Report gitlab-runner job activity

Release notes

A new GitLab Runner executor has been introduced to provide you with insights on the system behavior of your jobs.

Problem to solve

We already have Package Hunter to monitor system behavior when installing dependencies. This issue is to discuss extending the idea behind Package Hunter to the GitLab Runner: we currently have no insight into the network connections, filesystem activity, and other system behavior generated by CI jobs.
Network connectivity can be filtered on self-hosted instances, because the runners generally run in an isolated (possibly offline) environment with firewalls restricting traffic. This is not available on gitlab.com, where users have no choice other than accepting all traffic in and out. This is obviously a security issue for our customers.

Intended users

User experience goal

The user should be able to use the UI or the API to get information about the system activity generated by a CI job.

Proposal

Users would select a new type of runner (or should this be the new default for the Docker executor?) with augmented capabilities to record system activity.

Further details

Package Hunter runs on specific runners, because they need a specific Linux kernel to run Falco under the hood. If we had runners with this kernel, we could report activity for every running job, not only when checking dependencies. This would allow our users to check for themselves what network activity took place during any kind of job, and detect data exfiltration. This could have been useful for the recent Codecov security incident, where the jobs would have had a trace of the malicious upload.
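As an added example (not part of this issue, and not GitLab, GitLab Runner or Package Hunter code), this is the kind of check a user could run over the per-job activity described above. It assumes the runner stores Falco events as newline-delimited JSON and tags each event with the job's container id; the rule name, container ids, processes and network ranges are constructed for the example.

```python
import json
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample of Falco-style JSON events (not a real capture). The
# output_fields names follow Falco's field naming (fd.sip = server IP,
# fd.sport = server port); the rule name and container ids are assumptions.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"rule": "Outbound Connection", "priority": "Notice",
     "output_fields": {"container.id": "job-abc123", "proc.name": "git",
                       "fd.sip": "10.0.5.20", "fd.sport": 443}},
    {"rule": "Outbound Connection", "priority": "Notice",
     "output_fields": {"container.id": "job-abc123", "proc.name": "npm",
                       "fd.sip": "10.0.6.1", "fd.sport": 443}},
    {"rule": "Outbound Connection", "priority": "Notice",
     "output_fields": {"container.id": "job-abc123", "proc.name": "curl",
                       "fd.sip": "203.0.113.9", "fd.sport": 8080}},
    {"rule": "Write below etc", "priority": "Error",
     "output_fields": {"container.id": "job-abc123", "proc.name": "sh",
                       "fd.name": "/etc/passwd"}},
    {"rule": "Outbound Connection", "priority": "Notice",
     "output_fields": {"container.id": "job-other", "proc.name": "curl",
                       "fd.sip": "198.51.100.7", "fd.sport": 80}},
])

# Destinations a job is expected to reach (the GitLab instance, the internal
# package registry); a constructed range standing in for a real allowlist.
EXPECTED_NETWORKS = [ip_network("10.0.0.0/8")]


def job_network_report(ndjson, container_id, expected=EXPECTED_NETWORKS):
    """Return (connections, unexpected) for one job's container.

    connections: {(process, server_ip, port): count} of outbound connections.
    unexpected: those keys whose destination lies outside the expected
    networks, i.e. the candidates to review for data exfiltration.
    """
    connections = defaultdict(int)
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        fields = json.loads(line).get("output_fields", {})
        if fields.get("container.id") != container_id:
            continue  # event belongs to another job
        if "fd.sip" not in fields:
            continue  # not a network event (e.g. a file-write rule)
        key = (fields.get("proc.name"), fields["fd.sip"], fields.get("fd.sport"))
        connections[key] += 1
    unexpected = [k for k in connections
                  if not any(ip_address(k[1]) in net for net in expected)]
    return dict(connections), unexpected
```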

Permissions and Security

Documentation

Availability & Testing

Available Tier

What does success look like, and how can we measure that?

What is the type of buyer?

Is this a cross-stage feature?

Links / references

Edited by 🤖 GitLab Bot 🤖