1 files changed, 19 insertions, 11 deletions

diff --git a/doc/user/application_security/container_scanning/index.md b/doc/user/application_security/container_scanning/index.md
index f2d6cef669d..64566e458ee 100644
--- a/doc/user/application_security/container_scanning/index.md
+++ b/doc/user/application_security/container_scanning/index.md
@@ -186,7 +186,7 @@ The `CS_DISABLE_LANGUAGE_VULNERABILITY_SCAN` CI/CD variable controls whether the
 findings related to programming languages. The languages supported depend on the
 [scanner used](#change-scanners):
 
-- [Trivy](https://aquasecurity.github.io/trivy/latest/vulnerability/detection/language/).
+- [Trivy](https://aquasecurity.github.io/trivy/latest/docs/vulnerability/detection/language/).
 - [Grype](https://github.com/anchore/grype#features).
 
 By default, the report only includes packages managed by the Operating System (OS) package manager
@@ -222,6 +222,7 @@ You can [configure](#customizing-the-container-scanning-settings) analyzers by u
 | `CS_DISABLE_DEPENDENCY_LIST`   | `"false"`      | Disable Dependency Scanning for packages installed in the scanned image. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/345434) in GitLab 14.6. | All |
 | `CS_DISABLE_LANGUAGE_VULNERABILITY_SCAN` | `"true"` | Disable scanning for language-specific packages installed in the scanned image. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/345434) in GitLab 14.6. | All |
 | `CS_DOCKER_INSECURE`           | `"false"`     | Allow access to secure Docker registries using HTTPS without validating the certificates. | All |
+| `CS_IMAGE_SUFFIX`              | `""`          | Suffix added to `CS_ANALYZER_IMAGE`. If set to `-fips`, `FIPS-enabled` image is used for scan. See [FIPS-enabled images](#fips-enabled-images) for more details. [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/7630) in GitLab 14.10. | All |
 | `CS_IGNORE_UNFIXED`            | `"false"`     | Ignore vulnerabilities that are not fixed. | All |
 | `CS_REGISTRY_INSECURE`         | `"false"`     | Allow access to insecure registries (HTTP only). Should only be set to `true` when testing the image locally. Works with all scanners, but the registry must listen on port `80/tcp` for Trivy to work. | All |
 | `CS_SEVERITY_THRESHOLD`        | `UNKNOWN`     | Severity level threshold. The scanner outputs vulnerabilities with severity level higher than or equal to this threshold. Supported levels are Unknown, Low, Medium, High, and Critical. | Trivy |
@@ -236,22 +237,29 @@ You can [configure](#customizing-the-container-scanning-settings) analyzers by u
 Support depends on the scanner:
 
 - [Grype](https://github.com/anchore/grype#grype)
-- [Trivy](https://aquasecurity.github.io/trivy/latest/vulnerability/detection/os/) (Default).
+- [Trivy](https://aquasecurity.github.io/trivy/latest/docs/vulnerability/detection/os/) (Default).
 
-#### UBI-based images
+#### FIPS-enabled images
 
 > [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/5775) in GitLab 14.1.
 
-GitLab also offers [Red Hat UBI](https://www.redhat.com/en/blog/introducing-red-hat-universal-base-image)
-versions of the container-scanning images. You can therefore replace standard images with UBI-based
-images. To configure the images, set the `CS_ANALYZER_IMAGE` variable to the standard tag plus the
-`-ubi` extension.
+GitLab also offers [FIPS-enabled Red Hat UBI](https://www.redhat.com/en/blog/introducing-red-hat-universal-base-image)
+versions of the container-scanning images. You can therefore replace standard images with FIPS-enabled
+images. To configure the images, set the `CS_IMAGE_SUFFIX` to `-fips` or modify the `CS_ANALYZER_IMAGE` variable to the
+standard tag plus the `-fips` extension.
 
 | Scanner name    | `CS_ANALYZER_IMAGE` |
 | --------------- | ------------------- |
-| Default (Trivy) | `registry.gitlab.com/security-products/container-scanning:4-ubi` |
-| Grype           | `registry.gitlab.com/security-products/container-scanning/grype:4-ubi` |
-| Trivy           | `registry.gitlab.com/security-products/container-scanning/trivy:4-ubi` |
+| Default (Trivy) | `registry.gitlab.com/security-products/container-scanning:4-fips` |
+| Grype           | `registry.gitlab.com/security-products/container-scanning/grype:4-fips` |
+| Trivy           | `registry.gitlab.com/security-products/container-scanning/trivy:4-fips` |
+
+NOTE:
+Prior to GitLab 15.0, the `-ubi` image extension is also available. GitLab 15.0 and later only
+support `-fips`.
+
+Starting with GitLab 14.10, `-fips` is automatically added to `CS_ANALYZER_IMAGE` when FIPS mode is
+enabled in the GitLab instance.
 
 ### Enable Container Scanning through an automatic merge request
 
@@ -753,7 +761,7 @@ The images include the latest advisory database available for their respective s
 scanner includes data from multiple sources:
 
 - [Grype](https://github.com/anchore/grype#grypes-database).
-- [Trivy](https://aquasecurity.github.io/trivy/latest/vulnerability/detection/data-source/).
+- [Trivy](https://aquasecurity.github.io/trivy/latest/docs/vulnerability/detection/data-source/).
 
 Database update information for other analyzers is available in the
 [maintenance table](../index.md#vulnerability-scanner-maintenance).