author | GitLab Bot <gitlab-bot@gitlab.com> | 2023-05-16 06:07:12 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2023-05-16 06:07:12 +0000 |
commit | b78b8c1103e1e9542891a1c333c8abcd4d7e10ab (patch) | |
tree | e6fd1cb9a6fbd4fcb6d9befb61a1773e5c8542c5 /doc/update | |
parent | fe0260eaa337339a131624a8b71d7a05a3664a18 (diff) | |
download | gitlab-ce-b78b8c1103e1e9542891a1c333c8abcd4d7e10ab.tar.gz |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'doc/update')
| file | lines changed |
|---|---|
| doc/update/deprecations.md | 15 |
| doc/update/removals.md | 20 |
2 files changed, 23 insertions, 12 deletions
diff --git a/doc/update/deprecations.md b/doc/update/deprecations.md index 9a852536c9b..e30782c70a3 100644 --- a/doc/update/deprecations.md +++ b/doc/update/deprecations.md 
@@ -989,19 +989,10 @@ When using the native HashiCorp Vault integration, CI/CD jobs will fail when no - To discuss this change or learn more, see the [deprecation issue](https://gitlab.com/gitlab-org/gitlab/-/issues/408396). </div> -We'll change how the MobSF-based analyzer in GitLab SAST handles multi-module Android projects. -This analyzer only runs if you [enable Experimental features](https://docs.gitlab.com/ee/user/application_security/sast/#experimental-features) for SAST. +**Update:** We previously announced a change to how the MobSF-based GitLab SAST analyzer would scan multi-module Android projects. +We've cancelled that change, and no action is required. -The analyzer currently searches for `AndroidManifest.xml` files and scans only the first one it finds. -This manifest often is not the main manifest for the app, so the scan checks less of the app's source code for vulnerabilities. - -Starting in GitLab 16.0, the analyzer will always use `app/src/main/AndroidManifest.xml` as the manifest, and use `app/src/main/` as the project root directory. -The new behavior matches standard Android project layouts and addresses bug reports from customers, so we expect it will improve scan coverage for most apps. - -If you relied on the previous behavior, you can [pin the MobSF analyzer](https://docs.gitlab.com/ee/user/application_security/sast/#pinning-to-minor-image-version) to version 4.0.0, which uses the old behavior. -Then, please comment on [the deprecation issue](https://gitlab.com/gitlab-org/gitlab/-/issues/408396) so we can consider new configuration options to accommodate your use case. - -This change doesn't affect scans you run in GitLab 15.11 or previous versions, since this change is only included in the [new major version](#secure-analyzers-major-version-update) of the MobSF-based analyzer. 
+Instead of changing which single module would be scanned, we [improved multi-module support](https://gitlab.com/gitlab-org/security-products/analyzers/mobsf/-/merge_requests/73). </div> diff --git a/doc/update/removals.md b/doc/update/removals.md index a2dddbfaa44..7359d74c6f5 100644 --- a/doc/update/removals.md +++ b/doc/update/removals.md 
@@ -552,6 +552,26 @@ GitLab 15.7 and is removed in 16.0. The Phabricator project hasn't been actively maintained since June 1, 2021. We haven't observed imports using this tool. There has been no activity on the open related issues on GitLab. +### The Security Code Scan-based GitLab SAST analyzer is now removed + +WARNING: +This is a [breaking change](https://docs.gitlab.com/ee/development/deprecation_guidelines/). +Review the details carefully before upgrading. + +GitLab SAST uses various [analyzers](https://docs.gitlab.com/ee/user/application_security/sast/analyzers/) to scan code for vulnerabilities. +We've reduced the number of supported analyzers used by default in GitLab SAST. +This is part of our long-term strategy to deliver a faster, more consistent user experience across different programming languages. + +As of GitLab 16.0, the [SAST CI/CD template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml) no longer uses the [Security Code Scan](https://gitlab.com/gitlab-org/security-products/analyzers/security-code-scan)-based analyzer for .NET. +We've removed this analyzer from the SAST CI/CD template and replaced it with GitLab-supported detection rules for C# in the [Semgrep-based analyzer](https://gitlab.com/gitlab-org/security-products/analyzers/semgrep). + +Because this analyzer has reached End of Support in GitLab 16.0, we won't provide further updates to it. +However, we won't delete any container images we previously published for this analyzer or remove the ability to run it by using a [custom CI/CD pipeline job](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportssast). + +If you've already dismissed a vulnerability finding from the deprecated analyzer, the replacement attempts to respect your previous dismissal. 
See [Vulnerability translation documentation](https://docs.gitlab.com/ee/user/application_security/sast/analyzers.html#vulnerability-translation) for further details. + +If you customize the behavior of GitLab SAST by disabling the Semgrep-based analyzer or depending on specific SAST jobs in your pipelines, you must take action as detailed in the [deprecation issue for this change](https://gitlab.com/gitlab-org/gitlab/-/issues/390416#actions-required). + ### The stable Terraform CI/CD template has been replaced with the latest template WARNING: |
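Review bot: In the deprecations.md hunk, the replacement text now only says the change was cancelled, but the removed lines were the only place that described the analyzer's current behavior (scanning the first `AndroidManifest.xml` it finds); add one sentence stating that this behavior remains unchanged so a reader who followed the original announcement knows what to expect, and use "canceled" to match the US spelling used elsewhere in the entry ("behavior").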
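Review bot: In the removals.md hunk, "the replacement attempts to respect your previous dismissal" is too vague for a breaking-change notice; state that dismissal carry-over is best-effort and that users should review previously dismissed .NET findings after the first Semgrep-based scan. Also, the link text "custom CI/CD pipeline job" points at the `artifacts:reports:sast` keyword reference (`artifacts_reports.html#artifactsreportssast`), so reword the link text to match that target, for example "by using a job that uploads a `sast` report artifact".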