Predefined CI variable to indicate FIPS mode for security analyzers
Problem
As part of FIPS compliance, alternative analyzer Docker images will be published. These images are larger and may not be appropriate for all customers. The vendored templates for analyzers need to know whether a customer wants a FIPS image or not.
Proposal
Introduce GITLAB_FIPS_MODE='true' as a GitLab predefined CI variable. This variable will be available in the templates and to the analyzers, and can be used in the vendored templates to switch which image a customer gets. This will allow GitLab to maintain a single vendored template, and also address the need for customers to get a FIPS Docker image for each analyzer.
When FIPS mode is not enabled, the variable is missing rather than 'false' (matching existing CI variable paradigms).
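A sketch of how a single vendored template could switch images on this variable. This is an added example, not GitLab's own template: the job name, registry path, the ANALYZER_IMAGE_* variables, the "-fips" tag suffix and the script command are all assumptions made for illustration.

```yaml
# Hypothetical vendored analyzer template (added example, not GitLab's code).
# Only GITLAB_FIPS_MODE comes from the proposal; every other name is assumed.
variables:
  ANALYZER_IMAGE_PREFIX: "registry.example.com/security-products"  # assumed registry
  ANALYZER_IMAGE_TAG: "1"                                          # assumed major tag
  ANALYZER_IMAGE_SUFFIX: ""      # default: the regular, smaller image

example-analyzer:
  stage: test
  image:
    # The suffix is resolved per job, so one template serves both image variants.
    name: "$ANALYZER_IMAGE_PREFIX/example-analyzer:$ANALYZER_IMAGE_TAG$ANALYZER_IMAGE_SUFFIX"
  script:
    - /analyzer run              # assumed analyzer entrypoint
  rules:
    # FIPS-enabled instance: the predefined variable is the string 'true',
    # so the job is pointed at the FIPS build of the same analyzer.
    - if: $GITLAB_FIPS_MODE == "true"
      variables:
        ANALYZER_IMAGE_SUFFIX: "-fips"   # assumed naming convention
    # Non-FIPS instance: the variable is missing, not 'false'. The comparison
    # above evaluates to false for an undefined variable, so the job falls
    # through to this rule and keeps the empty default suffix.
    - when: on_success
```

Because the rule compares against the string "true" instead of testing for 'false', the template behaves correctly when the variable is absent, which is the non-FIPS case described above.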
Detecting FIPS mode
This is developing, but other FIPS work can show current methods: