
Use Gemnasium FIPS-enabled images automatically

What does this MR do and why?

Automatically use FIPS-enabled Docker images of Gemnasium (Dependency Scanning) when FIPS mode is enabled in the GitLab instance.

Job rules are added to the Gemnasium CI jobs to set DS_IMAGE_SUFFIX to "-fips" when the predefined variable CI_GITLAB_FIPS_MODE is set.
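The shape such a rule takes in a Dependency Scanning CI template, as an added illustration rather than this MR's diff: the image name is built from DS_IMAGE_SUFFIX, and a FIPS-specific rule sets that suffix before the default rule matches. The job name, the SECURE_ANALYZERS_PREFIX and DS_MAJOR_VERSION variables, the trimmed language list and the DEPENDENCY_SCANNING_DISABLED guard are assumptions about the template, not values taken from this page.

```yaml
variables:
  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"  # assumed
  DS_MAJOR_VERSION: 2                                               # assumed
  DS_IMAGE_SUFFIX: ""   # empty by default, so the default image is gemnasium:2

gemnasium-dependency_scanning:   # assumed job name
  stage: test
  image:
    # Variables are expanded at runtime, giving gemnasium:2 normally
    # and gemnasium:2-fips when the FIPS rule below matched.
    name: "$SECURE_ANALYZERS_PREFIX/gemnasium:$DS_MAJOR_VERSION$DS_IMAGE_SUFFIX"
  script:
    - /analyzer run
  rules:
    - if: $DEPENDENCY_SCANNING_DISABLED
      when: never
    # FIPS-mode instance: same trigger condition as the default rule,
    # but this rule is listed first and overrides DS_IMAGE_SUFFIX.
    # The language list is a trimmed sample, not the real template's list.
    - if: $CI_GITLAB_FIPS_MODE == "true" &&
          $CI_PROJECT_REPOSITORY_LANGUAGES =~ /\b(ruby|javascript|php|go)\b/
      variables:
        DS_IMAGE_SUFFIX: "-fips"
    # Default rule: reached only when FIPS mode is "false" or unset,
    # so DS_IMAGE_SUFFIX keeps its empty default.
    - if: $CI_PROJECT_REPOSITORY_LANGUAGES =~ /\b(ruby|javascript|php|go)\b/
```

Rule order matters: because the first matching rule wins, the FIPS rule must precede the default rule or the suffix is never applied.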

See #357922 (closed)

This depends on !86704 (merged) and sits on top of remove-deprecated-ds-analyzers.

Right now the target branch is remove-deprecated-ds-analyzers to make the diff readable.

Testing

The following two contexts become RSpec shared_examples:

  • language detection, as-is
  • when PIP_REQUIREMENTS_FILE is defined, as PIP_REQUIREMENTS_FILE support

This makes it possible to use these shared examples to cover two contexts:

  • default, which already existed prior to this MR
  • when FIPS mode is enabled, which is a new context

Also, language detection and PIP_REQUIREMENTS_FILE support now both include the new shared examples named predefined image suffix. These ensure that the Docker image has the expected suffix:

  • By default there is no suffix.
  • When FIPS mode is enabled, the suffix is "-fips".

Because CI variables aren't expanded in the job parameter image:name when running the spec, predefined image suffix performs the following checks:

  • The image name ends with $DS_IMAGE_SUFFIX.
  • $DS_IMAGE_SUFFIX is set to the expected_image_suffix.

Screenshots or screen recordings

These are strongly recommended to assist reviewers and reduce the time to merge your change.

How to set up and validate locally

  • Create a project compatible with Dependency Scanning.
  • Add Dependency Scanning to CI pipeline.
  • Run a new pipeline where CI_GITLAB_FIPS_MODE is set to "true".
    • Compatible Gemnasium scanning jobs are triggered.
    • These jobs use FIPS-enabled images, like gemnasium:2-fips.
  • Run a pipeline where CI_GITLAB_FIPS_MODE is "false" or not set.
    • Compatible Gemnasium scanning jobs are triggered.
    • These jobs use default images, like gemnasium:2.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Fabien Catteau
