Have Container Scanning Exit when using an Authenticated Repository in FIPS Mode
Release notes
Problem to solve
On a GitLab instance where FIPS is enabled, jobs that scan authenticated registries should not be executed because this communication does not comply with FIPS.
User experience goal
As a user of a GitLab instance where FIPS is enabled, I can no longer use Container Scanning for scanning authenticated registries.
Proposal
Change the Container Scanning analyzer to have it fail and exit if the job is run and CI_GITLAB_FIPS_MODE == true and either DOCKER_USER or DOCKER_PASSWORD is set and not blank. See gitlab-org/security-products/analyzers/license-finder!110 (diffs) for reference and for consistency across analyzers.
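A sketch of the guard described in the proposal, as an added example that is not the analyzer's own code. The function names are hypothetical, and comparing CI_GITLAB_FIPS_MODE against the exact string true and treating whitespace-only values as blank are assumptions.

```shell
#!/bin/sh
# Added illustration of the proposed pre-flight check (not GitLab's code).
# All function names here are hypothetical.

# is_blank VALUE: succeeds when VALUE is empty or contains only whitespace.
is_blank() {
  case "$(printf '%s' "$1" | tr -d '[:space:]')" in
    '') return 0 ;;
    *)  return 1 ;;
  esac
}

# fips_registry_auth_conflict: succeeds (status 0) when the job must be
# refused, i.e. CI_GITLAB_FIPS_MODE is "true" and DOCKER_USER or
# DOCKER_PASSWORD is set to a non-blank value. An unset variable counts
# as blank. Credential values are never printed.
fips_registry_auth_conflict() {
  [ "${CI_GITLAB_FIPS_MODE:-}" = "true" ] || return 1
  if ! is_blank "${DOCKER_USER:-}" || ! is_blank "${DOCKER_PASSWORD:-}"; then
    return 0
  fi
  return 1
}

# guard_fips_scan: reports the reason on stderr and returns non-zero so the
# caller can stop the job before any registry connection is attempted.
guard_fips_scan() {
  if fips_registry_auth_conflict; then
    echo "Container Scanning: authenticated registries are not supported" \
         "in FIPS mode; unset DOCKER_USER and DOCKER_PASSWORD." >&2
    return 1
  fi
  return 0
}

# Intended use at the top of the scan entry point:
#   guard_fips_scan || exit 1
```

Running the check before the scanner starts keeps the job from contacting the registry at all, and the non-zero exit makes the failure visible in the pipeline instead of silently skipping the scan.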
Permissions and Security
No change
Documentation
User documentation has already been updated in https://docs.gitlab.com/ee/user/application_security/container_scanning/#fips-enabled-images
Availability & Testing
TBD