Support Scanning FIPS-enabled Images

Release notes

Problem to solve

Customers are unable to use the container scanning image (klar) on hosts that have FIPS mode enabled.

This is because the klar image doesn't support FIPS.

Intended users

  • Delaney (Development Team Lead)
  • Sasha (Software Developer)
  • Devon (DevOps Engineer)
  • Alex (Security Operations Engineer)

User experience goal

  1. Container scanning using Klar will succeed when run on a FIPS 140-2 enabled host against containers that are running with FIPS 140-2 support enabled

Proposal

Change the Klar base image to one that supports FIPS. The recommendation is a UBI-based image (Red Hat Universal Base Image) or another RHEL-derived distribution such as CentOS.

  • Use Adam's patch to switch the base image to a RHEL-based distro: gitlab-org/security-products/analyzers/klar!68 (closed)
  • Register a gitlab-runner from a FIPS-enabled host and attach it to the container_scanning project.

Nice to haves

  • Update clair to 2.1.6
  • Replace the https://github.com/coreos/clair import path with https://github.com/quay/clair (the repository moved) here and here

Further details

Permissions and Security

Documentation

Availability & Testing

  1. An automated test will be added to verify that Container Scanning works for FIPS-enabled images
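An added example, not code from the klar project or from this issue, of the kind of pre-flight check the automated test above could start from: a POSIX shell script for the FIPS-enabled runner host that reads the kernel FIPS flag and then probes the scanner image to confirm its OpenSSL actually enforces the FIPS policy (a FIPS-validated OpenSSL normally refuses MD5 as a stand-alone digest). The scanner image name, the file-path parameter, the `RUN_PREFLIGHT` guard and the use of `openssl md5` as the probe are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not part of klar or the GitLab container_scanning project).
# FIPS pre-flight for a CI job on a FIPS-enabled runner host: check the
# kernel flag, then check that the scanner image's crypto library honours it.
set -u

# Assumed image name; override with the real FIPS-based klar image.
SCANNER_IMAGE="${SCANNER_IMAGE:-registry.example.com/analyzers/klar:fips}"

# Print the kernel FIPS flag: "1" when FIPS mode is on, "0" otherwise.
# The path is a parameter so the logic can be exercised on a constructed file.
fips_state() {
  f="${1:-/proc/sys/crypto/fips_enabled}"
  if [ -r "$f" ]; then
    tr -d '[:space:]' < "$f"
  else
    echo 0   # kernel without the flag: treat as not FIPS
  fi
}

# Classify a probe. Arguments: the FIPS flag seen inside the image and the
# exit status of `openssl md5` run inside it. flag=1 with MD5 succeeding
# means the image's OpenSSL is not enforcing FIPS, i.e. the base image is
# the kind this issue wants replaced.
classify_probe() {
  flag="$1"
  md5_status="$2"
  if [ "$flag" != "1" ]; then
    echo "fips-off"
  elif [ "$md5_status" -eq 0 ]; then
    echo "fips-not-enforced"
  else
    echo "fips-ok"
  fi
}

# Run the probe inside the scanner image (needs docker). The container shares
# the host kernel, so /proc/sys/crypto/fips_enabled reflects the runner host.
probe_image() {
  img="$1"
  flag=$(docker run --rm "$img" cat /proc/sys/crypto/fips_enabled 2>/dev/null || echo 0)
  flag=$(printf '%s' "$flag" | tr -d '[:space:]')
  docker run --rm "$img" openssl md5 /dev/null >/dev/null 2>&1
  md5_status=$?
  classify_probe "$flag" "$md5_status"
}

# Only run the live probe when explicitly asked for and docker is present,
# so the functions above can be sourced and tested without a daemon.
if [ "${RUN_PREFLIGHT:-0}" = "1" ] && command -v docker >/dev/null 2>&1; then
  host=$(fips_state)
  verdict=$(probe_image "$SCANNER_IMAGE")
  echo "host fips_enabled=$host image verdict=$verdict"
  [ "$host" = "1" ] && [ "$verdict" = "fips-ok" ] || exit 1
fi
```

Run it on the FIPS-enabled runner with `RUN_PREFLIGHT=1 SCANNER_IMAGE=<image> sh fips_preflight.sh`; a non-zero exit means either the host is not in FIPS mode or the image's crypto library is not enforcing it, which is the failure the base-image change is meant to remove.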

What does success look like, and how can we measure that?

What is the type of buyer?

Is this a cross-stage feature?

Links / references

Edited Nov 04, 2020 by mo khan