Make Trivy-K8s-Wrapper project ready for production
In order to make Trivy-K8s-Wrapper project ready for production we need to go through a list of things as described by Olivier:
- move the project under the security-products/analyzers subgroup: this is the common subgroup for our analyzers, which helps with discoverability and with group-level actions and permissions.
- follow the steps in https://about.gitlab.com/handbook/engineering/gitlab-repositories/#creating-a-new-project as highlighted by Thiago.
- see how close we can get to https://docs.gitlab.com/ee/development/sec/analyzer_development_guide.html. OCS is obviously different from our usual CI-job-based analyzers, but there might be interesting things to look at in this doc and we should try to apply what's relevant.
- follow the release and versioning scheme for image tags? https://docs.gitlab.com/ee/development/sec/analyzer_development_guide.html#versioning-and-release-process
- publish these images under the canonical location, i.e. the top-level namespace security-product: https://docs.gitlab.com/ee/development/sec/analyzer_development_guide.html#location-of-container-images
- [ ] add this project and its images to our various processes in CA (e.g. reaction rotation, security automations, etc.). (Company-level processes should be listed in the handbook page of step 2.) NA
- verify whether we need to provide a `-fips` variant of that image that complies with FIPS requirements, and ensure this image is used when gitlab-agent is configured for FIPS mode (does it support it?).
- since we're now relying on a separate Docker image instead of bundled code, we need to consider how it will hold compatibility over time and whether the usual versioning scheme we use will be adapted for our various environments (gitlab.com, Dedicated, self-managed). What is the consequence in terms of maintenance policy for this image? (e.g. can we maintain a single major per year like we do for other analyzers?)
- what are the implications for offline environments?
- update the linked docs as much as possible with what's specific to this particular project.
Edited by Nick Ilieskou