
Add Dockerfile.fips and FIPS release

Lucas Charles requested to merge theoretick-main-patch-91884 into main

What does this MR do?

Adds Dockerfile.fips and links to (TEMP) ci-templates for programmatic pipeline release of patch version.

The FIPS image is identical, except that it drops support for custom certificates, which must be further researched within gitlab-org/gitlab#355544 (closed).

diff -u Dockerfile Dockerfile.fips

--- Dockerfile	2022-03-24 11:36:14.000000000 -0700
+++ Dockerfile.fips	2022-03-29 13:14:21.000000000 -0700
@@ -6,7 +6,7 @@
 FROM registry.gitlab.com/security-products/post-analyzers/scripts:${POST_ANALYZER_SCRIPTS_VERSION} AS scripts
 FROM registry.gitlab.com/security-products/post-analyzers/tracking-calculator:${TRACKING_CALCULATOR_VERSION} AS tracking
 
-FROM golang:1.17-alpine AS build
+FROM registry.gitlab.com/gitlab-org/gitlab-runner/go-fips:1.17 AS build
 
 ENV CGO_ENABLED=0 GOOS=linux
 
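Review bot: `ENV CGO_ENABLED=0` on the line after the new `FROM registry.gitlab.com/gitlab-org/gitlab-runner/go-fips:1.17 AS build` is unchanged from the Alpine build, but a FIPS Go toolchain links its validated crypto module (BoringCrypto or the Red Hat OpenSSL backend) through cgo; with cgo disabled the resulting `/analyzer-semgrep` silently falls back to the pure-Go crypto and is not actually FIPS-compliant. Set `CGO_ENABLED=1` for this Dockerfile and add a build-time check that the binary references the FIPS module (e.g. `go tool nm /analyzer-semgrep | grep -i -e openssl -e boring`), failing the build if it does not. The base image is also pinned only to the floating `1.17` tag of another project's image; pin it by digest so the FIPS toolchain cannot change underneath a release.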
@@ -18,31 +18,31 @@
         PATH_TO_MODULE=`go list -m` && \
         go build -ldflags="-X '$PATH_TO_MODULE/metadata.AnalyzerVersion=$CHANGELOG_VERSION'" -o /analyzer-semgrep
 
-# Allow the semgrep user to add custom ca certificates to the system.
-RUN addgroup -g 1000 semgrep && \
-    adduser -u 1000 -D -h /home/semgrep -G semgrep semgrep && \
-    touch /ca-cert-additional-gitlab-bundle.pem && \
-    chown root:semgrep /ca-cert-additional-gitlab-bundle.pem && \
-    chmod g+w /ca-cert-additional-gitlab-bundle.pem
-
-FROM python:3.9-alpine
+FROM registry.access.redhat.com/ubi8/python-39
+USER root
 
 ARG SCANNER_VERSION
 ENV SCANNER_VERSION ${SCANNER_VERSION}
 ENV SEMGREP_R2C_INTERNAL_EXPLICIT_SEMGREPIGNORE "/semgrepignore"
 
 COPY --from=build /analyzer-semgrep /analyzer-binary
-COPY --from=build /ca-cert-additional-gitlab-bundle.pem /etc/ssl/certs/ca-cert-additional-gitlab-bundle.pem
 COPY rules /rules
 COPY semgrepignore /semgrepignore
-RUN mkdir /.cache && \
-    chmod -R g+rw /.cache
 
-RUN apk add --no-cache git && \
-    pip install ruamel.yaml==0.16.12 semgrep==$SCANNER_VERSION
+RUN yum -y -q update --disableplugin=subscription-manager && \
+    yum -y -q upgrade --disableplugin=subscription-manager && \
+    yum -y -q install --disableplugin=subscription-manager git wget && \
+    yum -y clean all --enablerepo='*'
+
+RUN pip install ruamel.yaml==0.16.12 semgrep==$SCANNER_VERSION
+
+RUN groupadd -g 1000 gitlab && \
+    useradd -u 1000 -d /home/gitlab -g gitlab gitlab
 
 COPY --from=tracking /analyzer-tracking /analyzer-tracking
 COPY --from=scripts /start.sh /analyzer
 
+USER gitlab
+
 ENTRYPOINT []
 CMD ["/analyzer", "run"]
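Review bot: the `yum ... install` line in this hunk pulls in `wget`, which nothing in the Dockerfile uses; drop it to keep the runtime image minimal. In the same RUN, `yum -y -q update` followed by `yum -y -q upgrade` is redundant on UBI8 (dnf treats them as the same operation), so one of the two can go. Further down, `useradd -u 1000 -d /home/gitlab -g gitlab gitlab` does not pass `-m`, so the home directory only exists if the base image's login.defs has CREATE_HOME enabled, and the Alpine image's group-writable `/.cache` was removed without a replacement; since the final `USER gitlab` runs semgrep as uid 1000, confirm it can create its cache under /home/gitlab (or add `-m` and create the cache directory explicitly). Finally, `registry.access.redhat.com/ubi8/python-39` is used with no tag or digest, so the runtime base can drift between builds; pin it.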

What are the relevant issue numbers?

gitlab-org/gitlab#354989 (closed)

Does this MR meet the acceptance criteria?

Edited by Zach Rice
