Spike: Does building the Brakeman image based on a Distroless image break the scanner
Topic to Evaluate
The goal of this spike is to determine whether or not building the Brakeman image from a distroless base works easily or whether additional development work is required.
Tasks to Evaluate
For the tasks in this evaluation, a good candidate to start with would be Brakeman, as its Dockerfile is fairly representative of the average SAST Dockerfile (golang-based, needs a package manager to download some tools, etc.).
- Determine which distroless image to use as the base (probably `golang:1.15/16`). Won't work with distroless.
- Can the Brakeman image be built based on a distroless image? No.
- Does the scan work successfully when built from a distroless image?
  - If yes, then this spike is complete.
  - If no, then please estimate the time that would be required to get a working UBI-based image. (#328578 (comment 594656446))
- Determine the size difference from the current image. (#328578 (comment 594666600))
Risks and Implementation Considerations
- Distroless images typically don't use a package manager. If we are using the local package manager at all, then it is likely that we will need to make changes to get the image to work.
- If the image is considerably larger than the existing one, we'll need to evaluate the performance impact (e.g. job duration).
- A subset of our analyzers default to building projects because they either work as part of the language's compiler or upon the compiler's output (e.g. gosec, security-code-scan, spotbugs). How do we preserve this ability in a distroless container?
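The usual way to keep a package manager out of the runtime image while still using one at build time is a multi-stage Dockerfile: the first stage runs on a full distribution image and does the `apt-get`/`go build` work, and the second stage starts from a distroless image and only copies the finished artifact in. The following is an added example, not the Brakeman project's own Dockerfile; it assumes a hypothetical Go analyzer at `./cmd/analyzer` and uses the public `golang:1.16` and `gcr.io/distroless/static-debian11` images.

```dockerfile
# Added example, not the project's Dockerfile. Assumes a hypothetical Go
# analyzer whose main package lives at ./cmd/analyzer in the build context.

# --- Stage 1: full distribution image; the package manager is available here ---
FROM golang:1.16 AS builder
WORKDIR /src

# All package-manager work happens in this stage and never reaches the runtime image.
RUN apt-get update \
    && apt-get install -y --no-install-recommends git ca-certificates \
    && rm -rf /var/lib/apt/lists/*

# Resolve module dependencies before copying the rest of the tree so the layer caches.
COPY go.mod go.sum ./
RUN go mod download
COPY . .

# Build a fully static binary: distroless/static ships no libc, so CGO must be off.
RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w" -o /out/analyzer ./cmd/analyzer

# --- Stage 2: distroless runtime; no shell, no package manager, non-root by default ---
FROM gcr.io/distroless/static-debian11:nonroot

# Only the compiled artifact (and nothing from apt) is copied across.
COPY --from=builder /out/analyzer /analyzer

USER nonroot
# There is no /bin/sh in this image, so RUN steps are impossible here and the
# entrypoint must use exec form rather than a shell string.
ENTRYPOINT ["/analyzer"]
```

This pattern resolves the first risk (no package manager at runtime) but not the third: an analyzer that has to compile the scanned project still needs the language toolchain inside the runtime image, and `distroless/static` provides none, so those analyzers would need a larger base (or a build step that copies the toolchain in) rather than this minimal one.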
Exit criteria
- Implementation issues created and attached to &6069 (closed). (#328578 (comment 594930427))
- Rough order-of-magnitude estimate of work for the entire epic. (#328578 (comment 594782832)) Please note this isn't a project duration estimate.
- Recommendations for how many folks should be in the engineering team to deliver the work. (#328578 (comment 594787451))
- Best guess at any prerequisite work required before starting this effort. (#328578 (comment 594784735))
Edited by Daniel Paul Searles