Use Dependency Scanning FIPS-enabled images automatically
Release notes
Dependency Scanning now switches to FIPS-enabled images automatically when running on a FIPS compliant GitLab Runner. Users no longer need to set the CI variable DS_IMAGE_SUFFIX to use FIPS-enabled images of Dependency Scanning, and they can now remove this variable from their CI configurations.
Problem to solve
Dependency Scanning CI jobs executed on FIPS compliant GitLab Runners should automatically use FIPS-enabled Docker images. Users shouldn't need to set CI variables to explicitly use these images.
Proposal
Leverage the predefined CI variable CI_GITLAB_FIPS_MODE to automatically switch to FIPS-enabled images when the scanning job is running on a FIPS compliant GitLab Runner.
Technically, a solution is to add a rule to all Gemnasium jobs:
- gemnasium-dependency_scanning
- gemnasium-maven-dependency_scanning
- gemnasium-python-dependency_scanning
The additional rule is the same as the existing one, but:
- It has an extra condition so that it is triggered when CI_GITLAB_FIPS_MODE is true.
- It sets DS_IMAGE_SUFFIX to -fips.
See #357922 (comment 916752164)
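A sketch of what such a rule looks like on one of the Gemnasium jobs, as an added example rather than the template change itself; the `.ds-analyzer` base job, the image expression and the `$CI_COMMIT_BRANCH` condition are assumed stand-ins for whatever the real template uses:

```yaml
# Added example, not the upstream Dependency Scanning template.
# Assumed: the job inherits from a ".ds-analyzer" base job and builds its image
# name from SECURE_ANALYZERS_PREFIX, DS_MAJOR_VERSION and DS_IMAGE_SUFFIX.
gemnasium-dependency_scanning:
  extends: .ds-analyzer
  image:
    name: "$SECURE_ANALYZERS_PREFIX/gemnasium:$DS_MAJOR_VERSION$DS_IMAGE_SUFFIX"
  rules:
    - if: $DEPENDENCY_SCANNING_DISABLED
      when: never
    # Additional rule: on a FIPS compliant runner the predefined variable is the
    # string "true", so the -fips image tag is selected without any user-set
    # variable. It must come before the generic rule because the first matching
    # rule wins.
    - if: $CI_GITLAB_FIPS_MODE == "true" && $CI_COMMIT_BRANCH
      variables:
        DS_IMAGE_SUFFIX: "-fips"
    # Existing rule: default image when CI_GITLAB_FIPS_MODE is unset or "false".
    - if: $CI_COMMIT_BRANCH
```

With this ordering the three cases from the Testing section fall out directly: an unset or "false" CI_GITLAB_FIPS_MODE skips the FIPS rule and keeps the default image, while "true" selects the -fips tag.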
There are no FIPS-enabled images for bundler-audit and retire.js, but we assume that bundler-audit-dependency_scanning and retire.js-dependency_scanning are removed from the CI template in %15.0.
Intended users
Documentation
https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#fips-enabled-images needs to be updated, saying that starting from 15.0 FIPS-enabled images are used automatically.
Testing
The tests should ensure that:
- Default images are used when CI_GITLAB_FIPS_MODE is false.
- Default images are also used when CI_GITLAB_FIPS_MODE is not set.
- FIPS images are used when CI_GITLAB_FIPS_MODE is true.
Feature Usage Metrics
Implementation plan
- Update CI template to use FIPS-enabled images, and provide integration tests
- Update documentation