Provide alternative UBI image for container scanning image

Why are we doing this work

From Epic:

For US Government customers to use GitLab's container scanning analyzer, they need to have it built on a UBI-based image.

As part of #327785 (closed) we investigated whether the container-scanning image with Trivy can be built on a UBI base image.

In this issue we want to implement this change in the https://gitlab.com/gitlab-org/security-products/analyzers/container-scanning repository.

The new images must be available as .../container-scanning/ubi/trivy:4 and .../container-scanning/ubi/grype:4 in the GitLab Container Registry, and customers should be able to select one by setting a variable in the GitLab CI/CD YAML file, for example CS_ANALYZER_IMAGE with the full analyzer image path.
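
As an added illustration (not text from this issue or from the GitLab docs), this is the kind of .gitlab-ci.yml a customer would write to opt into the UBI Trivy image. The include template name Security/Container-Scanning.gitlab-ci.yml and the registry prefix registry.gitlab.com/security-products are assumptions from my knowledge of GitLab, not something this page states; the issue only gives the path suffix .../container-scanning/ubi/trivy:4.

```yaml
# Added example; not part of the issue text.
# Assumed: the template name below and the registry prefix
# registry.gitlab.com/security-products (the issue elides the prefix).
include:
  - template: Security/Container-Scanning.gitlab-ci.yml

container_scanning:
  variables:
    # Full analyzer image path, as the issue requires for CS_ANALYZER_IMAGE.
    # Swap "trivy" for "grype" to use the UBI Grype image instead.
    CS_ANALYZER_IMAGE: registry.gitlab.com/security-products/container-scanning/ubi/trivy:4
```

Because the variable carries the full path, a customer who mirrors the analyzer into their own registry (common for air-gapped or FedRAMP environments) sets the same variable to the mirrored path; nothing else in the job changes.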

Within the scope of this task we also need to ensure that the scan is not performed via sudo or as a privileged user.

Non-functional requirements

  • Documentation: this change and the new option have to be documented in https://docs.gitlab.com/ee/user/application_security/container_scanning/
  • Feature flag: not needed, as this is an option that the customer enables manually
  • Performance:
    • Measure and compare the image size of the UBI and Alpine images
    • Measure and compare the container scanning job duration with the UBI and Alpine images
  • Testing:
    • Ensure that all unit tests pass for both the UBI and Alpine images
    • Ensure that all integration tests pass for both the UBI and Alpine images
    • Cover distribution-specific code with additional unit tests

Implementation plan

  • documentation: add a section to https://docs.gitlab.com/ee/user/application_security/container_scanning/ explaining how to use the UBI image in CI/CD
  • backend: add a new Dockerfile.ubi that builds the UBI image with the container scanning analyzer
    • backend: ensure that it does not use sudo or additional privileges
  • backend: modify .gitlab-ci.yml to build the UBI image and to run all unit/integration tests for both images
  • backend: modify lib/gcs/shell.rb to use update-ca-trust extract instead of update-ca-certificates when running in the UBI image
  • backend: modify script/setup.sh to use a directory created with mktemp -d instead of a fixed path under /tmp, so the scratch directory has an unpredictable name and is private to the scanning user
  • backend: configure spec/fixtures/haproxy.cfg to support both versions of HAProxy (from UBI and from Alpine)
  • backend: modify spec/support/proxy_server.rb to support both the Alpine and UBI images
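
As an added example (not code from the container-scanning project), the Ruby below shows one way to handle the distribution-specific items in the plan above: picking update-ca-trust extract on UBI and update-ca-certificates on Alpine, creating a private scratch directory instead of writing to /tmp, and checking that the scan is not running as root and has no sudo available. The module and method names (UbiSupport, distro_family, scratch_dir, running_unprivileged?) are hypothetical, the two /etc/os-release samples are constructed, and the CA anchor directories are the standard RHEL-family and Alpine locations rather than something the issue specifies.

```ruby
require 'tmpdir'

# Added example, not the analyzer's own code. Names are hypothetical; only the
# two CA-trust commands and the UBI/Alpine split come from the issue text.
module UbiSupport
  # Command that rebuilds the CA bundle after a custom CA file is dropped in.
  CA_TRUST_COMMANDS = {
    ubi: %w[update-ca-trust extract],
    alpine: %w[update-ca-certificates]
  }.freeze

  # Standard locations where a custom CA certificate is placed before running
  # the command above (assumed from the distributions, not from the issue).
  CA_ANCHOR_DIRS = {
    ubi: '/etc/pki/ca-trust/source/anchors',
    alpine: '/usr/local/share/ca-certificates'
  }.freeze

  # Parse the KEY=value lines of an os-release file; values may be quoted.
  def self.parse_os_release(text)
    text.each_line.with_object({}) do |line, info|
      line = line.strip
      next if line.empty? || line.start_with?('#')

      key, _sep, value = line.partition('=')
      info[key] = value.delete_prefix('"').delete_suffix('"')
    end
  end

  # Decide the family from ID and ID_LIKE. Raise rather than guess: running the
  # wrong command would silently leave the CA bundle stale.
  def self.distro_family(os_release_text)
    info = parse_os_release(os_release_text)
    ids = [info['ID'], *info['ID_LIKE'].to_s.split].compact
    return :alpine if ids.include?('alpine')
    return :ubi if (ids & %w[rhel fedora centos]).any?

    raise ArgumentError, "unsupported distribution: #{ids.inspect}"
  end

  def self.ca_trust_command(os_release_text)
    CA_TRUST_COMMANDS.fetch(distro_family(os_release_text))
  end

  def self.ca_anchor_dir(os_release_text)
    CA_ANCHOR_DIRS.fetch(distro_family(os_release_text))
  end

  # Ruby counterpart of `mktemp -d`: random name, mode 0700, so another user on
  # the host cannot pre-create or symlink the path the scanner writes to.
  def self.scratch_dir(prefix = 'gcs-')
    Dir.mktmpdir(prefix)
  end

  # The scan must neither run as root nor rely on sudo being present.
  def self.running_unprivileged?(uid: Process.euid, sudo_present: sudo_on_path?)
    uid != 0 && !sudo_present
  end

  def self.sudo_on_path?
    ENV.fetch('PATH', '').split(File::PATH_SEPARATOR).any? do |dir|
      File.executable?(File.join(dir, 'sudo'))
    end
  end
end

# Constructed os-release samples, not captured from real images.
UBI_OS_RELEASE = <<~OS_RELEASE
  NAME="Red Hat Enterprise Linux"
  ID="rhel"
  ID_LIKE="fedora"
  VERSION_ID="8.6"
OS_RELEASE

ALPINE_OS_RELEASE = <<~OS_RELEASE
  NAME="Alpine Linux"
  ID=alpine
  VERSION_ID=3.16.0
OS_RELEASE

if $PROGRAM_NAME == __FILE__
  [UBI_OS_RELEASE, ALPINE_OS_RELEASE].each do |sample|
    puts "#{UbiSupport.distro_family(sample)}: #{UbiSupport.ca_trust_command(sample).join(' ')}"
  end
  dir = UbiSupport.scratch_dir
  puts "scratch dir #{dir} mode #{format('%o', File.stat(dir).mode & 0o777)}"
  Dir.rmdir(dir)
  puts "unprivileged: #{UbiSupport.running_unprivileged?}"
end
```

In the real image the os-release text would come from File.read('/etc/os-release'); the explicit ArgumentError on an unknown family is deliberate, so that a future base-image switch fails the job loudly instead of leaving a custom CA unused.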
Edited by Sashi Kumar Kumaresan