Secret and SAST analyzer support for OpenShift
Proposal
The analyzers that are maintained by groupstatic analysis should support OpenShift deployments. We can follow an implementation plan similar to how groupcomposition analysis updated their analyzers and tests to support Openshift deployments
Tasks
Verify
- Ensure you can log in to the Red Hat Open Shift instance using the credentials from the
Secure Openshiftin the GitLab engineering 1Password vault - Import the analyzer QA test projects into the previously mentioned Open Shift instance
- In the Open Shift instance, run the test project's pipeline to see if any errors occur. If no errors have occurred you can skip the Update set of tasks.
Update
- Make the necessary changes to your analyzer (most likely a Dockerfile change) to support Open Shift.
- Push the changes to a branch.
- Copy the tmp image built from your commit with the changes to support Open Shift
- In your analyzers' test project(s) run a pipeline w/
SAST_ANALYZER_IMAGEset to the tmp image that was copied in the step above.
- If no errors have occurred then move onto Report, otherwise repeat Step 1-5 until you have a working pipeline.
Report
- Mark the assigned analyzer as done and update the bullet point with this template:
- [ ] analyzer | link-to-passing-open-shift-job | {no changes needed, or link to MR}
Assignments
-
brakeman | http://gitlab.apps.secure-stage-openshift-test.k8s-ft.win/root/ruby-bundler-rails/-/jobs/940 | no changes needed -
phpcs-security-audit | http://gitlab.apps.secure-stage-openshift-test.k8s-ft.win/root/php-composer/-/jobs/963 | no changes needed -
security-code-scan | http://gitlab.apps.secure-stage-openshift-test.k8s-ft.win/root/csharp-dotnetcore-multiproject/-/pipelines/311 | gitlab-org/security-products/analyzers/security-code-scan!79 (merged) -
bandit | http://gitlab.apps.secure-stage-openshift-test.k8s-ft.win/root/python-pipenv/-/jobs/978 | no changes needed -
eslint | http://gitlab.apps.secure-stage-openshift-test.k8s-ft.win/root/js/-/jobs/982 | no changes needed
-
flawfinder| http://gitlab.apps.secure-stage-openshift-test.k8s-ft.win/root/c/-/jobs/831 | http://gitlab.apps.secure-stage-openshift-test.k8s-ft.win/root/cplusplus/-/jobs/833 | no changes needed -
gosec | gitlab-org/security-products/analyzers/gosec!97 (merged) -
sobelow | gitlab-org/security-products/analyzers/sobelow!54 (merged) -
pmd-apex | http://gitlab.apps.secure-stage-openshift-test.k8s-ft.win/root/apex-salesforce/-/jobs/870 | no changes needed
-
kubesec | http://gitlab.apps.secure-stage-openshift-test.k8s-ft.win/root/kubernetes/-/jobs/792 | no changes needed -
nodejs-scan | http://gitlab.apps.secure-stage-openshift-test.k8s-ft.win/root/nodejs/-/jobs/713 | no changes needed -
secrets | http://gitlab.apps.secure-stage-openshift-test.k8s-ft.win/root/secrets/-/jobs/711 | no changes needed -
❌ mobSF | http://gitlab.apps.secure-stage-openshift-test.k8s-ft.win/root/java-android/-/jobs/907 | unable to get this working, see #323118 (comment 547058938) for discussion -
spotbugs | http://gitlab.apps.secure-stage-openshift-test.k8s-ft.win/root/java-maven/-/jobs/874 | gitlab-org/security-products/analyzers/spotbugs!95 (merged)
Documentation
-
Document OpenShift constraints for SAST analyzers requiring they work for SELinux. https://docs.gitlab.com/ee/user/application_security/sast/analyzers.html#sast-analyzer-features seems like the right place to include this information.
Edited by Zach Rice