Provide alternative UBI image for container scanning image
Why are we doing this work
From Epic:

For US Government customers to use GitLab's container scanning analyzer, they need to have it built on a UBI-based image.

As a part of #327785 (closed) we have investigated whether we can build the container-scanning image with Trivy on a UBI image.

In this issue we want to implement this change in the https://gitlab.com/gitlab-org/security-products/analyzers/container-scanning repository.

The new image must be available as `.../container-scanning/ubi/trivy:4` and `.../container-scanning/ubi/gripe:4` in the GitLab Container Registry, and customers should be able to choose it by providing a variable in the GitLab CI/CD YAML file, like `CS_ANALYZER_IMAGE`, with the full analyzer image path.

In scope of this task we also need to ensure that we are not using `sudo` or a privileged user to perform the scan.
Relevant links
Non-functional requirements

- Documentation: this change and option has to be documented in https://docs.gitlab.com/ee/user/application_security/container_scanning/
- Feature flag: no need for a feature flag, as this is an option that the customer will enable manually
- Performance:
  - Verify and compare the image size between UBI and Alpine
  - Verify and compare the container scanning job duration between UBI and Alpine
- Testing:
  - Ensure that all unit tests are passing for both the UBI and Alpine images
  - Ensure that all integration tests are passing for both the UBI and Alpine images
  - Test distribution-specific code with additional unit tests
Implementation plan

- documentation: add an additional section to https://docs.gitlab.com/ee/user/application_security/container_scanning/ explaining how to use the UBI image in CI/CD
- backend: add a new `Dockerfile.ubi` file that will build the UBI image with the container scanning analyzer
- backend: ensure that it is not using `sudo` or additional privileges
- backend: modify the `.gitlab-ci.yml` file to build the image for UBI and to run all unit/integration tests for both images
- backend: modify `lib/gcs/shell.rb` to use `update-ca-trust extract` instead of `update-ca-certificates` when operating in the UBI image
- backend: modify `script/setup.sh` to use the directory from `mktemp -d` instead of `/tmp`
- backend: configure `spec/fixtures/haproxy.cfg` to support both versions of haproxy (from UBI and Alpine)
- backend: modify `spec/support/proxy_server.rb` to support both Alpine and UBI images
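The two backend items above that touch privileges and the CA trust store (choosing `update-ca-trust extract` on UBI versus `update-ca-certificates` on Alpine, and never falling back to `sudo`) can be made distribution-aware by reading `/etc/os-release` at runtime. The following is an added illustration, not the analyzer's own `lib/gcs/shell.rb`; the module name `CaTrust` and the embedded os-release samples are constructed for this example.

```ruby
# Added example (not code from the container-scanning analyzer): pick the
# CA-trust refresh command from /etc/os-release so one code path serves the
# Alpine and UBI images, and check that the scan is not running as root.
module CaTrust
  module_function

  # Parse the KEY=value lines of /etc/os-release; values may be double-quoted.
  def parse_os_release(text)
    text.each_line.with_object({}) do |line, fields|
      line = line.strip
      next if line.empty? || line.start_with?('#')
      key, _, value = line.partition('=')
      fields[key] = value.delete('"')
    end
  end

  # UBI reports ID="rhel" (ID_LIKE="fedora"); Alpine reports ID=alpine.
  # Anything else is :unknown so that callers fail closed instead of guessing.
  def detect_distro(os_release_text)
    fields = parse_os_release(os_release_text)
    ids = [fields['ID'], *fields.fetch('ID_LIKE', '').split].compact
    return :ubi if ids.any? { |id| %w[rhel fedora centos].include?(id) }
    return :alpine if ids.include?('alpine')
    :unknown
  end

  # Command (argv array, never a shell string) that imports a custom CA
  # bundle into the system trust store for the detected base image.
  def ca_update_command(distro)
    case distro
    when :ubi then %w[update-ca-trust extract]
    when :alpine then %w[update-ca-certificates]
    else raise ArgumentError, "unsupported base image: #{distro}"
    end
  end

  # The scan must run as an unprivileged user; there is no sudo fallback.
  def unprivileged?(euid = Process.euid)
    euid != 0
  end
end

# Constructed os-release samples standing in for the two analyzer images.
UBI_OS_RELEASE = "NAME=\"Red Hat Enterprise Linux\"\nID=\"rhel\"\nID_LIKE=\"fedora\"\nVERSION_ID=\"8.4\"\n"
ALPINE_OS_RELEASE = "NAME=\"Alpine Linux\"\nID=alpine\nVERSION_ID=3.14.0\n"

if __FILE__ == $PROGRAM_NAME
  [UBI_OS_RELEASE, ALPINE_OS_RELEASE].each do |sample|
    distro = CaTrust.detect_distro(sample)
    puts "#{distro}: #{CaTrust.ca_update_command(distro).join(' ')} (unprivileged=#{CaTrust.unprivileged?})"
  end
end
```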