Add FIPS compliance to trivy-k8s-wrapper for AMD64
## Problem

Gitlab-agent works in `-fips` mode. `Operational Container Scanning (OCS)` prior to %"16.9" was enabled by default. However, OCS uses the [trivy-k8s-wrapper](https://gitlab.com/gitlab-org/security-products/analyzers/trivy-k8s-wrapper), which is not `-fips` compliant. When gitlab-agent runs in `fips` mode, we must disable `OCS` so that the agent can run (see https://gitlab.com/gitlab-org/gitlab/-/issues/439441). This impacts users and prevents them from using `OCS`.

## Goal

Make `trivy-k8s-wrapper` FIPS compliant.

## How to ensure we are FIPS compliant?

- Follow the [development guidelines](https://docs.gitlab.com/development/fips_gitlab/#development-guidelines).
- Our specific cryptographic standards are outlined in [this handbook article](https://handbook.gitlab.com/handbook/security/cryptographic-standard/#standard) for reference.
- All cryptography within the container has to use active FIPS-validated cryptographic modules. Active and historical modules are listed on the [NIST CMVP page](https://csrc.nist.gov/Projects/cryptographic-module-validation-program/validated-modules/search).
- During audits we need to be able to point to the specific FIPS certificate number(s) from the CMVP for the module(s) in use within the container.
- Demonstrating FIPS compliance depends on which module you are checking. Here are some examples that you can run within your container to check for FIPS compliance. You will have to run your container on a host that is in FIPS mode and running FIPS ciphers (`cat /proc/sys/crypto/fips_enabled`).
  * `dpkg -l | grep fips`
  * `cat /proc/sys/crypto/fips_enabled`
  * `openssl version`
  * `ssh -Q cipher localhost`
  * `sshd -T | grep fips`
- If you have other ciphers you need to check, Claude is pretty good at generating those checks.
- Make sure that we use the [UBI OpenSSL module](https://docs.gitlab.com/development/fips_gitlab/#go).

## Implementation Plan

- [x] Create a new Docker image for FIPS. This image should use a Red Hat image similar to Gemnasium instead of an `alpine` one.
- [x] Go through the list in the section `How to ensure we are FIPS compliant?` and make sure we are FIPS compliant.
- [x] Move the Dockerfiles into a build dir and update the build scripts.
- [ ] ~~Make sure we build the FIPS image for both `arm64` and `amd64` architectures.~~ _Will be done in a follow-up issue._
- [x] Update all build jobs so that they also build the FIPS images.
- [x] Update the release jobs so that a release is also built for FIPS.
- [ ] ~~Update the OCS documentation on how to use a FIPS-compliant image. This could be done through the gitlab-agent configuration where we specify the `repository`. [Example](https://docs.gitlab.com/user/clusters/agent/vulnerabilities/#custom-repository-for-trivy-k8s-wrapper).~~ _Will be done in a follow-up issue._ Consider whether we need to release FIPS images under a different path so that we can refer to them by repository without specifying a tag.
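The checks from the section `How to ensure we are FIPS compliant?` (host FIPS flag, `openssl version`, FIPS package listing) gathered into one script that can be run inside the container and pasted into an audit note. This is an added example, not the trivy-k8s-wrapper project's own code; it assumes an OpenSSL 3 image (UBI/rpm-based or Debian/dpkg-based), the `openssl list -providers` output layout, and `SAMPLE_PROVIDERS` is a constructed listing for checking the parser offline.

```shell
#!/bin/sh
# Added example (not the project's own script): gather the FIPS evidence listed
# under "How to ensure we are FIPS compliant?" inside the container. Commands and
# paths are standard; the parser, verdict rule and SAMPLE_PROVIDERS are ours.

# Kernel flag: "1" when the host kernel runs in FIPS mode. The path is a
# parameter so the function can be exercised against a constructed file.
fips_kernel_flag() {
  f="${1:-/proc/sys/crypto/fips_enabled}"
  if [ -r "$f" ]; then tr -d ' \n\t' < "$f"; else echo unknown; fi
}

# Parse `openssl list -providers` output (stdin): provider names are indented
# headers without a colon, their attributes are "key: value" lines below.
# Prints "active" when a loaded "fips" provider reports status active.
openssl_fips_provider_state() {
  awk 'tolower($0) ~ /^[ \t]*fips$/ { in_fips = 1; next }
       $0 !~ /:/ && /[^ \t]/ { in_fips = 0 }
       in_fips && tolower($0) ~ /status:[ \t]*active/ { found = 1 }
       END { print (found ? "active" : "missing") }'
}

# Verdict: needs BOTH a FIPS-mode host kernel AND the container OpenSSL FIPS provider.
fips_verdict() {
  if [ "$1" = 1 ] && [ "$2" = active ]; then echo compliant
  elif [ "$1" = 1 ]; then echo "fips-host-but-openssl-provider-$2"
  else echo host-not-in-fips-mode; fi
}

# Live report. Package evidence differs between UBI (rpm) and Debian (dpkg);
# the version printed by `openssl version` is what you look up on the CMVP.
fips_report() {
  flag=$(fips_kernel_flag)
  state=$(openssl list -providers 2>/dev/null | openssl_fips_provider_state)
  echo "fips_enabled=$flag"
  echo "openssl=$(openssl version 2>/dev/null || echo not-installed)"
  echo "openssl_fips_provider=$state"
  if command -v rpm >/dev/null 2>&1; then rpm -qa | grep -i fips || true
  elif command -v dpkg >/dev/null 2>&1; then dpkg -l | grep -i fips || true; fi
  echo "verdict=$(fips_verdict "$flag" "$state")"
}
# Constructed sample of `openssl list -providers` on a FIPS-mode UBI host.
SAMPLE_PROVIDERS='Providers:
  base
    status: active
  fips
    name: OpenSSL FIPS Provider
    status: active'
```

Run `fips_report` in the container on a FIPS-mode host; on a non-FIPS host the verdict is `host-not-in-fips-mode` whatever the image contains, which is why the section above insists on a FIPS-mode host.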