Merge branch 'container-scanning-upgrade' into 'main'

Upgrade to latest container scanning component

See merge request components/opentofu!31

.gitlab-ci.yml

@@ -27,21 +27,11 @@ include:
           - tests/terraform/**.tf
           - backports/*.gitlab-ci.yml
           - backports/OpenTofu/*.gitlab-ciyml
-  - component: gitlab.com/components/container-scanning/container-scanning@1.0
+  - component: gitlab.com/components/container-scanning/container-scanning@2.0
     inputs:
       stage: quality
-      # FIXME: why is this not the default?
-      analyzer_image: "$CI_TEMPLATE_REGISTRY_HOST/security-products/container-scanning:6"
-      # FIXME: why do I have to set this, this is weird ...
-      force_run: true
-    # FIXME: doesn't work
-    # rules:
-    #   - changes:
-    #       - Dockerfile
-    #       - .gitlab-ci.yml
-    #       - src/gitlab-tofu.sh
-    #   - if: $CI_COMMIT_TAG
-    #   - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+      cs_image: $GITLAB_OPENTOFU_IMAGE_NAME
+      git_strategy: fetch
 
 stages:
   - build
@@ -123,20 +113,13 @@ check-backports:
 
 container_scanning:
   extends: .opentofu-versions
-  needs: ['gitlab-opentofu-image:build']
-  variables:
-    CS_IMAGE: $GITLAB_OPENTOFU_IMAGE_NAME
-    CS_SCHEMA_MODEL: 15
-    # Used for remediation
-    GIT_STRATEGY: fetch
-  # FIXME: because we are using rules with the include, but override here, we also have to have the same rules here
-  # rules:
-  #   - changes:
-  #       - Dockerfile
-  #       - .gitlab-ci.yml
-  #       - src/gitlab-tofu.sh
-  #   - if: $CI_COMMIT_TAG
-  #   - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+  rules:
+    - changes:
+        - src/gitlab-tofu.sh
+        - Dockerfile
+        - .gitlab-ci.yml
+    - if: $CI_COMMIT_TAG
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
 
 gitlab-opentofu-image:deploy:with-opentofu-version:
   extends: .opentofu-versions