Run Secure analyzers as non-root users
Problem to solve
We've started to transition some analyzers to run as a non-root user, and we've deprecated a handful of analyzers that are no longer used. The purpose of this issue is to transition every remaining analyzer that still runs as root today to support running as a non-root user. Ultimately we'd like the non-root user to be the default, but switching the default could qualify as a breaking change and would delay the work. We should explore rolling out support for a non-root user first, then switch to a non-root user by default in the next breaking change window.
Proposal
- Audit all analyzers and identify any containers that still run as the root user.
- Have the group responsible for each analyzer review the implementation plan and determine the level of effort:
  - T-shirt size the estimate in the "Effort Needed" column (S, M, L, XL).
  - Determine whether it would be a breaking change. If yes, provide the reason.
  - Estimate in which milestone you'd be able to make this change. We're looking to have this completed by %18.0 at the latest, but would prefer earlier if it is not considered a breaking change.
- Schedule and coordinate releases for analyzers that require a breaking change (collaborate with PM on this).
- Update analyzer documentation with any relevant changes made as part of this effort (user, OS, OpenShift support, etc.).
Implementation Plan
- Review the analyzer guidance for Dockerfiles and determine what is needed to support a non-root user out of the box without the need for a workaround.
- Test analyzer to ensure it's working as intended.
- Merge and release the Secure analyzer Docker containers with support for running as a non-root user. If it's a breaking change, schedule and coordinate with PM so they can add it to a breaking change announcement.
- Document any limitations an analyzer might have when running as a non-root user.
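The audit step in the proposal ("identify any containers that still run as a root user") and the Dockerfile guidance step above can both be checked statically before an image is ever built. The script below is an added example, not tooling from the analyzer projects: it reads a Dockerfile, keeps only the final build stage, and reports the effective user, treating a missing `USER` instruction, `USER root` or a UID of `0` as root. The three Dockerfiles it inspects are constructed samples written inline, and the `analyzer` user, UID 1000 and image tags are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not GitLab's own tooling: audit which user a Dockerfile's
# final image runs as. Assumed rules: the last USER instruction in the final
# stage wins, no USER instruction means root, and "0" or "0:<gid>" is root.
# The heredoc Dockerfiles further down are constructed samples.

# Print the effective user of the final stage ("root" if none is set).
dockerfile_user() {
    awk '
        toupper($1) == "FROM" { user = "" }   # new stage: earlier USER lines do not carry over
        toupper($1) == "USER" { user = $2 }   # last USER instruction wins
        END {
            sub(/:.*/, "", user)              # drop an optional ":group" suffix
            print (user == "" ? "root" : user)
        }
    ' "$1"
}

# Exit 0 when the final stage runs as a non-root user, 1 otherwise.
is_nonroot() {
    case "$(dockerfile_user "$1")" in
        root|0) return 1 ;;
        *)      return 0 ;;
    esac
}

# Report each Dockerfile given as an argument; returns 1 if any runs as root.
audit_dockerfiles() {
    rc=0
    for df in "$@"; do
        if is_nonroot "$df"; then
            printf '%s: non-root (USER %s)\n' "$df" "$(dockerfile_user "$df")"
        else
            printf '%s: ROOT\n' "$df"
            rc=1
        fi
    done
    return $rc
}

WORK=$(mktemp -d)

# Typical "before": no USER instruction at all, so the analyzer runs as uid 0.
ROOT_DF="$WORK/Dockerfile.root"
cat >"$ROOT_DF" <<'EOF'
FROM alpine:3.20
COPY analyzer /analyzer
ENTRYPOINT ["/analyzer/run"]
EOF

# USER was switched back to root to install packages and never dropped again.
EXPLICIT_ROOT_DF="$WORK/Dockerfile.explicit-root"
cat >"$EXPLICIT_ROOT_DF" <<'EOF'
FROM alpine:3.20
USER analyzer
USER root
RUN apk add --no-cache git
ENTRYPOINT ["/analyzer/run"]
EOF

# Hardened multi-stage build: the builder stage may run as root, the final
# stage creates an unprivileged user, chowns what it needs, and switches to it.
# A numeric UID is used so the image also runs where the platform assigns the
# UID itself (OpenShift's restricted SCC); group 0 keeps the files readable there.
NONROOT_DF="$WORK/Dockerfile.nonroot"
cat >"$NONROOT_DF" <<'EOF'
FROM golang:1.22 AS builder
WORKDIR /src
COPY . .
RUN go build -o /out/analyzer ./cmd/analyzer

FROM alpine:3.20
RUN addgroup -g 1000 analyzer && adduser -D -u 1000 -G analyzer analyzer
COPY --from=builder --chown=1000:0 /out/analyzer /analyzer/run
WORKDIR /tmp
USER 1000:0
ENTRYPOINT ["/analyzer/run"]
EOF

audit_dockerfiles "$ROOT_DF" "$EXPLICIT_ROOT_DF" "$NONROOT_DF" || true
```

Running the script prints `ROOT` for the first two samples and `non-root (USER 1000)` for the third. The static check is only half of the test described in the next step: an image whose `USER` is non-root can still fail at runtime if the analyzer writes to a directory that only root owns, so the analyzer should also be run against a sample project with its working directory mounted as the unprivileged user.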
Analyzers that run as root
| Analyzer | Image | Effort Needed | Breaking change? (Reason) | Issue | Target Delivery Milestone | Team | DRI |
|---|---|---|---|---|---|---|---|
| semgrep (SAST) | | S | | Use non-root users in SAST analyzers (#474602 - closed) • Julian Thome • 17.6 • On track | | | |
| pmd-apex (SAST) | | S | | Use non-root users in SAST analyzers (#474602 - closed) • Julian Thome • 17.6 • On track | | | |
| spotbugs (SAST) | | M | | Use non-root users in SAST analyzers (#474602 - closed) • Julian Thome • 17.6 • On track | | | |
| sobelow (SAST) | | S | | Use non-root users in SAST analyzers (#474602 - closed) • Julian Thome • 17.6 • On track | | | |
| (IaC) | | S | | Use non-root users in SAST analyzers (#474602 - closed) • Julian Thome • 17.6 • On track | | | |
| gitlab-advanced-sast | | L (there will be a performance impact if using a non-root user) | No | | | | |
| secrets (Secret Detection) | | S | No | Use non-root user by default in Secret Detectio... (#476160) • Unassigned • Backlog | | | |
| gemnasium-maven (Dependency Scanning) | | M | No | Improve Dependency Scanning support with non-ro... (#431945) • Unassigned • Backlog | 17.5 (as a new analyzer) | | |
| (Dependency Scanning) | | M | No | Improve Dependency Scanning support with non-ro... (#431945) • Unassigned • Backlog | 17.5 (as a new analyzer) | | |
Deprecated analyzers
- gosec root (Deprecated in %15.0)
- security-code-scan root (Deprecated in %16.0)
- bandit root (Deprecated in %17.0)
- brakeman root (Deprecated in %17.0)
- flawfinder root (Deprecated in %17.0)
Analyzers that run as a non-root user
- bundler-audit root (#281816 (closed))
- gemnasium root (#281816 (closed))
- gemnasium-maven root (#281816 (closed))
- gemnasium-python root (#281816 (closed))
- gcs root (#273530 (closed))
- retire.js root (#281816 (closed))
- DAST (#37928 (closed))
- API Security Testing / API Fuzzing (#287702 (closed))
- API Discovery (does not use Docker)
- Coverage Fuzz Testing (does not use Docker)
- gitlab-advanced-sast (FIPS image)
- secrets (FIPS image)
- SAST - semgrep (FIPS image)
- IaC (FIPS image)