Stop using root in container scanning analyzer
Why are we doing this work
- Follow container security best practice
- Enable our analyzer to run on OpenShift
Relevant links
Non-functional requirements
- [ ] Documentation:
- [ ] Feature flag:
- [ ] Performance:
- [ ] Testing:
Implementation plan
There should be no use case in which dependencies need to be installed on the gitlab-klar/gcs container. This differs from other analyzers where, sometimes, the project needs to be built before it is analyzed. Klar/gcs downloads and scans a Docker image which, by definition, is already built, so the container needs no package manager access and no root privileges at runtime.
gcs
- Add a non-root user to the container.
- `ADDITIONAL_CA_CERT_BUNDLE` content gets written to `/usr/local/share/ca-certificates/custom.crt`, which a non-root user would not have permission to read/write. It has to be changed to a directory that the non-root user has permission to read/write. Maybe something similar to how it's done in the eslint analyzer?
- `WORKDIR` points to the root directory, which a non-root user would not have permission to read/write. It has to be changed to a directory that the non-root user has permission to read/write.
- Test the analyzer running as a non-root user in an OpenShift environment.
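The three Dockerfile changes above, written out as one possible image definition. This is an added example, not the gcs project's own Dockerfile: the base image, the `gitlab` user and UID 1001, the `/home/gitlab` paths, the `/usr/local/bin/analyzer` binary location and the `CA_CERT_PATH` variable name are all assumptions. It also goes slightly beyond the checklist in two places: it gives the directories GID 0 group ownership, because OpenShift's restricted SCC ignores the image's UID and runs the container as an arbitrary UID that is always a member of the root group; and it points `SSL_CERT_FILE` at the user-writable bundle, which Go's crypto/x509 honours on Linux (klar is a Go binary), so the bundle never has to go through `update-ca-certificates`, which needs root.

```dockerfile
# Added example, not the gcs project's Dockerfile. Base image, user, UID,
# paths and the CA_CERT_PATH variable are assumptions for illustration.
FROM debian:bullseye-slim

# System CA store so ordinary registries keep working; the custom bundle
# is added on top of it, not instead of it.
RUN apt-get update \
    && apt-get install -y --no-install-recommends ca-certificates \
    && rm -rf /var/lib/apt/lists/*

# Hypothetical location of the analyzer binary.
COPY analyzer /usr/local/bin/analyzer

# Dedicated non-root user whose primary group is GID 0 (root group).
# OpenShift's restricted SCC runs the container as an arbitrary UID that
# is always in GID 0, so group ownership, not user ownership, is what
# makes a directory writable there.
RUN useradd --uid 1001 --gid 0 --create-home --home-dir /home/gitlab \
        --shell /usr/sbin/nologin gitlab

# Writable home for WORKDIR and for the custom CA bundle. "g=u" gives the
# root group the same rights as the owner, so any UID in GID 0 can write.
RUN mkdir -p /home/gitlab/.ca \
    && chgrp -R 0 /home/gitlab \
    && chmod -R g=u /home/gitlab

# The analyzer writes ADDITIONAL_CA_CERT_BUNDLE to CA_CERT_PATH (assumed
# variable name) at runtime. SSL_CERT_FILE makes Go's TLS stack load that
# file in addition to the system store under /etc/ssl/certs, without
# touching /usr/local/share/ca-certificates, which only root can modify.
# Go ignores the file if it does not exist, so an unset bundle is harmless.
ENV CA_CERT_PATH=/home/gitlab/.ca/custom.crt \
    SSL_CERT_FILE=/home/gitlab/.ca/custom.crt

# WORKDIR in a directory the user owns instead of "/", then drop
# privileges. A numeric USER lets Kubernetes' runAsNonRoot check verify
# the image without resolving /etc/passwd.
WORKDIR /home/gitlab
USER 1001

ENTRYPOINT ["/usr/local/bin/analyzer"]
```

To check the image the way OpenShift will run it, start it with a random high UID in the root group and try to write to both locations, for example `docker run --rm --user 1000650000:0 --entrypoint sh <image> -c 'touch "$CA_CERT_PATH" && touch ./scratch && id'`. If either `touch` fails, the `chgrp`/`chmod g=u` step did not cover that path. Running the same command with `--user 1001` is not sufficient on its own, because that only proves the image works for the UID baked into it.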
Edited by Sashi Kumar Kumaresan