Run Secure analyzers as non-root users
[ToC] ## Problem to solve We've started to transition some analyzers to run with a non-root user. We've also deprecated a handful of analyzers that are no longer used. The purpose of this issue is to transition any remaining analyzers that runs as root today to support using a non-root user with an [accepted standard](##accepted-standard). Ultimately we'd like to have this be the default behavior, but that might delay the change as it could qualify as a breaking change. We should explore if we can roll out support for a non-root user, and iteratively switch to a non-root user by default in the next breaking change window. ## Proposal ### Accepted standard All analyzers must add a non-default user with the following parameters: 1. username = `gitlab` 2. UID = `1000` 3. GID = `1000` ### Operational - [x] Audit all analyzers and identify any containers that don't conform to the [standard](#accepted-standard) - [x] Have the group responsible for each analyzer review the implementation plan and determine what the level of effort will be: 1. T-shirt size the estimate in the "Effort Needed" column (S,M,L,XL) 3. Estimate which milestone you'd be able to make this change in Q3. - [ ] Update analyzer documentation to include any relevant updates as a part of this effort (user, os, openshift support, etc.) ## Implementation Plan 1. Review the [analyzer guidance for Dockerfiles](https://docs.gitlab.com/ee/development/sec/analyzer_development_guide.html#dockerfile) and determine what is needed to support a non-root user out of the box without the need for a workaround. 2. [Test analyzer](https://docs.gitlab.com/ee/development/sec/analyzer_development_guide.html#how-to-test-the-analyzers) to ensure it's working as intended. 3. Merge and release secure analyzer Docker containers running with support non-root user. If it's a breaking change, schedule and coordinate with PM so they can add it to a breaking change announcement. 4. Document any limitations an analyzer might have when running as a non-root user. ## Analyzers don't conform to [the standard](#accepted-standard) <table> <tr> <th>Analyzer</th> <th>Image</th> <th>Effort Needed</th> <th> Breaking change? (Reason) </th> <th>Issue</th> <th>Target Delivery Milestone</th> <th>Team</th> <th>DRI</th> </tr> <tr> <td> [semgrep](https://gitlab.com/gitlab-org/security-products/analyzers/semgrep) (SAST) </td> <td> `https://registry.gitlab.com/gitlab-org/security-products/analyzers/semgrep:5` </td> <td>S</td> <td> [No](https://gitlab.com/gitlab-org/gitlab/-/issues/474602#note_2019485685 "Use non-root users in SAST analyzers") </td> <td> https://gitlab.com/gitlab-org/gitlab/-/issues/474602+s </td> <td> %"17.5" </td> <td> gitlab~10690740 </td> <td> @julianthome </td> </tr> <tr> <td> [pmd-apex](https://gitlab.com/gitlab-org/security-products/analyzers/pmd-apex) (SAST) </td> <td> `https://registry.gitlab.com/gitlab-org/security-products/analyzers/pmd-apex:5` </td> <td>S</td> <td> [No](https://gitlab.com/gitlab-org/gitlab/-/issues/474602#note_2019485685 "Use non-root users in SAST analyzers") </td> <td> https://gitlab.com/gitlab-org/gitlab/-/issues/474602+s </td> <td> %"17.5" </td> <td> gitlab~10690740 </td> <td> @julianthome </td> </tr> <tr> <td> [spotbugs](https://gitlab.com/gitlab-org/security-products/analyzers/pmd-apex) (SAST) </td> <td> `https://registry.gitlab.com/gitlab-org/security-products/analyzers/spotbugs:5` </td> <td>M</td> <td> [No](https://gitlab.com/gitlab-org/gitlab/-/issues/474602#note_2019485685 "Use non-root users in SAST analyzers") </td> <td> https://gitlab.com/gitlab-org/gitlab/-/issues/474602+s </td> <td> %"17.6" </td> <td> gitlab~10690740 </td> <td> @julianthome </td> </tr> <tr> <td> [sobelow](https://gitlab.com/gitlab-org/security-products/analyzers/sobelow) (SAST) </td> <td> `https://registry.gitlab.com/gitlab-org/security-products/analyzers/sobelow:5` </td> <td>S</td> <td> [No](https://gitlab.com/gitlab-org/gitlab/-/issues/474602#note_2019485685 "Use non-root users in SAST analyzers") </td> <td> https://gitlab.com/gitlab-org/gitlab/-/issues/474602+s </td> <td> %"17.5" </td> <td> gitlab~10690740 </td> <td> @julianthome </td> </tr> <tr> <td> [kics](https://gitlab.com/gitlab-org/security-products/analyzers/kics) (IaC) </td> <td> `https://registry.gitlab.com/gitlab-org/security-products/analyzers/kics:5` </td> <td>S</td> <td> [No](https://gitlab.com/gitlab-org/gitlab/-/issues/474602#note_2019485685 "Use non-root users in SAST analyzers") </td> <td> https://gitlab.com/gitlab-org/gitlab/-/issues/474602+s </td> <td> %"17.6" </td> <td> gitlab~10690740 </td> <td> @julianthome </td> </tr> <tr> <td>gitlab-advanced-sast</td> <td> `https://registry.gitlab.com/gitlab-org/security-products/analyzers/gitlab-advanced-sast:latest` </td> <td>L (there will be a performance impact if using a non-root user)</td> <td>No</td> <td> </td> <td> </td> <td> gitlab~10690740 </td> <td> @rvider </td> </tr> <tr> <td> [secrets](https://gitlab.com/gitlab-org/security-products/analyzers/pmd-apex) (Secret Detection) </td> <td> `https://registry.gitlab.com/gitlab-org/security-products/analyzers/secrets:6` </td> <td>S</td> <td>No</td> <td> https://gitlab.com/gitlab-org/gitlab/-/issues/476160+s </td> <td> %"17.5" </td> <td> gitlab~34839169 </td> <td> @amarpatel </td> </tr> <tr> <td> [gemnasium-maven](https://gitlab.com/gitlab-org/security-products/analyzers/pmd-apex) (Dependency Scanning) </td> <td> `https://registry.gitlab.com/gitlab-org/security-products/analyzers/gemnasium/maven:5` </td> <td>M</td> <td>No</td> <td> https://gitlab.com/gitlab-org/gitlab/-/issues/431945+s </td> <td> 17.5 ([as a new analyzer](https://gitlab.com/gitlab-org/gitlab/-/issues/229817 "Report vulnerable dependency paths for Maven, Gradle (Java)")) </td> <td> gitlab~10690742 </td> <td> @thiagocsf </td> </tr> <tr> <td> [gemnasium-maven-fips](https://gitlab.com/gitlab-org/security-products/analyzers/pmd-apex) (Dependency Scanning) </td> <td> `https://registry.gitlab.com/gitlab-org/security-products/analyzers/gemnasium/maven:5-fips` </td> <td>M</td> <td>No</td> <td> https://gitlab.com/gitlab-org/gitlab/-/issues/431945+s </td> <td> 17.5 ([as a new analyzer](https://gitlab.com/gitlab-org/gitlab/-/issues/229817 "Report vulnerable dependency paths for Maven, Gradle (Java)")) </td> <td> gitlab~10690742 </td> <td> @thiagocsf </td> </tr> </table> ## Deprecated analyzers - [ ] ~~gosec root~~ (Deprecated in %"15.0") - [ ] ~~security-code-scan root~~ (Deprecated in %"16.0"") - [ ] ~~bandit root~~ (Deprecated in %"17.0") - [ ] ~~brakeman root~~ (Deprecated in %"17.0") - [ ] ~~flawfinder root~~ (Deprecated in %"17.0") ## Analyzers that run as a non-root user - [x] bundler-audit root ( https://gitlab.com/gitlab-org/gitlab/-/issues/281816) - [x] gemnasium root ( https://gitlab.com/gitlab-org/gitlab/-/issues/281816) - [x] gemnasium-maven root ( https://gitlab.com/gitlab-org/gitlab/-/issues/281816) - [x] gemnasium-python root ( https://gitlab.com/gitlab-org/gitlab/-/issues/281816) - [x] gcs root ( https://gitlab.com/gitlab-org/gitlab/-/issues/273530) - [x] retire.js root ( https://gitlab.com/gitlab-org/gitlab/-/issues/281816) - [x] DAST ( https://gitlab.com/gitlab-org/gitlab/-/issues/37928) - [x] API Security Testing / API Fuzzing ( https://gitlab.com/gitlab-org/gitlab/-/issues/287702) - [x] API Discovery (does not user Docker) - [x] Coverage Fuzz Testing (does not user Docker) - [x] gitlab-advanced-sast (FIPS image) - [x] secrets (FIPS image) - [x] SAST - semgrep (FIPS image) - [x] IaC (FIPS image)
epic