Add Docker image size QA check for Analyzers
Problem to solve
We don't track the size of the generated Docker images, so an update could drastically increase it without anyone noticing.
Intended users
devopssecure team members
Proposal
To make sure we don't increase the size of these Docker images unintentionally after an update, we need to track them and ensure they stay within a given threshold.
- add an expected size + accepted variation in the Analyzer projects (see below for progress)
- add a Docker image size comparison logic in the Analyzer pipeline
- make the Analyzer pipeline fail when the size increases by more than X percent or X Kb (to be determined)
We can get the size of the image with
docker image inspect <image> --format {{.Size}}
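The comparison logic described above, as an added example and not code from the analyzers' pipelines: the image size is read with the `docker image inspect` command from this issue and compared against an expected size with both a percentage and an absolute Kb allowance (the function names and the two-threshold rule are assumptions, since the exact limits are still to be determined).

```shell
#!/bin/sh
# Added example, not the analyzers' own QA code. Fails when the image grew by
# more than MAX_PERCENT percent OR more than MAX_KB kilobytes over EXPECTED_BYTES.

# size_within_threshold ACTUAL_BYTES EXPECTED_BYTES MAX_PERCENT MAX_KB
# Returns 0 when the increase is within both limits, 1 otherwise.
# A smaller image than expected always passes (only growth is checked).
size_within_threshold() {
  actual="$1"; expected="$2"; max_pct="$3"; max_kb="$4"
  increase=$(( actual - expected ))
  [ "$increase" -le 0 ] && return 0
  pct_limit=$(( expected * max_pct / 100 ))   # integer arithmetic only
  kb_limit=$(( max_kb * 1024 ))
  [ "$increase" -le "$pct_limit" ] && [ "$increase" -le "$kb_limit" ]
}

# check_image_size IMAGE EXPECTED_BYTES MAX_PERCENT MAX_KB
# Reads the size with the command from the issue and exits non-zero on failure,
# which is what makes the pipeline job fail. Needs the docker CLI and the image.
check_image_size() {
  image="$1"; expected="$2"; max_pct="$3"; max_kb="$4"
  actual=$(docker image inspect "$image" --format '{{.Size}}') || {
    echo "ERROR: cannot inspect $image" >&2; return 2; }
  if size_within_threshold "$actual" "$expected" "$max_pct" "$max_kb"; then
    echo "OK: $image is $actual bytes (expected $expected, +$max_pct%/+${max_kb}Kb allowed)"
  else
    echo "FAIL: $image is $actual bytes, exceeds $expected by more than $max_pct% or ${max_kb}Kb" >&2
    return 1
  fi
}

# Example invocation with placeholder values (EXPECTED_SIZE etc. would live in
# the analyzer project, e.g. as CI variables); uncomment to run in a pipeline:
# check_image_size "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA" "$EXPECTED_SIZE" 10 5120
```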
Documentation
This should be added as part of our analyzer documentation: https://gitlab.com/gitlab-org/security-products/analyzers/common#analyzers-common-library
Testing
Try to make the QA fail by generating a Docker image that goes over the threshold.
What does success look like, and how can we measure that?
Analyzer Pipeline fails when the Docker image size increases more than the allowed variation.
Projects required to be updated
- Kubesec
- Retire.js
- Sobelow
- Spotbugs
- Secrets
- Tslint
- eslint
- Gemnasium-maven
- gemnasium-python
- bundler-audit
- go-sec
- node-js-scan
- secure-code-scan
- phpsc-security-audit
- brakeman
- flaw finder
- klar
- gemnasium
- dast
- pmd-apex
Links / references
Edited by Can Eldem