Add way to specify a custom certificate chain in the gemnasium-python analyzer
Problem to solve
Users with custom PyPI repositories and custom CA chains currently need a workaround to get Dependency Scanning to work.
Instead of being able to add their certificate to the analyzer via the CI > Variables section, users must add trusted-host entries and inject a pip.conf into the analyzer docker image at scan time (see the documentation).
The current state of using this analyzer with custom certificates is cumbersome and requires editing the CI template. It would be much better if users could simply supply a variable to the analyzer.
Intended users
Personas are described at https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/
Proposal
Allow the gemnasium-python analyzer to pick up the ADDITIONAL_CA_CERT_BUNDLE variable at scan time and pass it into pip's PIP_CERT environment variable during the pip and pipenv build phases.
Using this variable together with PIP_INDEX_URL, users will be able to use private repos and custom CA certificate chains without modifying the template or making scan-time additions to the analyzer.
Implementation plan
- pass the certificate specified in ADDITIONAL_CA_CERT_BUNDLE to pip install and pipenv install as PIP_CERT (or PIP_CLIENT_CERT?)
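As an added illustration of the wiring proposed above (example code, not the analyzer's own), the shell function below writes the PEM chain from ADDITIONAL_CA_CERT_BUNDLE to a file and exports it as PIP_CERT before the pip/pipenv phase. It assumes, as with other GitLab analyzers, that the variable holds the PEM text itself; the output path and optional system-bundle path are hypothetical parameters.

```shell
#!/bin/sh
# Example wiring of ADDITIONAL_CA_CERT_BUNDLE into pip's PIP_CERT.
# Assumption: ADDITIONAL_CA_CERT_BUNDLE contains the PEM-encoded CA chain.
# This is illustrative code, not the gemnasium-python analyzer's own.

# configure_pip_ca OUTFILE [SYSTEM_BUNDLE]
# Writes the custom chain to OUTFILE and exports PIP_CERT=OUTFILE.
# Caveat: PIP_CERT *replaces* pip's default CA store rather than extending it,
# so when SYSTEM_BUNDLE is given its roots are copied in first; otherwise pip
# would stop trusting public PyPI while trusting only the private registry.
# Returns 1 (and leaves PIP_CERT untouched) when the variable is unset, empty,
# or does not look like PEM, so the default trust store stays in effect.
configure_pip_ca() {
    out=$1
    sys=${2:-}
    if [ -z "${ADDITIONAL_CA_CERT_BUNDLE:-}" ]; then
        echo "ADDITIONAL_CA_CERT_BUNDLE not set; keeping pip's default trust store" >&2
        return 1
    fi
    case $ADDITIONAL_CA_CERT_BUNDLE in
        *"-----BEGIN CERTIFICATE-----"*) ;;
        *)
            echo "ADDITIONAL_CA_CERT_BUNDLE is not a PEM certificate bundle" >&2
            return 1
            ;;
    esac
    : > "$out"
    if [ -n "$sys" ] && [ -r "$sys" ]; then
        cat "$sys" > "$out"
    fi
    printf '%s\n' "$ADDITIONAL_CA_CERT_BUNDLE" >> "$out"
    chmod 0644 "$out"
    PIP_CERT=$out
    export PIP_CERT
    return 0
}

# count_certs FILE: number of certificates in a PEM bundle, useful as a
# sanity check in the analyzer log before the install step runs.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Intended use in the scan step (not executed here):
#   configure_pip_ca /tmp/ca-bundle.pem /etc/ssl/certs/ca-certificates.crt \
#       && pip install -r requirements.txt
```

Because the function only exports PIP_CERT on success, a missing or malformed variable leaves the default behaviour unchanged instead of breaking every TLS connection pip makes.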
Documentation
- update offline documentation
Availability & Testing
- test in the python-pip and python-pipenv test projects with a custom PyPI registry
What does success look like, and how can we measure that?
Users will be able to pass in a custom PyPI repo with a self-signed certificate and have the analyzer scan without certificate errors.
Is this a cross-stage feature?
No.
Links / references
Related: #214398 (closed)