Run codequality on shared runners without docker in docker enabled
We want to run the Code Climate scan on gitlab.com shared runners without requiring docker-in-docker. There are several reasons that we want to run the codequality job without using DinD. These include:
- For security reasons, customers on self-hosted instances or on dot com with their own runners may disable the privileged option on their runners
- The code quality job startup time can be slow, when using DinD (#233001)
- (Potentially) The code quality job is difficult to configure for runners that are spun up in Kubernetes (#29976 (comment 421638881))
- Users who use Kubernetes runners may no longer have access to Docker-in-Docker due to the Kubernetes community's move toward CRI-O and containerd. For example, Amazon EKS no longer supports Docker in Kubernetes v1.22 and above.
- Delaney (Development Team Lead)
- Sasha (Software Developer)
- Devon (DevOps Engineer)
- Sidney (Systems Administrator)
- Priyanka (Platform Engineer)
User experience goal
The default code quality template should be widely usable in more situations than it is now, including where:
- Running a privileged runner is undesirable
- Speed of pipeline is important
- Runners are spun up in Kubernetes
The SAST job has previously been through this conversion (#10796 (closed)), we may be able to leverage the work that was done there in order to convert the codequality job. However, we may not be able to, since the code climate scan is distributed as an image as mentioned here.
Some number of gitlab.com runners should be setup to run code quality jobs without utilizing DinD.
CodeQuality documentation would need to be revised to remove mentions of DinD workflow.
Availability & Testing
What does success look like, and how can we measure that?
What is the type of buyer?
Is this a cross-stage feature?
Links / references
Problem to solve
For security reason, my company disabled the privileged option (https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runnersdocker-section).
Cound you please add a way to run codequality and
sast without using docker in docker (and without private runner).
Links / references
DinD requirement for SAST was removed with completion of #10796 (closed)