
Design: Lock down write access to Secure's container registry

Proposal

The Secure templates pull analyzer images from a container registry to which all GitLab team members have write access. It's safe to assume that these templates are executed in many CI pipelines on gitlab.com and self-hosted installations. Consequently, if an attacker managed to manipulate these images, the CI pipelines of many projects would be compromised. To make such a scenario less likely, we should lock down write access to Secure's container registry to a small group of team members that actually need write access.

Due to how permission inheritance for subgroups works in GitLab, I think the best option for locking down write access is to move the container registry to a group outside of gitlab-org.

This issue is a spin-off from a discussion in https://gitlab.com/gitlab-org/gitlab/-/issues/290103#note_458948651.

Details

  1. Each Docker image currently published under https://gitlab.com/gitlab-org/security-products/ is to be published under the new location.
  2. All references to the images are to be updated with the new location (including but not limited to CI templates and documentation).
  3. Set up monitoring for use of the new and old locations.
  4. Announce deprecation of old locations.
  5. Stop publishing images to old locations.

Responsibilities

Each group in the Sec Section is responsible for:

  1. Managing the deprecation and removal schedule for their artifacts, and creating issues for this purpose.
  2. Creating and configuring the projects under the new location.
  3. Configuring their builds to push release artifacts to the new location.
  4. Removing or keeping images in old locations according to their own support agreements.

Group and project settings

  • New group: https://gitlab.com/security-products/
  • Project path: https://gitlab.com/security-products/<PROJECT>, where PROJECT maps to a given feature category (example). It's been decided to group analyzers per feature category as it's easier to manage and provides an acceptable level of security.
    • Old registry address: registry.gitlab.com/gitlab-org/security-products/analyzers/<PROJECT>/<IMAGE_NAME>:[TAG]
    • New registry address: registry.gitlab.com/security-products/<PROJECT>/<IMAGE_NAME>:[TAG]
  • Permissions
    • Top-level group
      • Maintainer: @gitlab-org/secure/managers, @gitlab-org/protect/managers
    • Project level
      • A deploy token with read_registry and write_registry access is used to push images.
      • The token will be entered by its creator as a secret variable for protected branches on the originating project (i.e. the project under https://gitlab.com/gitlab-org/security-products/)
  • Project Settings
    • Visibility, project features, permissions
      • Public; uncheck "Users can request access"
      • Disable: Issues, Merge requests, Forks, Git LFS, Packages, CI/CD, Requirements, Wiki, Snippets, Pages, Operations.
    • Service Desk: disable

Other

It would be nice to have a script that uses the API to create projects using the required settings above.

cc @tstadelhofer @twoodham

Edited by Olivier Gonzalez
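
One possible shape for the script mentioned under "Other", as an added example that is not part of the original issue or GitLab's own tooling: it creates a project, applies the settings listed above, creates the registry deploy token, and fails if any setting did not stick. The attribute names follow the GitLab Projects REST API and should be checked against the instance's version (the operations attribute in particular is version-dependent); the token name `registry-push` and the helper names are hypothetical.

```python
import json
import urllib.request

API = "https://gitlab.com/api/v4"  # assumption: gitlab.com; change for self-hosted

# Settings from the "Project Settings" list, as Projects API attributes.
REQUIRED = {
    "visibility": "public",
    "request_access_enabled": False,   # uncheck "Users can request access"
    "service_desk_enabled": False,
    "lfs_enabled": False,
    "packages_enabled": False,
    **{f"{feature}_access_level": "disabled" for feature in (
        "issues", "merge_requests", "forking", "builds", "requirements",
        "wiki", "snippets", "pages", "operations")},
}

def drift(project):
    """Return {attribute: (actual, expected)}; a missing attribute counts as drift."""
    return {k: (project.get(k), want) for k, want in REQUIRED.items()
            if project.get(k) != want}

def _call(method, path, token, body):
    req = urllib.request.Request(
        f"{API}{path}", method=method, data=json.dumps(body).encode(),
        headers={"PRIVATE-TOKEN": token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def create_locked_project(token, namespace_id, path):
    """Create the project, apply REQUIRED, add the push token, then verify."""
    project = _call("POST", "/projects", token,
                    {"path": path, "namespace_id": namespace_id,
                     "visibility": "public"})
    project = _call("PUT", f"/projects/{project['id']}", token, REQUIRED)
    deploy = _call("POST", f"/projects/{project['id']}/deploy_tokens", token,
                   {"name": "registry-push",  # hypothetical token name
                    "scopes": ["read_registry", "write_registry"]})
    remaining = drift(project)
    if remaining:  # fail closed rather than publish from a misconfigured project
        raise RuntimeError(f"settings not applied: {remaining}")
    return project["web_url"], deploy["token"]

if __name__ == "__main__":
    # Constructed sample of a GET /projects/:id response, not real data.
    sample = {**REQUIRED, "id": 1, "wiki_access_level": "enabled"}
    print(drift(sample))
```

`drift()` can also be run on its own against existing projects in the new group to detect settings that were changed after creation.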