Add UBI-based Image for gemnasium analyzer
Why are we doing this work
From Epic:
For US Government customers to use GitLab's secure analyzers, they need to have them built on a UBI-based image.
Relevant links
- Epic
- Secure section FIPS Compliance Epic
- Dockerfile.ubi in Container Scanning project
- Proposed Dockerfile.ubi changes for secrets analyzer
Non-functional requirements
- [-] Feature flag:
- [-] Performance:
- Testing: extend integration tests to test both original Dockerfile and UBI-based
Documentation is covered by https://gitlab.com/gitlab-org/gitlab/-/issues/354796+
Implementation plan
- backend use go-fips image to build binaries (from https://gitlab.com/gitlab-org/gitlab-runner/-/tree/main/dockerfiles/fips or based on https://gitlab.com/gitlab-org/gitlab/-/issues/354997)
- backend use ubi8/nodejs-14 image as a main image for Dockerfile, or use
- backend verify if mcr.microsoft.com/dotnet/core/sdk:3.1 is FIPS compliant,
- backend in case of any required dependencies, add:

  ```dockerfile
  RUN yum -y -q update --disableplugin=subscription-manager && \
      yum -y -q upgrade --disableplugin=subscription-manager && \
      yum -y -q install --disableplugin=subscription-manager git && \
      yum -y clean all --enablerepo='*'
  ```
- backend move certificates to /etc/pki/: (see #354993 (comment 904954897))
Edited by Fabien Catteau