
Improve Dependency Scanning support with non-root containers


Release notes

Problem to solve

Several users are looking to run CI jobs with a runner configured to use a non-root user.

In this configuration the Dependency Scanning job fails because of the git commands it runs to download a fresh advisory database:

[DEBU] [Gemnasium] [2023-10-11T23:35:53Z] [/go/src/app/advisory/repo.go:125] ▶ /usr/bin/git -C /gemnasium-db remote set-url origin https://gitlab.com/gitlab-org/security-products/gemnasium-db.git
fatal: detected dubious ownership in repository at '/gemnasium-db'
To add an exception for this directory, call:
	git config --global --add safe.directory /gemnasium-db

The optional task that generates auto-remediation data fails too, for a similar reason:

[DEBU] [Gemnasium] [2023-11-14T20:37:07Z] [/go/src/app/cmd/gemnasium/main.go:381] ▶ /usr/bin/git -C /tmp/app status
fatal: detected dubious ownership in repository at '/tmp/app'
To add an exception for this directory, call:

	git config --global --add safe.directory /tmp/app

Great notes and some history are available in this confidential issue: https://gitlab.com/gitlab-org/gitlab/-/issues/423563

More details

We currently offer a manual workaround for this situation, by adding the suggested git config:

before_script:
    - git config --global --add safe.directory '/gemnasium-db'

Our documentation for configuring a runner with a non-root user specifies that the user must be part of the root group (GID=0).

If for any reason the user executing the job belongs to another group, additional failures may arise during job execution, and the simplest fix is to change the ownership of the affected files. Here is an example that overrides the entrypoint to create a new user and change file ownership before the CI job runs:

gemnasium-image-with-entrypoint:
  image:
    name: registry.gitlab.com/security-products/gemnasium:latest
    entrypoint: ['sh', '-c', 'adduser -D myuser && chown -R myuser:myuser /gemnasium-db && exec su myuser']
  variables:
    SECURE_LOG_LEVEL: debug
  script:
    - git config --global --add safe.directory $CI_PROJECT_DIR
    - /analyzer run
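The two workarounds above (registering safe.directory, and fixing ownership) both boil down to the same condition git checks: a repository owned by a uid other than the one running the job. The following preflight, written as an added example and not taken from the issue or from the gemnasium analyzer, reproduces that ownership check and registers safe.directory only for the paths that actually need it, so a before_script can verify the job's state before /analyzer runs. It assumes GNU or busybox stat (-c %u) and a git on PATH; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the issue): preflight that mirrors git's "dubious
# ownership" check and registers safe.directory only where it is needed.
# Assumes GNU/busybox `stat -c %u` and git on PATH (hypothetical helper names).

# Returns 0 when DIR is owned by a uid other than UID (git would refuse it),
# 1 when DIR is owned by UID, 2 when DIR does not exist.
dubious_ownership() {
  dir=$1
  uid=$2
  [ -d "$dir" ] || return 2
  owner=$(stat -c %u "$dir") || return 2
  [ "$owner" != "$uid" ]
}

# Adds DIR to the global safe.directory list unless it is already listed.
# Prints "added" or "present" so the job log shows what changed.
ensure_safe_directory() {
  dir=$1
  if git config --global --get-all safe.directory 2>/dev/null | grep -qxF "$dir"; then
    echo present
  else
    git config --global --add safe.directory "$dir"
    echo added
  fi
}

# Checks every path given and prints one line per path:
# "<path> ok" (owned by us), "<path> missing", "<path> added|present".
preflight() {
  me=$(id -u)
  for d in "$@"; do
    dubious_ownership "$d" "$me"
    case $? in
      0) echo "$d $(ensure_safe_directory "$d")" ;;
      1) echo "$d ok" ;;
      *) echo "$d missing" ;;
    esac
  done
}

# Typical use in the before_script of the dependency scanning job:
#   preflight /gemnasium-db "$CI_PROJECT_DIR" /tmp/app
```

A path reported as "ok" needs neither safe.directory nor a chown, which makes it easy to tell from the job log whether a failure comes from the advisory database checkout, the project directory, or the auto-remediation clone.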

Proposal

Update the gemnasium analyzer to support a non-root user out of the box, without the need for a workaround.

Intended users

Feature Usage Metrics

Does this feature require an audit event?
