FIPS compliant Secret Detection template
Why are we doing this work
FIPS compliance is a requirement for the US Govt to utilize a piece of software. It is required for any FISMA or FedRAMP system, and cannot be waived.
In order for GitLab to be directly usable within the US Govt, we need to be compliant.
Relevant links
- FIPS 140-2 Compliant GitLab
- Sec section FIPS Compliance (Secure and Protect)
- Predefined CI variable to indicate FIPS mode for security analyzers
Non-functional requirements
-
Documentation: -
Testing:
Implementation plan
Template change consensus reached here
When FIPS mode is enabled in GitLab, the template should automatically use the FIPS version of analyzer. This will occur through a new variable _VERSION_TAG. The rules of the job will correctly set _VERSION_TAG to -fips when CI_GITLAB_FIPS_MODE is set to 'true'.