: "$DS_ANALYZER_IMAGE"
variables:
- # DS_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
- # override the analyzer image with a custom value. This may be subject to change or
- # breakage across GitLab releases.
- DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/bundler-audit:$DS_MAJOR_VERSION"
+ DS_ANALYZER_NAME: "bundler-audit"
rules:
- if: $DEPENDENCY_SCANNING_DISABLED
when: never
@@ -158,13 +148,8 @@ bundler-audit-dependency_scanning:
retire-js-dependency_scanning:
extends: .ds-analyzer
- image:
- name: "$DS_ANALYZER_IMAGE"
variables:
- # DS_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
- # override the analyzer image with a custom value. This may be subject to change or
- # breakage across GitLab releases.
- DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/retire.js:$DS_MAJOR_VERSION"
+ DS_ANALYZER_NAME: "retire.js"
rules:
- if: $DEPENDENCY_SCANNING_DISABLED
when: never
diff --git a/lib/gitlab/ci/templates/Jobs/Deploy.gitlab-ci.yml b/lib/gitlab/ci/templates/Jobs/Deploy.gitlab-ci.yml
index bc4f2099d94..89eb91c981f 100644
--- a/lib/gitlab/ci/templates/Jobs/Deploy.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Jobs/Deploy.gitlab-ci.yml
@@ -1,5 +1,5 @@
variables:
- AUTO_DEPLOY_IMAGE_VERSION: 'v2.22.0'
+ AUTO_DEPLOY_IMAGE_VERSION: 'v2.23.0'
.auto-deploy:
image: "registry.gitlab.com/gitlab-org/cluster-integration/auto-deploy-image:${AUTO_DEPLOY_IMAGE_VERSION}"
diff --git a/lib/gitlab/ci/templates/Jobs/Deploy.latest.gitlab-ci.yml b/lib/gitlab/ci/templates/Jobs/Deploy.latest.gitlab-ci.yml
index ce584091eab..78f28b59aa5 100644
--- a/lib/gitlab/ci/templates/Jobs/Deploy.latest.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Jobs/Deploy.latest.gitlab-ci.yml
@@ -1,5 +1,5 @@
variables:
- AUTO_DEPLOY_IMAGE_VERSION: 'v2.22.0'
+ AUTO_DEPLOY_IMAGE_VERSION: 'v2.23.0'
.auto-deploy:
image: "registry.gitlab.com/gitlab-org/cluster-integration/auto-deploy-image:${AUTO_DEPLOY_IMAGE_VERSION}"
diff --git a/lib/gitlab/ci/templates/Jobs/SAST-IaC.latest.gitlab-ci.yml b/lib/gitlab/ci/templates/Jobs/SAST-IaC.latest.gitlab-ci.yml
index 5ddfb2a54be..488e7ec72fd 100644
--- a/lib/gitlab/ci/templates/Jobs/SAST-IaC.latest.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Jobs/SAST-IaC.latest.gitlab-ci.yml
@@ -1,7 +1,14 @@
+# Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/iac_scanning/
+#
+# Configure SAST with CI/CD variables (https://docs.gitlab.com/ee/ci/variables/index.html).
+# List of available variables: https://docs.gitlab.com/ee/user/application_security/iac_scanning/index.html
+
variables:
# Setting this variable will affect all Security templates
# (SAST, Dependency Scanning, ...)
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
+ SAST_IMAGE_SUFFIX: ""
+
SAST_EXCLUDED_PATHS: "spec, test, tests, tmp"
iac-sast:
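Review bot: The new header comment says `Configure SAST with CI/CD variables` although this file is the IaC scanning template, and the two documentation links resolve to the same iac_scanning page, once with and once without `index.html`. I would write `# Configure IaC Scanning with CI/CD variables (https://docs.gitlab.com/ee/ci/variables/index.html).` and, if the page has a variables section, point the `List of available variables` link at that anchor instead of repeating the page URL. `SAST_IMAGE_SUFFIX: ""` is declared here, but no rule in this file's hunks sets it to `-fips` the way the API-Fuzzing and DAST-API templates in this commit do, so a one-line comment saying who is expected to set it (the instance, a rule elsewhere, or the user) would help the next reader.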
@@ -25,7 +32,7 @@ kics-iac-sast:
name: "$SAST_ANALYZER_IMAGE"
variables:
SAST_ANALYZER_IMAGE_TAG: 1
- SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/kics:$SAST_ANALYZER_IMAGE_TAG"
+ SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/kics:$SAST_ANALYZER_IMAGE_TAG$SAST_IMAGE_SUFFIX"
rules:
- if: $SAST_DISABLED
when: never
diff --git a/lib/gitlab/ci/templates/Jobs/SAST.gitlab-ci.yml b/lib/gitlab/ci/templates/Jobs/SAST.gitlab-ci.yml
index 8cc9ea0200c..7415fa3104c 100644
--- a/lib/gitlab/ci/templates/Jobs/SAST.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Jobs/SAST.gitlab-ci.yml
@@ -7,6 +7,7 @@ variables:
# Setting this variable will affect all Security templates
# (SAST, Dependency Scanning, ...)
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
+ SAST_IMAGE_SUFFIX: ""
SAST_EXCLUDED_ANALYZERS: ""
SAST_EXCLUDED_PATHS: "spec, test, tests, tmp"
@@ -101,7 +102,11 @@ flawfinder-sast:
- if: $CI_COMMIT_BRANCH
exists:
- '**/*.c'
+ - '**/*.cc'
- '**/*.cpp'
+ - '**/*.c++'
+ - '**/*.cp'
+ - '**/*.cxx'
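Review bot: The expanded `exists:` list for flawfinder-sast now covers the C++ source-file spellings but still no header extensions, so a header-only or template-heavy repository never triggers the job even though flawfinder's default file filter, as far as I recall, includes `.h`, `.hpp` and `.hh`. Adding `- '**/*.h'`, `- '**/*.hpp'` and `- '**/*.hh'` would close that gap, or, if headers are deliberately excluded to avoid false positives, a comment on the rule saying so would stop the next contributor from re-adding them. The `flawfinder-sast` job starts before this hunk.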
kubesec-sast:
extends: .sast-analyzer
@@ -246,8 +251,9 @@ semgrep-sast:
image:
name: "$SAST_ANALYZER_IMAGE"
variables:
+ SEARCH_MAX_DEPTH: 20
SAST_ANALYZER_IMAGE_TAG: 2
- SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/semgrep:$SAST_ANALYZER_IMAGE_TAG"
+ SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/semgrep:$SAST_ANALYZER_IMAGE_TAG$SAST_IMAGE_SUFFIX"
rules:
- if: $SAST_DISABLED
when: never
@@ -262,6 +268,7 @@ semgrep-sast:
- '**/*.tsx'
- '**/*.c'
- '**/*.go'
+ - '**/*.java'
sobelow-sast:
extends: .sast-analyzer
diff --git a/lib/gitlab/ci/templates/Jobs/Secret-Detection.gitlab-ci.yml b/lib/gitlab/ci/templates/Jobs/Secret-Detection.gitlab-ci.yml
index 0ef6f63bb94..6aacd082fd7 100644
--- a/lib/gitlab/ci/templates/Jobs/Secret-Detection.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Jobs/Secret-Detection.gitlab-ci.yml
@@ -6,12 +6,14 @@
variables:
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
+ SECRET_DETECTION_IMAGE_SUFFIX: ""
+
SECRETS_ANALYZER_VERSION: "3"
SECRET_DETECTION_EXCLUDED_PATHS: ""
.secret-analyzer:
stage: test
- image: "$SECURE_ANALYZERS_PREFIX/secrets:$SECRETS_ANALYZER_VERSION"
+ image: "$SECURE_ANALYZERS_PREFIX/secrets:$SECRETS_ANALYZER_VERSION$SECRET_DETECTION_IMAGE_SUFFIX"
services: []
allow_failure: true
variables:
@@ -31,14 +33,7 @@ secret_detection:
script:
- if [ -n "$CI_COMMIT_TAG" ]; then echo "Skipping Secret Detection for tags. No code changes have occurred."; exit 0; fi
# Historic scan
- - |
- if [ "$SECRET_DETECTION_HISTORIC_SCAN" == "true" ]
- then
- echo "historic scan"
- git fetch --unshallow origin $CI_COMMIT_REF_NAME
- /analyzer run
- exit
- fi
+ - if [ "$SECRET_DETECTION_HISTORIC_SCAN" == "true" ]; then echo "Running Secret Detection Historic Scan"; /analyzer run; exit; fi
# Default branch scan
- if [ "$CI_COMMIT_BRANCH" == "$CI_DEFAULT_BRANCH" ]; then echo "Running Secret Detection on default branch."; /analyzer run; exit; fi
# Push event
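Review bot: The historic-scan branch no longer runs `git fetch --unshallow origin $CI_COMMIT_REF_NAME` before `/analyzer run`, yet the job still inherits GitLab's default shallow clone, so unless the `secrets:3` analyzer now unshallows the repository itself, `SECRET_DETECTION_HISTORIC_SCAN` silently scans only the fetched depth instead of full history and secrets committed earlier go unreported. Either keep the fetch in the one-liner, `if [ "$SECRET_DETECTION_HISTORIC_SCAN" == "true" ]; then echo "Running Secret Detection Historic Scan"; git fetch --unshallow origin $CI_COMMIT_REF_NAME; /analyzer run; exit; fi`, or set `GIT_DEPTH: 0` on this job, or add a comment stating that the analyzer performs the unshallow so nobody re-adds it. The `secret_detection` job's `script:` continues past this hunk.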
diff --git a/lib/gitlab/ci/templates/MATLAB.gitlab-ci.yml b/lib/gitlab/ci/templates/MATLAB.gitlab-ci.yml
new file mode 100644
index 00000000000..67c69115948
--- /dev/null
+++ b/lib/gitlab/ci/templates/MATLAB.gitlab-ci.yml
@@ -0,0 +1,96 @@
+# To contribute improvements to CI/CD templates, please follow the Development guide at:
+# https://docs.gitlab.com/ee/development/cicd/templates.html
+# This specific template is located at:
+# https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/MATLAB.gitlab-ci.yml
+
+# Use this template to run MATLAB and Simulink as part of your CI/CD pipeline. The template has three jobs:
+# - `command`: Run MATLAB scripts, functions, and statements.
+# - `test`: Run tests authored using the MATLAB unit testing framework or Simulink Test.
+# - `test_artifacts_job`: Run MATLAB and Simulink tests, and generate test and coverage artifacts.
+#
+# You can copy and paste one or more jobs in this template into your `.gitlab-ci.yml` file.
+# You should not add this template to an existing `.gitlab-ci.yml` file by using the `include:` keyword.
+#
+# - To run MATLAB and Simulink, MATLAB must be installed on the runner that will run the jobs.
+# The runner will use the topmost MATLAB version on the system path.
+# The build fails if the operating system cannot find MATLAB on the path.
+# - The jobs in this template use the `matlab -batch` syntax to start MATLAB. The `-batch` option is supported
+# in MATLAB R2019a and later.
+
+# The `command` runs MATLAB scripts, functions, and statements. To use the job in your pipeline,
+# substitute `command` with the code you want to run.
+#
+command:
+ script: matlab -batch command
+
+# If the value of `command` is the name of a MATLAB script or function, do not specify the file extension.
+# For example, to run a script named `myscript.m` in the root of your repository, specify the `command` like this:
+#
+# "myscript"
+#
+# If you specify more than one script, function, or statement, use a comma or semicolon to separate them.
+# For example, to run `myscript.m` in a folder named `myfolder` located in the root of the repository,
+# you can specify the `command` like this:
+#
+# "addpath('myfolder'), myscript"
+#
+# MATLAB exits with exit code 0 if the specified script, function, or statement executes successfully without
+# error. Otherwise, MATLAB terminates with a nonzero exit code, which causes the job to fail. To have the
+# job fail in certain conditions, use the [`assert`][1] or [`error`][2] functions.
+#
+# [1] https://www.mathworks.com/help/matlab/ref/assert.html
+# [2] https://www.mathworks.com/help/matlab/ref/error.html
+
+# The `test` runs the MATLAB and Simulink tests in your project. It calls the [`runtests`][3] function
+# to run the tests and then the [`assertSuccess`][4] method to fail the job if any of the tests fail.
+#
+test:
+ script: matlab -batch "results = runtests('IncludeSubfolders',true), assertSuccess(results);"
+
+# By default, the job includes any files in your [MATLAB Project][5] that have a `Test` label. If your repository
+# does not have a MATLAB project, then the job includes all tests in the root of your repository or in any of
+# its subfolders.
+#
+# [3] https://www.mathworks.com/help/matlab/ref/runtests.html
+# [4] https://www.mathworks.com/help/matlab/ref/matlab.unittest.testresult.assertsuccess.html
+# [5] https://www.mathworks.com/help/matlab/projects.html
+
+# The `test_artifacts_job` runs your tests and additionally generates test and coverage artifacts.
+# It uses the plugin classes in the [`matlab.unittest.plugins`][6] package to generate a JUnit test results
+# report and a Cobertura code coverage report. Like the `run_tests` job, this job runs all the tests in your
+# project and fails the build if any of the tests fail.
+#
+test_artifacts_job:
+ script: |
+ matlab -batch "
+ import matlab.unittest.TestRunner
+ import matlab.unittest.Verbosity
+ import matlab.unittest.plugins.CodeCoveragePlugin
+ import matlab.unittest.plugins.XMLPlugin
+ import matlab.unittest.plugins.codecoverage.CoberturaFormat
+
+ suite = testsuite(pwd,'IncludeSubfolders',true);
+
+ [~,~] = mkdir('artifacts');
+
+ runner = TestRunner.withTextOutput('OutputDetail',Verbosity.Detailed);
+ runner.addPlugin(XMLPlugin.producingJUnitFormat('artifacts/results.xml'))
+ runner.addPlugin(CodeCoveragePlugin.forFolder(pwd,'IncludingSubfolders',true, ...
+ 'Producing',CoberturaFormat('artifacts/cobertura.xml')))
+
+ results = runner.run(suite)
+ assertSuccess(results);"
+
+ artifacts:
+ reports:
+ junit: "./artifacts/results.xml"
+ cobertura: "./artifacts/cobertura.xml"
+ paths:
+ - "./artifacts"
+
+# You can modify the contents of the `test_artifacts_job` depending on your goals. For more
+# information on how to customize the test runner and generate various test and coverage artifacts,
+# see [Generate Artifacts Using MATLAB Unit Test Plugins][7].
+#
+# [6] https://www.mathworks.com/help/matlab/ref/matlab.unittest.plugins-package.html
+# [7] https://www.mathworks.com/help/matlab/matlab_prog/generate-artifacts-using-matlab-unit-test-plugins.html
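Review bot: The comment above `test_artifacts_job` says "Like the `run_tests` job", but the job it refers to is named `test` in this template, so the sentence should read "Like the `test` job, this job runs all the tests in your project and fails the build if any of the tests fail." `artifacts:reports:cobertura` is, as I recall, deprecated from GitLab 14.10 in favour of `coverage_report` with `coverage_format: cobertura`, so a template landing in 14.10 should use the new keyword or at least mention the deprecation. The `command` job's `script: matlab -batch command` is a placeholder that fails as written; the prose says to substitute it, but a trailing comment on the line itself, `# replace 'command' with the MATLAB code to run`, makes that obvious to someone who copies only the job.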
diff --git a/lib/gitlab/ci/templates/Python.gitlab-ci.yml b/lib/gitlab/ci/templates/Python.gitlab-ci.yml
index 6ed5e05ed4c..191d5b6b11c 100644
--- a/lib/gitlab/ci/templates/Python.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Python.gitlab-ci.yml
@@ -13,7 +13,7 @@ variables:
PIP_CACHE_DIR: "$CI_PROJECT_DIR/.cache/pip"
# Pip's cache doesn't store the python packages
-# https://pip.pypa.io/en/stable/reference/pip_install/#caching
+# https://pip.pypa.io/en/stable/topics/caching/
#
# If you want to also cache the installed packages, you have to install
# them in a virtualenv and cache it as well.
diff --git a/lib/gitlab/ci/templates/Security/API-Fuzzing.latest.gitlab-ci.yml b/lib/gitlab/ci/templates/Security/API-Fuzzing.latest.gitlab-ci.yml
index bd8ba71effe..b6e811aa84f 100644
--- a/lib/gitlab/ci/templates/Security/API-Fuzzing.latest.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Security/API-Fuzzing.latest.gitlab-ci.yml
@@ -3,19 +3,36 @@
# This specific template is located at:
# https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/API-Fuzzing.latest.gitlab-ci.yml
+# To use this template, add the following to your .gitlab-ci.yml file:
+#
+# include:
+# template: API-Fuzzing.latest.gitlab-ci.yml
+#
+# You also need to add a `fuzz` stage to your `stages:` configuration. A sample configuration for API Fuzzing:
+#
+# stages:
+# - build
+# - test
+# - deploy
+# - fuzz
+
# Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/api_fuzzing/
#
-# Configure API fuzzing with CI/CD variables (https://docs.gitlab.com/ee/ci/variables/index.html).
+# Configure API Fuzzing with CI/CD variables (https://docs.gitlab.com/ee/ci/variables/index.html).
# List of available variables: https://docs.gitlab.com/ee/user/application_security/api_fuzzing/#available-cicd-variables
variables:
- FUZZAPI_VERSION: "1"
+ # Setting this variable affects all Security templates
+ # (SAST, Dependency Scanning, ...)
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
+ #
+ FUZZAPI_VERSION: "1"
+ FUZZAPI_IMAGE_SUFFIX: ""
FUZZAPI_IMAGE: api-fuzzing
apifuzzer_fuzz:
stage: fuzz
- image: $SECURE_ANALYZERS_PREFIX/$FUZZAPI_IMAGE:$FUZZAPI_VERSION
+ image: $SECURE_ANALYZERS_PREFIX/$FUZZAPI_IMAGE:$FUZZAPI_VERSION$FUZZAPI_IMAGE_SUFFIX
allow_failure: true
rules:
- if: $API_FUZZING_DISABLED
@@ -23,6 +40,10 @@ apifuzzer_fuzz:
- if: $API_FUZZING_DISABLED_FOR_DEFAULT_BRANCH &&
$CI_DEFAULT_BRANCH == $CI_COMMIT_REF_NAME
when: never
+ - if: $CI_COMMIT_BRANCH &&
+ $CI_GITLAB_FIPS_MODE == "true"
+ variables:
+ FUZZAPI_IMAGE_SUFFIX: "-fips"
- if: $CI_COMMIT_BRANCH
script:
- /peach/analyzer-fuzz-api
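Review bot: The new FIPS rule appends `-fips` to whatever `$FUZZAPI_VERSION` resolves to with no guard against a version that already carries that suffix, so a project that pins `FUZZAPI_VERSION: "1-fips"` on a FIPS instance ends up pulling `api-fuzzing:1-fips-fips`. The Container-Scanning template in this same commit guards its equivalent rule with `$CS_ANALYZER_IMAGE !~ /-(fips|ubi)\z/`; a matching `$FUZZAPI_VERSION !~ /-fips\z/ &&` clause in this `if:` would keep the two templates consistent. The selected image is still a floating tag, so a short comment noting that `-fips` chooses a variant and does not pin contents would set expectations. The `apifuzzer_fuzz` job starts before this hunk and continues after it.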
diff --git a/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml b/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml
index 65a2b20d5c0..66db311f897 100644
--- a/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml
@@ -25,7 +25,7 @@ variables:
CS_ANALYZER_IMAGE: registry.gitlab.com/security-products/container-scanning:4
container_scanning:
- image: "$CS_ANALYZER_IMAGE"
+ image: "$CS_ANALYZER_IMAGE$CS_IMAGE_SUFFIX"
stage: test
variables:
# To provide a `vulnerability-allowlist.yml` file, override the GIT_STRATEGY variable in your
@@ -47,4 +47,10 @@ container_scanning:
- if: $CONTAINER_SCANNING_DISABLED
when: never
- if: $CI_COMMIT_BRANCH &&
+ $GITLAB_FEATURES =~ /\bcontainer_scanning\b/ &&
+ $CI_GITLAB_FIPS_MODE == "true" &&
+ $CS_ANALYZER_IMAGE !~ /-(fips|ubi)\z/
+ variables:
+ CS_IMAGE_SUFFIX: -fips
+ - if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bcontainer_scanning\b/
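Review bot: `CS_IMAGE_SUFFIX` is never given an empty default in either hunk, so on non-FIPS instances the new `image: "$CS_ANALYZER_IMAGE$CS_IMAGE_SUFFIX"` line depends on how GitLab expands an unset variable inside `image:`; the other templates in this commit declare `SAST_IMAGE_SUFFIX: ""`, `FUZZAPI_IMAGE_SUFFIX: ""` and `DAST_API_IMAGE_SUFFIX: ""`, and this file should add `CS_IMAGE_SUFFIX: ""` to its `variables:` block unless it is already declared above the context shown. The value is also written unquoted as `-fips` while its siblings use `"-fips"`; the plain scalar does parse as the string, but quoting keeps the files consistent and stops a reader mistaking it for a sequence item. The `!~ /-(fips|ubi)\z/` guard on `CS_ANALYZER_IMAGE` is the right approach and is what the API-Fuzzing and DAST-API rules lack. The `container_scanning` `rules:` list continues past this hunk.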
diff --git a/lib/gitlab/ci/templates/Security/DAST-API.latest.gitlab-ci.yml b/lib/gitlab/ci/templates/Security/DAST-API.latest.gitlab-ci.yml
index 0e0afa489a3..b491b3e3c0c 100644
--- a/lib/gitlab/ci/templates/Security/DAST-API.latest.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Security/DAST-API.latest.gitlab-ci.yml
@@ -27,11 +27,12 @@ variables:
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
#
DAST_API_VERSION: "1"
+ DAST_API_IMAGE_SUFFIX: ""
DAST_API_IMAGE: api-fuzzing
dast_api:
stage: dast
- image: $SECURE_ANALYZERS_PREFIX/$DAST_API_IMAGE:$DAST_API_VERSION
+ image: $SECURE_ANALYZERS_PREFIX/$DAST_API_IMAGE:$DAST_API_VERSION$DAST_API_IMAGE_SUFFIX
allow_failure: true
rules:
- if: $DAST_API_DISABLED
@@ -39,6 +40,10 @@ dast_api:
- if: $DAST_API_DISABLED_FOR_DEFAULT_BRANCH &&
$CI_DEFAULT_BRANCH == $CI_COMMIT_REF_NAME
when: never
+ - if: $CI_COMMIT_BRANCH &&
+ $CI_GITLAB_FIPS_MODE == "true"
+ variables:
+ DAST_API_IMAGE_SUFFIX: "-fips"
- if: $CI_COMMIT_BRANCH
script:
- /peach/analyzer-dast-api
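Review bot: As in the API-Fuzzing template, the FIPS rule appends `-fips` to `$DAST_API_VERSION` without checking whether the pinned version already ends in that suffix, so `DAST_API_VERSION: "1-fips"` on a FIPS instance resolves to `api-fuzzing:1-fips-fips`; a `$DAST_API_VERSION !~ /-fips\z/ &&` clause, mirroring the Container-Scanning guard in this commit, would avoid that. The following hunk also appends a bare `# end` comment at the end of the file, which carries no information and can be dropped. The `dast_api` job starts before this hunk and continues after it.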
@@ -50,3 +55,5 @@ dast_api:
- gl-*.log
reports:
dast: gl-dast-api-report.json
+
+# end
diff --git a/lib/gitlab/ci/templates/ThemeKit.gitlab-ci.yml b/lib/gitlab/ci/templates/ThemeKit.gitlab-ci.yml
new file mode 100644
index 00000000000..8a0913e8f66
--- /dev/null
+++ b/lib/gitlab/ci/templates/ThemeKit.gitlab-ci.yml
@@ -0,0 +1,27 @@
+# Shopify Theme Kit is a CLI tool for Shopify Themes: https://shopify.github.io/themekit/
+# See the full usage of this template described in: https://medium.com/@gogl.alex/how-to-deploy-shopify-themes-automatically-1ac17ee1229c
+
+image: python:2
+
+stages:
+ - deploy:staging
+ - deploy:production
+
+staging:
+ image: python:2
+ stage: deploy:staging
+ script:
+ - curl -s https://shopify.github.io/themekit/scripts/install.py | python
+ - theme deploy --env=staging
+ only:
+ variables:
+ - $CI_DEFAULT_BRANCH == $CI_COMMIT_BRANCH
+
+production:
+ image: python:2
+ stage: deploy:production
+ script:
+ - curl -s https://shopify.github.io/themekit/scripts/install.py | python
+ - theme deploy --env=production --allow-live
+ only:
+ - tags
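Review bot: Both deploy jobs install Theme Kit with `curl -s https://shopify.github.io/themekit/scripts/install.py | python`, executing an unpinned, unverified script fetched over the network at deploy time inside the job that holds the store's deploy credentials, and `curl -s` without `-f` hands an error page to the interpreter just the same. Fetch the installer to a file with `curl -fsSL -o`, verify it against a checksum the project pins in a CI variable, and only then run it; Theme Kit also ships versioned release binaries, and a pinned release would be better still where the runner can use one. The `production` job deploys with `--allow-live` on every tag but declares no `environment`, so it cannot be protected by a protected environment; add `environment:` with `name: production`, rely on protected tags so only maintainers can trigger it, and keep the store password in a masked, protected variable rather than a committed `config.yml`. `python:2` is end-of-life and receives no security fixes; if `install.py` runs under Python 3, which is worth confirming, use `python:3` in both jobs.

```yaml
production:
  image: python:3  # python:2 is EOL; confirm install.py runs on 3
  stage: deploy:production
  environment:
    name: production
  script:
    - curl -fsSL -o install.py https://shopify.github.io/themekit/scripts/install.py
    - echo "${THEMEKIT_INSTALLER_SHA256}  install.py" | sha256sum -c -
    - python install.py
    - theme deploy --env=production --allow-live
  only:
    - tags
# … unchanged: staging job (apply the same fetch-and-verify steps) …
```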
diff --git a/lib/gitlab/ci/templates/liquibase.gitlab-ci.yml b/lib/gitlab/ci/templates/liquibase.gitlab-ci.yml
new file mode 100644
index 00000000000..18d59035b78
--- /dev/null
+++ b/lib/gitlab/ci/templates/liquibase.gitlab-ci.yml
@@ -0,0 +1,149 @@
+# This file is a template, and might need editing before it works on your project.
+# Here is a live project example that is using this template:
+# https://gitlab.com/szandany/h2
+
+# To contribute improvements to CI/CD templates, please follow the Development guide at:
+# https://docs.gitlab.com/ee/development/cicd/templates.html
+# This specific template is located at:
+# https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/liquibase.gitlab-ci.yml
+
+# This template must be configured with CI/CD variables before it will work.
+# See https://www.liquibase.com/blog/secure-database-developer-flow-using-gitlab-pipelines
+# to learn how to configure the Liquibase template by using variables.
+# Be sure to add the variables before running pipelines with this template.
+# You may not want to run all the jobs in this template. You can comment out or delete the jobs you don't wish to use.
+
+# List of stages for jobs and their order of execution.
+stages:
+ - build
+ - test
+ - deploy
+ - compare
+
+
+# Helper functions to determine if the database is ready for deployments (function isUpToDate) or rollbacks (function isRollback) when tag is applied.
+.functions: &functions |
+ function isUpToDate(){
+ status=$(liquibase status --verbose)
+ if [[ $status == *'is up to date'* ]]; then
+ echo "database is already up to date" & exit 0
+ fi;
+ }
+
+ function isRollback(){
+ if [ -z "$TAG" ]; then
+ echo "No TAG provided, running any pending changes"
+ elif [[ "$(liquibase rollbackSQL $TAG)" ]]; then
+ liquibase --logLevel=info --logFile=${CI_JOB_NAME}_${CI_PIPELINE_ID}.log rollback $TAG && exit 0
+ else exit 0
+ fi;
+ }
+
+
+# This is a series of Liquibase commands that can be run while doing database migrations from Liquibase docs at https://docs.liquibase.com/commands/home.html
+.liquibase_job:
+ image: liquibase/liquibase:latest # Using the Liquibase Docker Image at - https://hub.docker.com/r/liquibase/liquibase
+ before_script:
+ - liquibase --version
+ - *functions
+ - isRollback
+ - isUpToDate
+ - liquibase checks run
+ - liquibase update
+ - liquibase rollbackOneUpdate --force # This is a Pro command. Try Pro free trial here - https://liquibase.org/try-liquibase-pro-free
+ - liquibase tag $CI_PIPELINE_ID
+ - liquibase --logFile=${CI_JOB_NAME}_${CI_PIPELINE_ID}.log --logLevel=info update
+ - liquibase history
+ artifacts:
+ paths:
+ - ${CI_JOB_NAME}_${CI_PIPELINE_ID}.log
+ expire_in: 1 week
+
+
+# This job runs in the build stage, which runs first.
+build-job:
+ extends: .liquibase_job
+ stage: build
+ environment:
+ name: DEV
+ script:
+ - echo "This job tested successfully with liquibase in DEV environment"
+ rules:
+ - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
+
+
+# This job runs in the test stage. It only starts when the job in the build stage completes successfully.
+test-job:
+ extends: .liquibase_job
+ stage: test
+ environment:
+ name: TEST
+ script:
+ - echo "This job testsed successfully with liquibase in TEST environment"
+ rules:
+ - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
+
+
+# This job runs in the deploy stage. It only starts when the jobs in the test stage completes successfully.
+deploy-prod:
+ extends: .liquibase_job
+ stage: deploy
+ environment:
+ name: PROD
+ script:
+ - echo "This job deployed successfully Liquibase in a production environment from the $CI_COMMIT_BRANCH branch."
+ rules:
+ - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
+
+
+# This job compares dev database with test database to detect any drifts in the pipeline. Learn more about comparing database with Liquibase here https://docs.liquibase.com/commands/diff.html
+DEV->TEST:
+ image: liquibase/liquibase:latest # Using the Liquibase Docker Image
+ stage: compare
+ environment:
+ name: TEST
+ script:
+ - echo "Comparing databases DEV --> TEST"
+ - liquibase diff
+ - liquibase --outputFile=diff_between_DEV_TEST.json diff --format=json
+ rules:
+ - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
+ artifacts:
+ paths:
+ - diff_between_DEV_TEST.json
+ expire_in: 1 week
+
+
+# This job compares test database with prod database to detect any drifts in the pipeline.
+TEST->PROD:
+ image: liquibase/liquibase:latest # Using the Liquibase Docker Image
+ stage: compare
+ environment:
+ name: PROD
+ script:
+ - echo "Comparing databases TEST --> PROD"
+ - liquibase diff
+ - liquibase --outputFile=diff_between_TEST_PROD.json diff --format=json
+ rules:
+ - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
+ artifacts:
+ paths:
+ - diff_between_TEST_PROD.json
+ expire_in: 1 week
+
+
+# This job creates a snapshot of prod database. You can use the snapshot file to run comparisons with the production database to investigate for any potential issues. https://www.liquibase.com/devsecops
+snapshot PROD:
+ image: liquibase/liquibase:latest # Using the Liquibase Docker Image
+ stage: .post
+ environment:
+ name: PROD
+ script:
+ - echo "Snapshotting database PROD"
+ - liquibase --outputFile=snapshot_PROD_${CI_PIPELINE_ID}.json snapshot --snapshotFormat=json --log-level debug
+ rules:
+ - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
+ artifacts:
+ paths:
+ - snapshot_PROD_${CI_PIPELINE_ID}.json
+ expire_in: 1 week
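Review bot: In `isRollback`, `liquibase --logLevel=info --logFile=... rollback $TAG && exit 0` exits only when the rollback succeeds, so a failed rollback falls straight through to `isUpToDate`, `liquibase update`, `rollbackOneUpdate --force`, `tag` and the second `update` in `before_script`, applying pending changes on top of a half-rolled-back schema; `liquibase --logLevel=info --logFile=${CI_JOB_NAME}_${CI_PIPELINE_ID}.log rollback "$TAG"; exit $?` (quoting `$TAG` against word splitting) makes the job result reflect the rollback. In `isUpToDate`, `echo "database is already up to date" & exit 0` backgrounds the echo instead of chaining it and should be `&&`. `deploy-prod`, together with the `PROD` compare and snapshot jobs, runs automatically on every default-branch push with that same `before_script` against production and on the floating `liquibase/liquibase:latest` image; a `when: manual` rule on `deploy-prod`, a protected `PROD` environment, and a pinned image tag would keep a bad merge or a poisoned `latest` image from reaching production unattended. The `--logFile` artifacts and the `--log-level debug` snapshot may echo whatever connection URL the template's CI variables supply, so credentials belong in masked variables rather than embedded in the URL.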