Propagate mounts in SAST and Dependency Scanning
Problem to solve
We want to be able to mount directories and have them available for all analyzers.
Target audience
Sasha, the Software Developer, will enjoy this new feature.
Further details
`sast` and `dependency_scanning` jobs require docker-in-docker to run:
- https://docs.gitlab.com/ee/ci/examples/sast.html
- https://docs.gitlab.com/ee/ci/examples/dependency_scanning.html

Docker-in-Docker is great but doesn't propagate mounts.
A typical need for `sast` is to pass a CA cert to the analyzers. This can't be done with the current implementation, as we don't mount anything in the analyzer containers (https://gitlab.com/gitlab-org/security-products/analyzers/common/blob/master/orchestrator/analyzer.go#L96).
Proposal
It should be safe to mount everything down to each analyzer, except maybe the docker socket. So instead of a single mount, we should iterate over the host mounts and append each one: https://gitlab.com/gitlab-org/security-products/analyzers/common/blob/master/orchestrator/analyzer.go#L101. The question now is how to get these mounts. There's probably an option in Docker to recursively bind volumes.
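One way the iteration could look, as an added sketch that is not the orchestrator's own code: it assumes the orchestrator reads its own container-inspect JSON from the Engine API (the `Mount` struct and `sampleInspect` below mirror the shape of that response and are constructed here), converts each bind mount into a `HostConfig.Binds` entry, and leaves the docker socket out.

```go
package main

import (
	"encoding/json"
	"fmt"
)
// Mount mirrors one entry of "Mounts" in a Docker Engine container-inspect response.
type Mount struct {
	Type, Source, Destination string
	RW                        bool
}
// The docker socket is not propagated: every analyzer would otherwise control the daemon.
var skipDestinations = map[string]bool{"/var/run/docker.sock": true}
// ParseMounts decodes the "Mounts" array of an inspect response.
func ParseMounts(inspectJSON []byte) ([]Mount, error) {
	var resp struct{ Mounts []Mount }
	err := json.Unmarshal(inspectJSON, &resp)
	return resp.Mounts, err
}
// BindsFromMounts turns the orchestrator's own bind mounts into HostConfig.Binds entries
// ("src:dst[:ro]"). Read-only stays read-only; volumes and the docker socket are skipped.
func BindsFromMounts(mounts []Mount) []string {
	var binds []string
	for _, m := range mounts {
		if m.Type != "bind" || skipDestinations[m.Destination] {
			continue
		}
		b := m.Source + ":" + m.Destination
		if !m.RW {
			b += ":ro"
		}
		binds = append(binds, b)
	}
	return binds
}
// Constructed sample of what the orchestrator would see when inspecting itself.
const sampleInspect = `{"Mounts":[
{"Type":"bind","Source":"/builds/proj","Destination":"/code","RW":true},
{"Type":"bind","Source":"/etc/gitlab/ca.crt","Destination":"/etc/ssl/certs/ca.crt","RW":false},
{"Type":"bind","Source":"/var/run/docker.sock","Destination":"/var/run/docker.sock","RW":true},
{"Type":"volume","Source":"/var/lib/docker/volumes/c/_data","Destination":"/cache","RW":true}]}`
func main() {
	mounts, err := ParseMounts([]byte(sampleInspect))
	if err != nil {
		panic(err)
	}
	fmt.Println(BindsFromMounts(mounts)) // [/builds/proj:/code /etc/gitlab/ca.crt:/etc/ssl/certs/ca.crt:ro]
}
```

The resulting slice is what would be appended to the analyzer's `HostConfig.Binds` in place of the single mount at the line linked above.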
What does success look like, and how can we measure that?
Sasha is able to provide a CA cert to `sast`, and use gosec (`go get`) with his private instance.