Propagate mounts in SAST and Dependency Scanning
Problem to solve
We want to be able to mount directories and have them available for all analyzers.
Sasha, the Software Developer, will enjoy this new feature.
dependency_scanning jobs require Docker-in-Docker to run:
- https://docs.gitlab.com/ee/ci/examples/dependency_scanning.html

Docker-in-Docker is great, but it doesn't propagate mounts: what is mounted into the orchestrator container is not passed on to the analyzer containers it starts.
A typical need for sast is to pass a CA cert to the analyzers. This can't be done with the current implementation, because the analyzer containers get the single mount set up by the orchestrator and nothing else (https://gitlab.com/gitlab-org/security-products/analyzers/common/blob/master/orchestrator/analyzer.go#L96).
It should be safe to propagate every mount down to each analyzer, with one exception: the Docker socket. An analyzer that can reach /var/run/docker.sock controls the Docker daemon and is effectively root on the runner host, so that mount has to be filtered out rather than forwarded. So instead of a single mount, we should iterate over the orchestrator's own mounts and append each of them here: https://gitlab.com/gitlab-org/security-products/analyzers/common/blob/master/orchestrator/analyzer.go#L101.

The open question is how to get these mounts. Docker's --volumes-from reuses another container's mounts wholesale, but it would forward the socket as well; reading the orchestrator's own mounts (docker inspect on its own container, the Mounts array) and re-creating them as binds would let us filter before forwarding.
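An added example (not code from the analyzers/common orchestrator) of the filtering step such propagation needs: it takes the Mounts array the orchestrator could read by inspecting its own container, re-creates every host bind as a HostConfig.Binds entry for the analyzer, and refuses any mount that would expose the Docker socket, directly or through a parent directory. The MountPoint struct is a local stand-in for the Docker API type, and the sample mounts and host paths are constructed for the example.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// MountPoint mirrors the fields of the Docker Engine API "MountPoint" object
// (the Mounts array returned by `docker inspect`) that this example needs. It is
// declared locally so the example compiles without the Docker client library.
type MountPoint struct {
	Type        string // "bind", "volume" or "tmpfs"
	Source      string // host path for a bind mount
	Destination string // path inside the inspected container
	RW          bool   // false means the mount was given as read-only
}

// dockerSockets lists the host paths of the Docker control socket. /var/run is
// usually a symlink to /run, so both spellings are checked.
var dockerSockets = []string{"/var/run/docker.sock", "/run/docker.sock"}

// ExposesDockerSocket reports whether a mount would hand the analyzer the Docker
// socket, either directly or because its source directory contains the socket
// (e.g. a bind of /var/run or of /). Reaching the socket equals root on the host.
func ExposesDockerSocket(m MountPoint) bool {
	src := filepath.Clean(m.Source)
	for _, sock := range dockerSockets {
		rel, err := filepath.Rel(src, sock)
		if err != nil {
			continue // relative or empty source (tmpfs) cannot contain the socket
		}
		// rel is "." for the socket itself and a plain child path when src is
		// an ancestor; anything starting with ".." lies outside src.
		if rel != ".." && !strings.HasPrefix(rel, "../") {
			return true
		}
	}
	return false
}

// PropagateBinds turns the orchestrator's own bind mounts into HostConfig.Binds
// entries ("source:destination[:ro]") for an analyzer container, dropping the
// Docker socket and anything that is not a host bind (tmpfs has no host path and
// named volumes would need a different spec).
func PropagateBinds(mounts []MountPoint) []string {
	var binds []string
	for _, m := range mounts {
		if m.Type != "bind" || ExposesDockerSocket(m) {
			continue
		}
		spec := m.Source + ":" + m.Destination
		if !m.RW {
			spec += ":ro"
		}
		binds = append(binds, spec)
	}
	return binds
}

// SampleMounts is a constructed stand-in for the Mounts array an orchestrator
// container would see after being started with the Docker socket, the checkout
// directory and a read-only private CA certificate mounted in.
func SampleMounts() []MountPoint {
	return []MountPoint{
		{Type: "bind", Source: "/var/run/docker.sock", Destination: "/var/run/docker.sock", RW: true},
		{Type: "bind", Source: "/builds/group/project", Destination: "/code", RW: true},
		{Type: "bind", Source: "/etc/gitlab-runner/certs/my-ca.crt", Destination: "/usr/local/share/ca-certificates/my-ca.crt", RW: false},
		{Type: "tmpfs", Source: "", Destination: "/tmp", RW: true},
	}
}

func main() {
	// Only the checkout directory and the CA cert survive; the socket is dropped.
	for _, b := range PropagateBinds(SampleMounts()) {
		fmt.Println(b)
	}
}
```

In the real orchestrator the Mounts array would come from the Docker client's ContainerInspect call on the orchestrator's own container ID (by default Docker sets a container's hostname to that ID, which is one way to obtain it). Filtering on the host-side source rather than the in-container destination is deliberate: a user can mount the socket at any path, but the host path it comes from is what grants daemon access.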
What does success look like, and how can we measure that?
Sasha is able to provide a CA cert to sast, so that gosec's go get works against his private instance (which serves TLS with a certificate from that private CA).