Use Dependency Scanning FIPS-enabled images automatically

Release notes

Dependency Scanning now switches to FIPS-enabled images automatically when running on a FIPS-compliant GitLab Runner. Users no longer need to set the CI variable DS_IMAGE_SUFFIX to use FIPS-enabled images of Dependency Scanning, and they can now remove this variable from their CI configurations.

Problem to solve

Dependency Scanning CI jobs executed on FIPS-compliant GitLab Runners should automatically use FIPS-enabled Docker images. Users shouldn't need to set CI variables to explicitly use these images.

Proposal

Leverage the predefined CI variable CI_GITLAB_FIPS_MODE to automatically switch to FIPS-enabled images when the scanning job is running on a FIPS-compliant GitLab Runner.

Technically, a solution is to add a rule to all Gemnasium jobs:

  • gemnasium-dependency_scanning
  • gemnasium-maven-dependency_scanning
  • gemnasium-python-dependency_scanning

The additional rule is the same as the existing one, but:

  • It has an extra condition to be triggered when CI_GITLAB_FIPS_MODE is true.
  • It sets DS_IMAGE_SUFFIX to -fips.

See #357922 (comment 916752164)
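A constructed illustration of the rule described above (not the project's own CI template): the Gemnasium job gets an extra rule that matches only when CI_GITLAB_FIPS_MODE is "true" and sets DS_IMAGE_SUFFIX to -fips, while the unchanged default rule still covers the "false" and unset cases. The anchor, prefix and version names (.ds-analyzer, SECURE_ANALYZERS_PREFIX, DS_MAJOR_VERSION) and the lockfile patterns are assumptions used to make the fragment self-contained.

```yaml
# Added example, not the project's template. Assumed names: .ds-analyzer,
# SECURE_ANALYZERS_PREFIX, DS_MAJOR_VERSION, and the `exists` patterns below.
variables:
  DS_IMAGE_SUFFIX: ""   # default: plain (non-FIPS) analyzer image

gemnasium-dependency_scanning:
  extends: .ds-analyzer
  image:
    # The suffix is appended to the tag, so "-fips" selects the FIPS build.
    name: "$SECURE_ANALYZERS_PREFIX/gemnasium:$DS_MAJOR_VERSION$DS_IMAGE_SUFFIX"
  rules:
    - if: $DEPENDENCY_SCANNING_DISABLED
      when: never
    # FIPS rule: identical conditions to the default rule plus the FIPS check.
    # It must be listed first, because rules evaluation stops at the first match.
    - if: $CI_GITLAB_FIPS_MODE == "true" && $CI_COMMIT_BRANCH
      exists:
        - '**/Gemfile.lock'
        - '**/package-lock.json'
      variables:
        DS_IMAGE_SUFFIX: "-fips"
    # Default rule, unchanged. Reached when CI_GITLAB_FIPS_MODE is "false"
    # or not set at all, so the plain image is used in both of those cases.
    - if: $CI_COMMIT_BRANCH
      exists:
        - '**/Gemfile.lock'
        - '**/package-lock.json'
```

The same pair of rules is added to gemnasium-maven-dependency_scanning and gemnasium-python-dependency_scanning; the three cases in the Testing section below correspond to which of the two rules (if any) matches.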

There are no FIPS-enabled images for bundler-audit and retire.js, but we assume that bundler-audit-dependency_scanning and retire.js-dependency_scanning are removed from the CI template in %15.0.

Intended users

Documentation

https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#fips-enabled-images needs to be updated, saying that starting from 15.0 FIPS-enabled images are used automatically.

Testing

The tests should ensure that:

  • Default images are used when CI_GITLAB_FIPS_MODE is false.
  • Default images are also used when CI_GITLAB_FIPS_MODE is not set.
  • FIPS images are used when CI_GITLAB_FIPS_MODE is true.

Feature Usage Metrics

Implementation plan

Edited by Fabien Catteau