Provide alternative UBI image for container scanning image

Why are we doing this work

From Epic:

For US Government customers to use GitLab's container scanning analyzer, they need to have it built on a UBI-based image.

As part of #327785 (closed) we investigated whether the container-scanning image can be built with Trivy on a UBI base image.

In this issue we want to implement this change in the https://gitlab.com/gitlab-org/security-products/analyzers/container-scanning repository.

The new images must be available as .../container-scanning/ubi/trivy:4 and .../container-scanning/ubi/gripe:4 in the GitLab Container Registry, and customers should be able to select them by setting a variable in the GitLab CI/CD YAML file, such as CS_ANALYZER_IMAGE with the full analyzer image path.

Within the scope of this task we also need to ensure that the scan is not performed with sudo or as a privileged user.

Relevant links

Non-functional requirements

  • Documentation: this change and option has to be documented in https://docs.gitlab.com/ee/user/application_security/container_scanning/
  • [-] Feature flag: no need for feature flag, as this is an option that customer will enable manually
  • Performance:
    • Verify and compare the image size between UBI and Alpine
    • Verify and compare the container scanning job duration between UBI and Alpine
  • Testing:
    • Ensure that all unit tests are passing for both the UBI and Alpine images,
    • Ensure that all integration tests are passing for both the UBI and Alpine images,
    • Test distribution-specific code with additional unit tests

Implementation plan

  • documentation add an additional section to https://docs.gitlab.com/ee/user/application_security/container_scanning/ explaining how to use the UBI image in CI/CD,
  • backend add a new Dockerfile.ubi file that builds the UBI image with the container scanning analyzer,
    • backend ensure that it does not use sudo or additional privileges,
  • backend modify the .gitlab-ci.yml file to build the UBI image and to run all unit/integration tests for both images,
  • backend modify lib/gcs/shell.rb to use update-ca-trust extract instead of update-ca-certificates when running in the UBI image,
  • backend modify script/setup.sh to use a directory from mktemp -d instead of /tmp,
  • backend configure spec/fixtures/haproxy.cfg to support both versions of haproxy (from UBI and Alpine),
  • backend modify spec/support/proxy_server.rb to support both the Alpine and UBI images.
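The two backend items that depend on the base distribution (choosing update-ca-trust extract versus update-ca-certificates, and refusing to run the scan with sudo or as root) can be expressed as a small detection helper. The block below is an added example written for this issue, not the analyzer's own lib/gcs/shell.rb: the BaseImage module name, its method names, the sample /etc/os-release contents and the set of ID values treated as the UBI/RHEL family are assumptions made here.

```ruby
# Added example, not code from the container-scanning project.
# Selects the CA-trust refresh command from the base image's
# /etc/os-release and checks that the scan runs unprivileged.
module BaseImage
  # Constructed sample /etc/os-release contents for a UBI image (assumed values).
  UBI_OS_RELEASE = <<~OSR
    NAME="Red Hat Enterprise Linux"
    ID="rhel"
    ID_LIKE="fedora"
    VERSION_ID="8.4"
  OSR

  # Constructed sample /etc/os-release contents for an Alpine image (assumed values).
  ALPINE_OS_RELEASE = <<~OSR
    NAME="Alpine Linux"
    ID=alpine
    VERSION_ID=3.14.0
  OSR

  # IDs treated as the RHEL family on which UBI is based (assumption).
  RHEL_FAMILY = %w[rhel fedora centos].freeze

  # Parse KEY=VALUE lines into a Hash, stripping surrounding double quotes
  # and skipping blank lines and comments.
  def self.parse_os_release(text)
    text.each_line.each_with_object({}) do |line, acc|
      line = line.strip
      next if line.empty? || line.start_with?('#')
      key, _, value = line.partition('=')
      acc[key] = value.gsub(/\A"|"\z/, '')
    end
  end

  # True when ID or any ID_LIKE entry belongs to the RHEL family.
  def self.ubi?(info)
    ids = [info['ID'], *info.fetch('ID_LIKE', '').split].compact
    (ids & RHEL_FAMILY).any?
  end

  # Command (as an argv array, so no shell is involved) that refreshes the
  # system CA bundle after a custom certificate has been added.
  def self.ca_trust_command(os_release_text)
    if ubi?(parse_os_release(os_release_text))
      %w[update-ca-trust extract]
    else
      %w[update-ca-certificates]
    end
  end

  # Fail fast if the scan would run as root or was started through sudo.
  # uid and env are injectable so the check can be tested without root.
  def self.assert_unprivileged!(uid: Process.uid, env: ENV)
    raise 'scan must not run as root' if uid.zero?
    raise 'scan must not be run via sudo' if env.key?('SUDO_USER')
    true
  end
end

if __FILE__ == $PROGRAM_NAME
  # Inside a container this would read the real file; fall back to the sample.
  text = File.exist?('/etc/os-release') ? File.read('/etc/os-release') : BaseImage::UBI_OS_RELEASE
  puts "CA refresh command: #{BaseImage.ca_trust_command(text).join(' ')}"
end
```

Returning the command as an argv array keeps the call site free of string interpolation into a shell, which is also the safer form for the shell.rb wrapper that eventually executes it.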
Edited by Sashi Kumar Kumaresan