Rename container scanning variables to remove references to Docker
Proposal
Container scanning currently has several variables which reference Docker. While we may have been dependent on Docker at some point in the past, our scanners are now OCI-compatible and have nothing to do with Docker. There is no dependency on Docker, and we do not care if the images were built with Docker or a different tool. This means that the current variable names are confusing and frequently mislead users into thinking that there is some dependency on Docker / DinD.
I would like to propose that we rename these variables and remove the references to Docker. We may implement this in a three-step plan:
- Update the analyzers to begin using the new variable names, in addition to the existing variable names. (Meaning, both DOCKER_IMAGE and CS_IMAGE will work)
- Deprecate the old variables and begin using the new variable names in documentation, implementations (CI templates), and communications.
- Remove the old variables (%16.0)
Here is a table of all the variables that will be renamed:
Existing Variable Name | New Variable Name |
---|---|
CS_DOCKER_INSECURE (Remove) | CS_REGISTRY_INSECURE (Already exists) |
DOCKER_IMAGE | CS_IMAGE |
DOCKER_PASSWORD | CS_REGISTRY_PASSWORD |
DOCKER_USER | CS_REGISTRY_USER |
DOCKERFILE_PATH | CS_DOCKERFILE_PATH * |
* CS_DOCKERFILE_PATH will retain the Dockerfile reference since our auto-remediation implementation is specific to Dockerfiles and there is not a generic file format for building images. However, we should still take the opportunity to add the CS_ prefix to avoid namespace collisions with generic variable names.
Relevant links
Implementation plan
- backend: modify lib/gcs/environment.rb in container-scanning analyzer to support both variables, update specs,
- documentation: modify Available CI/CD variables section in doc/user/application_security/container_scanning/index.md to include information about new variables, include information about deprecations,
- issues: create new issue for %16.0 to remove support for old variables in the scanner and in the documentation
- documentation: modify doc/user/application_security/container_scanning/index.md to include issue link for the planned variable removal in 16.0
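
One way to accept both names during the deprecation window (step 1 of the plan), written as an added Ruby example; it is not the analyzer's actual lib/gcs/environment.rb. The module and method names (CsEnv, resolve, present) are hypothetical, and the rule that the new name wins when both are set is an assumption the proposal does not state.

```ruby
# Added example, not the analyzer's lib/gcs/environment.rb.
# CsEnv, resolve, present and "new name wins" precedence are assumptions.
module CsEnv
  # Deprecated name => replacement, taken from the rename table in the proposal.
  RENAMES = {
    'CS_DOCKER_INSECURE' => 'CS_REGISTRY_INSECURE',
    'DOCKER_IMAGE'       => 'CS_IMAGE',
    'DOCKER_PASSWORD'    => 'CS_REGISTRY_PASSWORD',
    'DOCKER_USER'        => 'CS_REGISTRY_USER',
    'DOCKERFILE_PATH'    => 'CS_DOCKERFILE_PATH'
  }.freeze

  module_function

  # Returns [settings, warnings]; settings is keyed by the new names only.
  # Warnings name variables but never include values, so a registry
  # password cannot reach the job log through a deprecation notice.
  def resolve(env)
    settings = {}
    warnings = []
    RENAMES.each do |old_name, new_name|
      new_val = present(env[new_name])
      old_val = present(env[old_name])
      if old_val
        warnings << "#{old_name} is deprecated, use #{new_name}"
        warnings << "#{old_name} and #{new_name} differ, using #{new_name}" if new_val && new_val != old_val
      end
      value = new_val || old_val
      settings[new_name] = value if value
    end
    [settings, warnings]
  end

  # Treat unset and blank strings the same way.
  def present(value)
    value.nil? || value.strip.empty? ? nil : value
  end
end

# Constructed sample environment: a job that still sets two old names.
sample = {
  'DOCKER_IMAGE' => 'registry.example.com/app:old',
  'CS_IMAGE' => 'registry.example.com/app:new',
  'DOCKER_PASSWORD' => 'constructed-secret'
}
settings, warnings = CsEnv.resolve(sample)
puts settings.keys.inspect
puts warnings
```

The rest of a scanner written this way would read only the new names from the returned settings, so removing the old variables later means deleting the RENAMES fallback and nothing else.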