Run rpm_verify_fips against FIPS images

What does this MR do?

Run rpm_verify_fips against FIPS images

Using the tool/image from https://gitlab.com/gitlab-org/cloud-native/container-dependencies-finder we check our ubi-fips images as soon as they are ready.

We use

  • skopeo to convert the image from an oci archive to a docker archive
  • crane to export the rootfs from the docker archive
  • rpm_verify_fips to scan the exported rootfs

The logs of the verification are uploaded as an artifact.
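The three-step chain above (skopeo, crane, rpm_verify_fips) as a single POSIX shell script. This is an added example, not the MR's own CI job: the `crane export - -` form that reads a docker-archive tarball from stdin, the assumption that `rpm_verify_fips` takes the rootfs directory as its only argument, and the file paths are all assumptions; the MR description does not show any of these command lines.

```shell
#!/bin/sh
# Added example (not the MR's CI job): convert a FIPS image from an OCI
# archive to a docker archive, export its rootfs, and scan the rootfs with
# rpm_verify_fips, keeping the scan log for upload as an artifact.
set -eu

# Print the names of required tools that are not on PATH, one per line.
missing_tools() {
  for tool in "$@"; do
    command -v "$tool" >/dev/null 2>&1 || printf '%s\n' "$tool"
  done
}

# Derive the docker-archive path from the OCI archive path:
#   build/ubi-fips.tar -> build/ubi-fips.docker.tar
docker_archive_path() {
  printf '%s\n' "${1%.tar}.docker.tar"
}

# Run the whole chain: oci-archive -> docker-archive -> rootfs -> scan.
#   $1  path to the OCI archive of the image
#   $2  working directory for the docker archive, the rootfs and the log
# Returns 2 if a tool is missing, otherwise the exit status of the scan.
verify_fips_image() {
  oci_tar=$1
  workdir=$2
  docker_tar=$(docker_archive_path "$oci_tar")
  rootfs="$workdir/rootfs"
  log="$workdir/rpm_verify_fips.log"

  missing=$(missing_tools skopeo crane rpm_verify_fips)
  if [ -n "$missing" ]; then
    printf 'missing tools:\n%s\n' "$missing" >&2
    return 2
  fi

  mkdir -p "$rootfs"
  # 1. skopeo rewrites the OCI layout archive as a docker-archive tarball.
  skopeo copy "oci-archive:$oci_tar" "docker-archive:$docker_tar"
  # 2. crane reads that tarball from stdin (assumed "- -" form) and streams
  #    the flattened rootfs as a tar on stdout, unpacked under $rootfs.
  crane export - - < "$docker_tar" | tar -x -C "$rootfs"
  # 3. rpm_verify_fips scans the exported rootfs (assumed argument form).
  #    The status is captured explicitly so a failed scan still leaves a
  #    complete log on disk for the artifact upload.
  status=0
  rpm_verify_fips "$rootfs" > "$log" 2>&1 || status=$?
  cat "$log"
  return "$status"
}

# Run only when an image is given via the environment, so running the file
# without one just defines the functions.
if [ -n "${FIPS_IMAGE_OCI:-}" ]; then
  verify_fips_image "$FIPS_IMAGE_OCI" "${FIPS_WORKDIR:-./fips-check}"
fi
```

Because the scan's exit status is captured before the log is printed, a job using this script fails on a failed verification while the log file is still written; in GitLab CI that pairs with `artifacts: when: always` so the log is uploaded in both the passing and the failing case.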

Why was this MR needed?

To implement some controls on cryptographic modules used within the ubi/fips containers.

What's the best way to test this MR?

  • run the pipeline
  • see that the job succeeded
  • inspect the created artifacts

What are the relevant issue numbers?

closes https://gitlab.com/gitlab-org/gitlab-runner/-/issues/37985

Edited by Hannes Hörl
