Add Dockerfile.fips and FIPS release
What does this MR do?
Adds Dockerfile.fips and links to (TEMP) ci-templates for programmatic pipeline release of the patch version.
The FIPS image is identical except that it drops support for custom certificates, which must be further researched within gitlab-org/gitlab#355544 (closed).
diff -u Dockerfile Dockerfile.fips
--- Dockerfile 2022-03-24 11:36:14.000000000 -0700
+++ Dockerfile.fips 2022-03-29 13:14:21.000000000 -0700
@@ -6,7 +6,7 @@
FROM registry.gitlab.com/security-products/post-analyzers/scripts:${POST_ANALYZER_SCRIPTS_VERSION} AS scripts
FROM registry.gitlab.com/security-products/post-analyzers/tracking-calculator:${TRACKING_CALCULATOR_VERSION} AS tracking
-FROM golang:1.17-alpine AS build
+FROM registry.gitlab.com/gitlab-org/gitlab-runner/go-fips:1.17 AS build
ENV CGO_ENABLED=0 GOOS=linux
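Review bot: the unchanged `ENV CGO_ENABLED=0 GOOS=linux` line directly below the new `FROM registry.gitlab.com/gitlab-org/gitlab-runner/go-fips:1.17 AS build` undermines the switch to the FIPS toolchain: the go-fips builds reach the FIPS-validated OpenSSL module through cgo, and with cgo disabled the compiler falls back to Go's native crypto, so `/analyzer-semgrep` would be built by a FIPS image without actually using FIPS crypto. Suggest `ENV CGO_ENABLED=1 GOOS=linux` in Dockerfile.fips and a build-time check that the resulting binary links libcrypto (for example `ldd /analyzer-semgrep`), and pin the base image to a digest or full patch version instead of the floating `1.17` tag so FIPS rebuilds are reproducible.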
@@ -18,31 +18,31 @@
PATH_TO_MODULE=`go list -m` && \
go build -ldflags="-X '$PATH_TO_MODULE/metadata.AnalyzerVersion=$CHANGELOG_VERSION'" -o /analyzer-semgrep
-# Allow the semgrep user to add custom ca certificates to the system.
-RUN addgroup -g 1000 semgrep && \
- adduser -u 1000 -D -h /home/semgrep -G semgrep semgrep && \
- touch /ca-cert-additional-gitlab-bundle.pem && \
- chown root:semgrep /ca-cert-additional-gitlab-bundle.pem && \
- chmod g+w /ca-cert-additional-gitlab-bundle.pem
-
-FROM python:3.9-alpine
+FROM registry.access.redhat.com/ubi8/python-39
+USER root
ARG SCANNER_VERSION
ENV SCANNER_VERSION ${SCANNER_VERSION}
ENV SEMGREP_R2C_INTERNAL_EXPLICIT_SEMGREPIGNORE "/semgrepignore"
COPY --from=build /analyzer-semgrep /analyzer-binary
-COPY --from=build /ca-cert-additional-gitlab-bundle.pem /etc/ssl/certs/ca-cert-additional-gitlab-bundle.pem
COPY rules /rules
COPY semgrepignore /semgrepignore
-RUN mkdir /.cache && \
- chmod -R g+rw /.cache
-RUN apk add --no-cache git && \
- pip install ruamel.yaml==0.16.12 semgrep==$SCANNER_VERSION
+RUN yum -y -q update --disableplugin=subscription-manager && \
+ yum -y -q upgrade --disableplugin=subscription-manager && \
+ yum -y -q install --disableplugin=subscription-manager git wget && \
+ yum -y clean all --enablerepo='*'
+
+RUN pip install ruamel.yaml==0.16.12 semgrep==$SCANNER_VERSION
+
+RUN groupadd -g 1000 gitlab && \
+ useradd -u 1000 -d /home/gitlab -g gitlab gitlab
COPY --from=tracking /analyzer-tracking /analyzer-tracking
COPY --from=scripts /start.sh /analyzer
+USER gitlab
+
ENTRYPOINT []
CMD ["/analyzer", "run"]
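Review bot: `useradd -u 1000 -d /home/gitlab -g gitlab gitlab` declares a home directory but never creates it (no `-m`), and the old `RUN mkdir /.cache && chmod -R g+rw /.cache` is dropped without a replacement, so after `USER gitlab` takes effect semgrep and pip have no writable home or cache directory and will fail or emit permission errors at scan time; add `-m` (or `mkdir -p /home/gitlab && chown gitlab:gitlab /home/gitlab`) plus a group-writable cache directory before the user switch. Smaller points in the same hunk: `yum -y -q update` and `yum -y -q upgrade` are the same operation, so one can go; `wget` is installed but nothing in the hunk uses it, so it only adds surface to the final image; `FROM registry.access.redhat.com/ubi8/python-39` carries no tag or digest and should be pinned; and since the `ca-cert-additional-gitlab-bundle.pem` COPY is removed, a comment in Dockerfile.fips pointing at gitlab-org/gitlab#355544 would keep the custom-CA gap from being lost.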
What are the relevant issue numbers?
gitlab-org/gitlab#354989 (closed)
Does this MR meet the acceptance criteria?
- Changelog entry added
- Documentation created/updated for GitLab EE, if necessary
- Documentation created/updated for this project, if necessary
- Documentation reviewed by technical writer or follow-up review issue created
- Tests added for this feature/bug
- Job definition updated, if necessary
- Conforms to the code review guidelines
- Conforms to the Go guidelines
- Security reports checked/validated by reviewer
Edited by Zach Rice