
Replace x-y-stable docker images with major tag for Security Products

Problem to solve

For some of our tools (SAST, Dependency Scanning, License Management) the current process requires releasing a new x-y-stable docker image tag every month, whenever a new version of GitLab ships. All of these x-y-stable images actually point to a major tag under the hood.

This process has a maintenance cost and no particular benefit now that the vendored templates ship within the GitLab rails application, so we want to get rid of it.

Intended users

Further details

Currently, when we release a new version of a tool:

  1. we publish a new semantic version with a git tag: 1.2.4
  2. we publish a corresponding docker image: sast:1.2.4
  3. we overwrite the corresponding major docker image tag: sast:1
  4. we overwrite the existing x-y-stable images that are (supposed to be) compatible with that major version: 11-6-stable, 11-7-stable, etc.

And for each new monthly GitLab release we update the CI config to add a new job that publishes the corresponding x-y-stable tag.

For the Analyzers we have a similar process, but it stops at step #3 and uses the major tag matching the major version of the tool (SAST, DS). This is also being replaced by the non-DinD approach, which gives each analyzer a dedicated job that can use the analyzer's own version directly.
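The release steps above, written out as a GitLab CI pipeline. This is an added illustration and not the project's actual release configuration; the registry path, job names and the `only: tags` trigger are assumptions, and the two x-y-stable jobs stand in for the monthly job additions described above.

```yaml
# Added example (not the project's real release pipeline). Assumes a tool
# whose git tags are semantic versions such as 1.2.4 and whose image lives
# at the path below (assumed path).
variables:
  IMAGE: registry.gitlab.com/gitlab-org/security-products/sast

stages:
  - build
  - release

# Build once per commit and push an immutable, SHA-named image.
build:
  stage: build
  image: docker:stable
  services:
    - docker:dind
  script:
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
    - docker build -t "$IMAGE:$CI_COMMIT_SHA" .
    - docker push "$IMAGE:$CI_COMMIT_SHA"

# Shared retagging logic: every release job pulls the SHA image and pushes
# it under another tag. Only runs on git tags (step 1).
.retag:
  stage: release
  image: docker:stable
  services:
    - docker:dind
  before_script:
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
    - docker pull "$IMAGE:$CI_COMMIT_SHA"
  only:
    - tags

# Step 2: sast:1.2.4, an immutable tag that is never overwritten.
publish semver:
  extends: .retag
  script:
    - docker tag "$IMAGE:$CI_COMMIT_SHA" "$IMAGE:$CI_COMMIT_TAG"
    - docker push "$IMAGE:$CI_COMMIT_TAG"

# Step 3: sast:1, a floating tag overwritten on every 1.x.y release.
publish major:
  extends: .retag
  script:
    - MAJOR="${CI_COMMIT_TAG%%.*}"
    - docker tag "$IMAGE:$CI_COMMIT_SHA" "$IMAGE:$MAJOR"
    - docker push "$IMAGE:$MAJOR"

# Step 4: one job per supported GitLab release. Each monthly GitLab release
# needs a new job appended here, which is the maintenance cost in question.
publish 11-6-stable:
  extends: .retag
  script:
    - docker tag "$IMAGE:$CI_COMMIT_SHA" "$IMAGE:11-6-stable"
    - docker push "$IMAGE:11-6-stable"

publish 11-7-stable:
  extends: .retag
  script:
    - docker tag "$IMAGE:$CI_COMMIT_SHA" "$IMAGE:11-7-stable"
    - docker push "$IMAGE:11-7-stable"
```

Note that `sast:1` and every `x-y-stable` tag are mutable aliases of the same `sast:1.2.4` image, so any consumer pinned to them silently picks up the next release; only the semver tag identifies a fixed image, which matters when a scan result has to be reproduced later.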

Proposal

For DS and SAST, the DinD mode requires keeping the major version of the tool in sync with the major version of the analyzers. With the removal of DinD this is no longer necessary, and each analyzer can then follow its own semantic versioning and have an independent major version too.

Ask customers to override the job definition to change the version they want to use.

Dependency Scanning

Template: https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Security/Dependency-Scanning.gitlab-ci.yml

  • deprecate DS_MAJOR_VERSION and directly use the major number here.

SAST

Template: https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml

  • deprecate SAST_ANALYZER_IMAGE_TAG and directly use the major number here.

Container Scanning

Template: https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml

  • deprecate CS_MAJOR_VERSION and directly use the major number here.

License Compliance

Template: https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Security/License-Scanning.gitlab-ci.yml (and the deprecated https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Security/License-Management.gitlab-ci.yml)

  • replace the $CI_SERVER_VERSION_MAJOR-$CI_SERVER_VERSION_MINOR-stable tag and directly use the major number here.
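What the template change and the customer override look like in practice. This is an added illustration, not the contents of the real templates linked above: the registry paths, the `script` lines, the job names `license_management` / `license_scanning` / `dependency_scanning` and the major number `3` are assumptions or constructed values.

```yaml
# Added example (not the real template contents). Paths, script lines and
# the major number 3 are assumed/constructed values.

# --- Before -----------------------------------------------------------------
# License Management: the tag follows the running GitLab version, so every
# monthly GitLab release needs a freshly pushed x-y-stable image.
license_management:
  image:
    name: "registry.gitlab.com/gitlab-org/security-products/license-management:$CI_SERVER_VERSION_MAJOR-$CI_SERVER_VERSION_MINOR-stable"
    entrypoint: [""]
  script:
    - /run.sh analyze .

# Dependency Scanning: the tag comes from DS_MAJOR_VERSION, a variable that
# the template has to keep in sync with the analyzers' major version.
dependency_scanning:
  variables:
    DS_MAJOR_VERSION: 1
  image: "registry.gitlab.com/gitlab-org/security-products/dependency-scanning:$DS_MAJOR_VERSION"
  script:
    - /analyzer run

# --- After ------------------------------------------------------------------
# The major number is written straight into the template; there is no
# per-GitLab-release tag and no version variable to deprecate later.
license_scanning:
  image:
    name: "registry.gitlab.com/gitlab-org/security-products/license-management:3"
    entrypoint: [""]
  script:
    - /run.sh analyze .

# --- Customer project (.gitlab-ci.yml) --------------------------------------
# A project that needs a different version includes the template and
# redefines the job's image; the rest of the job is inherited unchanged.
# Pinning a full semantic version (constructed value 3.1.0) freezes the
# scanner until the project chooses to bump it.
include:
  - template: Security/License-Scanning.gitlab-ci.yml

license_scanning:
  image:
    name: "registry.gitlab.com/gitlab-org/security-products/license-management:3.1.0"
    entrypoint: [""]
```

The before and after jobs are shown side by side only for comparison; a real template contains one or the other. The trade-off to keep in mind when reviewing such an override is that the template's major tag moves with every release, while a pinned semver tag is reproducible but stops receiving fixes until someone updates it.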

Permissions and Security

Documentation

Availability & Testing

This will need thorough testing, and we must make sure the automated QA stays compatible.

What does success look like, and how can we measure that?

We publish docker images matching semantic versions of our tools (and just keep pushing x-y-stable images too until we officially drop support for them in %13.0).

What is the type of buyer?

GitLab Ultimate

Links / references

Release post deprecation

Edited by Lucas Charles