Use non-root users in SAST analyzers

• Problem to solve
• Proposal
  • Implementation plan
• Intended users

Problem to solve

At the moment most of our analyzers use the default user per default. As outlined in Run Secure analyzers as non-root users (#197239 - closed) • Amar Patel, Tal Kopel • 17.4 we are planning to use non-root user per default to provide an increased level of permission control.

Proposal

Conform the following analyzers to the accepted standard for users

1. semgrep
   • Creates a gitlab non-root user (gitlab-org/security-products/analyzers/semgrep!507 - merged) • Tal Kopel • 17.5
2. pmd-apex
   • Support for non-root user (gitlab-org/security-products/analyzers/pmd-apex!142 - merged) • Julian Thome • 17.5
3. spotbugs
   • Include non-root user for spotbugs (gitlab-org/security-products/analyzers/spotbugs!224 - merged) • Julian Thome • 17.6
4. sobelow
   • Adding support for non-root user (gitlab-org/security-products/analyzers/sobelow!125 - merged) • Julian Thome • 17.6
5. kics
   • Adding gitlab user (gitlab-org/security-products/analyzers/kics!132 - merged) • Tal Kopel • 17.5
6. kubesec
   • Running with gitlab user (gitlab-org/security-products/analyzers/kubesec!113 - merged) • Tal Kopel • 17.5

Implementation plan

Follow Creates a gitlab non-root user (gitlab-org/security-products/analyzers/semgrep!507 - merged) • Tal Kopel • 17.5

Intended users

Personas are described at https://handbook.gitlab.com/handbook/product/personas/

• Alex (Security Operations Engineer)
• Cameron (Compliance Manager)