Replace x-y-stable docker images with major tag for Security Products
Problem to solve
For some of our tools (SAST, Dependency Scanning, License Management) the current process requires publishing a new x-y-stable docker image tag every month, whenever a new version of GitLab is released. All of these x-y-stable images are aliases of a major tag under the hood.
This process has a maintenance cost with no particular benefit now that the vendored templates ship within the GitLab Rails application, so we want to get rid of it.
Intended users
Further details
Currently, when we release a new version of a tool:
1. we publish a new semantic version as a git tag: `1.2.4`
2. we publish a corresponding docker image: `sast:1.2.4`
3. we re-point the corresponding major docker image tag: `sast:1`
4. we re-point the existing x-y-stable images that are (supposed to be) compatible with that major version: `11-6-stable`, `11-7-stable`, etc.
And when there is a new monthly release of GitLab we update the CI config to add a new job that publishes the corresponding x-y-stable tag.
For the analyzers the process is similar but stops at step 3: their major tag is kept in sync with the major version of the tool that runs them (SAST, DS). This is also being superseded by the non-DinD approach, where each analyzer has a dedicated job that can reference its own version directly.
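The release steps above, as an added example (this is not the gitlab-org/security-products release tooling): a POSIX shell script that validates the semantic version, derives the tags a release must update (the exact version, the major alias and the x-y-stable aliases), emits the docker tag/push commands, and adds one guard the process as described does not have: it refuses to move the major alias to an older version, so a patch release of a previous minor cannot point `sast:1` back at older code. The image name `sast`, the versions and the stable aliases are made-up inputs; the script only prints the docker commands unless `DRY_RUN=0` is set.

```shell
#!/bin/sh
# Added example, not the gitlab-org/security-products release tooling.
# Derives the docker tags one tool release must publish and emits the
# docker commands. Hypothetical inputs: image "sast", versions 1.2.4 /
# 1.2.3 / 1.3.0, stable aliases "11-6-stable 11-7-stable".
set -f   # no pathname expansion: alias lists are split on whitespace only

# Accepts only strict MAJOR.MINOR.PATCH: digits only, exactly three fields.
is_semver() {
  case "$1" in
    ''|*[!0-9.]*) return 1 ;;
  esac
  IFS=.; set -- $1; unset IFS     # split on dots, then restore default IFS
  [ $# -eq 3 ] || return 1
  for _part in "$1" "$2" "$3"; do
    case "$_part" in
      ''|*[!0-9]*) return 1 ;;     # rejects "1..4" and "1.2."
    esac
  done
  return 0
}

# Prints the major component of a validated semver ("11.6.2" -> "11").
semver_major() { printf '%s\n' "${1%%.*}"; }

# Returns 0 when $1 >= $2, comparing each component numerically
# (so 1.10.0 > 1.9.0 and 2.0.0 > 1.99.99).
version_ge() {
  _a=$1; _b=$2
  while [ -n "$_a" ] || [ -n "$_b" ]; do
    _x=${_a%%.*}; _y=${_b%%.*}
    [ "$_x" = "$_a" ] && _a='' || _a=${_a#*.}
    [ "$_y" = "$_b" ] && _b='' || _b=${_b#*.}
    [ "${_x:-0}" -gt "${_y:-0}" ] && return 0
    [ "${_x:-0}" -lt "${_y:-0}" ] && return 1
  done
  return 0
}

# Prints, one per line, every tag a release of version $1 updates: the exact
# version, the major alias, then each space-separated x-y-stable alias in $2.
tags_for_release() {
  is_semver "$1" || { printf 'not a MAJOR.MINOR.PATCH version: %s\n' "$1" >&2; return 1; }
  printf '%s\n' "$1" "$(semver_major "$1")"
  for _stable in $2; do
    printf '%s\n' "$_stable"
  done
}

# Prints the command in dry-run mode (the default) and executes it otherwise.
run() {
  if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# release IMAGE VERSION CURRENT_MAJOR_VERSION "STABLE ALIASES"
# Assumes IMAGE:VERSION has already been built and pushed (steps 1 and 2).
# CURRENT_MAJOR_VERSION is the version the major alias points at today
# (empty for a brand-new major); the alias is only moved forward.
release() {
  _image=$1; _version=$2; _current=$3; _stables=$4
  is_semver "$_version" || return 1
  _major=$(semver_major "$_version")
  if [ -n "$_current" ] && ! version_ge "$_version" "$_current"; then
    printf 'refusing to move %s:%s from %s back to %s\n' \
      "$_image" "$_major" "$_current" "$_version" >&2
    return 2
  fi
  for _tag in $(tags_for_release "$_version" "$_stables"); do
    [ "$_tag" = "$_version" ] && continue   # the exact tag already exists
    run docker tag "$_image:$_version" "$_image:$_tag"
    run docker push "$_image:$_tag"
  done
}

# Stand-alone demo (dry run): a 1.2.4 release on top of a major alias at
# 1.2.3, then the same release rejected because the alias already points
# at 1.3.0.
release sast 1.2.4 1.2.3 "11-6-stable 11-7-stable"
release sast 1.2.4 1.3.0 "11-6-stable" || echo "exit status $?"
```

The backwards guard needs to know which version the major alias currently points at; in a real pipeline that would come from the registry (or from a version file committed with the release), not from an argument.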
Proposal
For DS and SAST, the DinD mode requires the major version of the tool to be kept in sync with the major version of the analyzers. With the removal of DinD this is no longer necessary, and each analyzer can follow its own semantic versioning and have an independent major version too.
Customers who want a different version override the job definition in their own CI configuration. Major tags are mutable, so a customer who needs a reproducible pipeline should pin an exact semantic version in that override rather than rely on the major alias.
Dependency Scanning
- deprecate `DS_MAJOR_VERSION` and use the major number directly in the template.
SAST
Template: https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml
- deprecate `SAST_ANALYZER_IMAGE_TAG` and use the major number directly in the template.
Container Scanning
- deprecate `CS_MAJOR_VERSION` and use the major number directly in the template.
License Compliance
Template: https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Security/License-Scanning.gitlab-ci.yml (and the deprecated https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Security/License-Management.gitlab-ci.yml)
- replace `$CI_SERVER_VERSION_MAJOR-$CI_SERVER_VERSION_MINOR-stable` with the major number directly in the template.
Permissions and Security
Documentation
- ensure the documentation states that the x-y-stable docker images and the related environment variables are deprecated and that support for them will be dropped in %13.0.
- update the release process doc in https://gitlab.com/gitlab-org/security-products/release
Availability & Testing
This will need thorough testing, and we must make sure the automated QA stays compatible.
What does success look like, and how can we measure that?
We publish docker images matching the semantic versions of our tools (and keep pushing x-y-stable images too until we officially drop support for them in %13.0).