From 9f7129eea484293eb25044b9ee81b4d67192f30a Mon Sep 17 00:00:00 2001
From: Nick Ilieskou
Date: Wed, 22 Oct 2025 10:15:34 +0200
Subject: [PATCH 1/5] Update DS template to v2
---
 .gitlab/ci/reports.gitlab-ci.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/.gitlab/ci/reports.gitlab-ci.yml b/.gitlab/ci/reports.gitlab-ci.yml
index 9f371e0089292e..c8405d5b0a2dad 100644
--- a/.gitlab/ci/reports.gitlab-ci.yml
+++ b/.gitlab/ci/reports.gitlab-ci.yml
@@ -1,7 +1,7 @@
 include:
 - template: Jobs/SAST.gitlab-ci.yml
 - template: Jobs/Secret-Detection.gitlab-ci.yml
- - template: Jobs/Dependency-Scanning.latest.gitlab-ci.yml
+ - template: Jobs/Dependency-Scanning.v2.gitlab-ci.yml
 .sast-analyzer:
 # We need to re-`extends` from `sast` as the `extends` here overrides the one from the template.
@@ -45,7 +45,6 @@ secret_detection:
 needs: []
 variables:
 DS_EXCLUDED_PATHS: "qa/qa/ee/fixtures/secure_premade_reports, spec, ee/spec, tmp, storybook" # GitLab-specific
- DS_ENFORCE_NEW_ANALYZER: "true"
 DS_STATIC_REACHABILITY_ENABLED: "false"
 artifacts:
 paths:
--
GitLab
From ea42c06a9ae234609a04891ad9fd3a50c4f4abb0 Mon Sep 17 00:00:00 2001
From: Nick Ilieskou
Date: Wed, 22 Oct 2025 10:36:00 +0200
Subject: [PATCH 2/5] Update ds job
---
 .gitlab/ci/reports.gitlab-ci.yml | 30 +++++++++++-------------------
 1 file changed, 11 insertions(+), 19 deletions(-)
diff --git a/.gitlab/ci/reports.gitlab-ci.yml b/.gitlab/ci/reports.gitlab-ci.yml
index c8405d5b0a2dad..57b88226043831 100644
--- a/.gitlab/ci/reports.gitlab-ci.yml
+++ b/.gitlab/ci/reports.gitlab-ci.yml
@@ -2,6 +2,8 @@ include:
 - template: Jobs/SAST.gitlab-ci.yml
 - template: Jobs/Secret-Detection.gitlab-ci.yml
 - template: Jobs/Dependency-Scanning.v2.gitlab-ci.yml
+ inputs:
+ stage: "lint"
 .sast-analyzer:
 # We need to re-`extends` from `sast` as the `extends` here overrides the one from the template.
@@ -35,32 +37,22 @@ semgrep-sast:
 secret_detection:
 rules: !reference [".reports:rules:secret_detection", rules]
-
-.ds-analyzer:
- # We need to re-`extends` from `dependency_scanning` as the `extends` here overrides the one from the template.
+
+dependency-scanning:
 extends:
- - .default-retry
- - dependency_scanning
- stage: lint
- needs: []
+ - .default-retry
 variables:
 DS_EXCLUDED_PATHS: "qa/qa/ee/fixtures/secure_premade_reports, spec, ee/spec, tmp, storybook" # GitLab-specific
- DS_STATIC_REACHABILITY_ENABLED: "false"
+ DS_STATIC_REACHABILITY_ENABLED: "false"
 artifacts:
- paths:
- - gl-dependency-scanning-report.json # GitLab-specific
- access: 'developer'
- expire_in: 1 week # GitLab-specific
- after_script:
- # Remove sboms in test fixtures so that they are not ingested and scanned.
- - find spec ee/spec qa -path '**/fixtures/**/gl-sbom*.cdx.json' -delete
-
-dependency-scanning:
- extends:
- - .ds-analyzer
+ expire_in: 1 week
+ needs: []
 rules:
 # Use !reference to prevent rule merging issues with template's dependency-scanning job
 - !reference [.reports:rules:dependency_scanning, rules]
+ after_script:
+ # Remove sboms in test fixtures so that they are not ingested and scanned.
+ - find spec ee/spec qa -path '**/fixtures/**/gl-sbom*.cdx.json' -delete
 # Analyze dependencies for malicious behavior
 # See https://gitlab.com/gitlab-com/gl-security/security-research/package-hunter
--
GitLab
From bbe8d2fd3a2b15d082f8c8a4acf1f4c6e0eca904 Mon Sep 17 00:00:00 2001
From: Nick Ilieskou
Date: Wed, 22 Oct 2025 11:18:12 +0200
Subject: [PATCH 3/5] Enable SR
---
 .gitlab/ci/reports.gitlab-ci.yml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/.gitlab/ci/reports.gitlab-ci.yml b/.gitlab/ci/reports.gitlab-ci.yml
index 57b88226043831..c653d93ba5c512 100644
--- a/.gitlab/ci/reports.gitlab-ci.yml
+++ b/.gitlab/ci/reports.gitlab-ci.yml
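Review bot: The rebuilt `dependency-scanning` job drops `access: 'developer'` from `artifacts:` (the removed `.ds-analyzer` block carried it) while keeping only `expire_in: 1 week`, so who can download the dependency-scanning report now depends on whatever the v2 template sets, and if the template leaves it unset the report artifact falls back to the default access level. Keep the line, `access: 'developer'` under `artifacts:`, unless the v2 template is known to set it. Separately, `extends: [.default-retry]` on a job that shares its name with the template job replaces the template's `extends` list rather than merging with it, which is the situation the deleted comment on `.ds-analyzer` described; whether the v2 template's `dependency-scanning` job uses `extends` at all is not visible here, so the merged pipeline configuration is worth checking before this is relied on.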
@@ -2,7 +2,7 @@ include:
 - template: Jobs/SAST.gitlab-ci.yml
 - template: Jobs/Secret-Detection.gitlab-ci.yml
 - template: Jobs/Dependency-Scanning.v2.gitlab-ci.yml
- inputs:
+ inputs:
 stage: "lint"
 .sast-analyzer:
@@ -37,16 +37,16 @@ semgrep-sast:
 secret_detection:
 rules: !reference [".reports:rules:secret_detection", rules]
-
+
 dependency-scanning:
 extends:
- - .default-retry
+ - .default-retry
 variables:
 DS_EXCLUDED_PATHS: "qa/qa/ee/fixtures/secure_premade_reports, spec, ee/spec, tmp, storybook" # GitLab-specific
- DS_STATIC_REACHABILITY_ENABLED: "false"
+ DS_STATIC_REACHABILITY_ENABLED: "true"
 artifacts:
 expire_in: 1 week
- needs: []
+ needs: []
 rules:
 # Use !reference to prevent rule merging issues with template's dependency-scanning job
 - !reference [.reports:rules:dependency_scanning, rules]
--
GitLab
From 1f71ed2f144cf6a5e3e4ae374f10a8a43ae30541 Mon Sep 17 00:00:00 2001
From: Nick Ilieskou
Date: Wed, 22 Oct 2025 15:16:42 +0200
Subject: [PATCH 4/5] Apply 1 suggestion(s) to 1 file(s)
Co-authored-by: Olivier Gonzalez
---
 .gitlab/ci/reports.gitlab-ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.gitlab/ci/reports.gitlab-ci.yml b/.gitlab/ci/reports.gitlab-ci.yml
index c653d93ba5c512..faf5713098d6a0 100644
--- a/.gitlab/ci/reports.gitlab-ci.yml
+++ b/.gitlab/ci/reports.gitlab-ci.yml
@@ -50,7 +50,7 @@ dependency-scanning:
 rules:
 # Use !reference to prevent rule merging issues with template's dependency-scanning job
 - !reference [.reports:rules:dependency_scanning, rules]
- after_script:
+ before_script:
 # Remove sboms in test fixtures so that they are not ingested and scanned.
 - find spec ee/spec qa -path '**/fixtures/**/gl-sbom*.cdx.json' -delete
--
GitLab
From f5f6f5146bd8c6c0db421cf9d640a4f0d8ad8598 Mon Sep 17 00:00:00 2001
From: Nick Ilieskou
Date: Wed, 22 Oct 2025 15:19:44 +0200
Subject: [PATCH 5/5] Use spec inputs
---
 .gitlab/ci/reports.gitlab-ci.yml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
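Review bot: `DS_STATIC_REACHABILITY_ENABLED: "true"` in the second hunk of PATCH 3/5 is now a deliberate local override of the template default, but unlike the neighbouring `DS_EXCLUDED_PATHS` line it carries no `# GitLab-specific` marker, so a later template sync cannot tell it apart from an inherited default. Suggest `DS_STATIC_REACHABILITY_ENABLED: "true" # GitLab-specific`, or a one-line comment above it stating why static reachability is wanted for this repository. The first hunk and the other three changed line pairs in the second hunk appear to be whitespace-only and need no further review.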
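Review bot: In PATCH 4/5, moving the fixture clean-up under `before_script:` means this job now defines its own `before_script`, and a `before_script` defined on a job replaces, rather than appends to, the one the included template's `dependency-scanning` job may define; whether the v2 template's job has one is not visible in this hunk, so verify in the merged pipeline configuration that the analyzer's own setup still runs. If the override is intended, the comment above the `find` command could record that constraint, e.g. `# Runs as this job's before_script, which replaces any template before_script; keep it self-contained.`. The `dependency-scanning` job starts before this hunk.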
diff --git a/.gitlab/ci/reports.gitlab-ci.yml b/.gitlab/ci/reports.gitlab-ci.yml
index faf5713098d6a0..7b87ceaf875349 100644
--- a/.gitlab/ci/reports.gitlab-ci.yml
+++ b/.gitlab/ci/reports.gitlab-ci.yml
@@ -4,6 +4,8 @@ include:
 - template: Jobs/Dependency-Scanning.v2.gitlab-ci.yml
 inputs:
 stage: "lint"
+ enable_static_reachability: true
+ excluded_paths: "qa/qa/ee/fixtures/secure_premade_reports, spec, ee/spec, tmp, storybook"
 .sast-analyzer:
 # We need to re-`extends` from `sast` as the `extends` here overrides the one from the template.
@@ -41,9 +43,6 @@ secret_detection:
 dependency-scanning:
 extends:
 - .default-retry
- variables:
- DS_EXCLUDED_PATHS: "qa/qa/ee/fixtures/secure_premade_reports, spec, ee/spec, tmp, storybook" # GitLab-specific
- DS_STATIC_REACHABILITY_ENABLED: "true"
 artifacts:
 expire_in: 1 week
 needs: []
--
GitLab
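Review bot: The `excluded_paths` input in the first hunk is the old `DS_EXCLUDED_PATHS` string copied verbatim, including the space after each comma; whether the v2 template passes that input straight through to `DS_EXCLUDED_PATHS` (where the same value worked before) or splits it differently is not visible here, and if it is handled differently the entries ` spec`, ` ee/spec`, ` tmp` and ` storybook` would silently stop matching and the premade-report fixtures under `spec` and `ee/spec` would be scanned again. Worth confirming against the template's `spec:inputs` declaration, and since the `# GitLab-specific` marker was lost in the move, re-adding it: `excluded_paths: "qa/qa/ee/fixtures/secure_premade_reports, spec, ee/spec, tmp, storybook" # GitLab-specific`. The `dependency-scanning` job in the second hunk continues past the hunk.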