Add UBI-based Image for semgrep analyzer
Why are we doing this work
From Epic:
For US Government customers to use GitLab's secure analyzers, they need to have them built on a UBI-based image.
Relevant links
- Epic
- Secure section FIPS Compliance Epic
- Dockerfile.ubi in Container Scanning project
- Proposed Dockerfile.ubi changes for secrets analyzer
Non-functional requirements
- Documentation: document how to configure security job to use UBI-based image
- [-] Feature flag:
- [-] Performance:
- Testing: extend integration tests to test both original Dockerfile and UBI-based
Implementation plan
- backend: use go-fips image to build binaries (from https://gitlab.com/gitlab-org/gitlab-runner/-/tree/main/dockerfiles/fips or based on https://gitlab.com/gitlab-org/gitlab/-/issues/354997)
- backend: use ubi8 image as secondary ubi8 image with additional Dockerfile{.ubi,.fips}
- backend: in case of any required dependencies, add:

  ```dockerfile
  RUN yum -y -q update --disableplugin=subscription-manager && \
      yum -y -q upgrade --disableplugin=subscription-manager && \
      yum -y -q install --disableplugin=subscription-manager git && \
      yum -y clean all --enablerepo='*'
  ```
Edited by Lucas Charles