Install iptables on non-root scanner containers, or otherwise airgap after pre-requisites
The following scanner images were found to use non-root users in the Dockerfile. This prevented using iptables to airgap them as part of https://gitlab.com/gitlab-org/quality/team-tasks/-/issues/611
- eslint: https://gitlab.com/gitlab-org/security-products/analyzers/eslint/-/blob/master/Dockerfile#L13
- dast: https://gitlab.com/gitlab-org/security-products/dast/-/blob/master/Dockerfile#L67
- phpcs-security-audit: https://gitlab.com/gitlab-org/security-products/analyzers/phpcs-security-audit/-/blob/master/Dockerfile#L17
Figure out a way of running these
Options
- Build a custom image to run against. Requires using DinD.
- Use an internal docker network if possible.
- Future - airgapped environment.
Edited by Will Meek
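
A sketch of the internal-network option listed above, added here as an example and not code from this issue or the GitLab project: Docker enforces the isolation on the host side, so the image's non-root user never needs iptables. The function names, network name and image reference are assumptions.

```shell
#!/bin/sh
# Added example (hypothetical names): airgap a scanner container from the host
# side, so the image's non-root USER never needs iptables inside the container.

# True only if the named Docker network exists and was created with --internal.
is_internal() {
    [ "$(docker network inspect --format '{{.Internal}}' "$1" 2>/dev/null)" = "true" ]
}

# Usage: run_airgapped NETWORK IMAGE [CMD...]
run_airgapped() {
    net=$1; image=$2; shift 2

    # Prerequisite step: fetch the image while the host still has connectivity.
    docker pull "$image" || return 1

    # Create the network on first use; --internal means no route off the host.
    docker network inspect "$net" >/dev/null 2>&1 ||
        docker network create --internal "$net" >/dev/null || return 1

    # Fail closed: a pre-existing network of the same name may not be internal.
    if ! is_internal "$net"; then
        echo "refusing to run: network '$net' is not internal" >&2
        return 3
    fi

    docker run --rm --network "$net" "$image" "$@"
}

# Example call (placeholder image reference):
#   run_airgapped scanner-airgap registry.example.com/scanner:latest
```

The `is_internal` check matters when the network name is reused across jobs: a network created earlier without `--internal` would otherwise silently give the scanner outbound access.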