Run Secure analyzers as non-root users
[ToC]
## Problem to solve
We've started to transition some analyzers to run with a non-root user. We've also deprecated a handful of analyzers that are no longer used. The purpose of this issue is to transition any remaining analyzers that runs as root today to support using a non-root user with an [accepted standard](##accepted-standard). Ultimately we'd like to have this be the default behavior, but that might delay the change as it could qualify as a breaking change. We should explore if we can roll out support for a non-root user, and iteratively switch to a non-root user by default in the next breaking change window.
## Proposal
### Accepted standard
All analyzers must add a non-default user with the following parameters:
1. username = `gitlab`
2. UID = `1000`
3. GID = `1000`
### Operational
- [x] Audit all analyzers and identify any containers that don't conform to the [standard](#accepted-standard)
- [x] Have the group responsible for each analyzer review the implementation plan and determine what the level of effort will be:
1. T-shirt size the estimate in the "Effort Needed" column (S,M,L,XL)
3. Estimate which milestone you'd be able to make this change in Q3.
- [ ] Update analyzer documentation to include any relevant updates as a part of this effort (user, os, openshift support, etc.)
## Implementation Plan
1. Review the [analyzer guidance for Dockerfiles](https://docs.gitlab.com/ee/development/sec/analyzer_development_guide.html#dockerfile) and determine what is needed to support a non-root user out of the box without the need for a workaround.
2. [Test analyzer](https://docs.gitlab.com/ee/development/sec/analyzer_development_guide.html#how-to-test-the-analyzers) to ensure it's working as intended.
3. Merge and release secure analyzer Docker containers running with support non-root user. If it's a breaking change, schedule and coordinate with PM so they can add it to a breaking change announcement.
4. Document any limitations an analyzer might have when running as a non-root user.
## Analyzers don't conform to [the standard](#accepted-standard)
<table>
<tr>
<th>Analyzer</th>
<th>Image</th>
<th>Effort Needed</th>
<th>
Breaking change?
(Reason)
</th>
<th>Issue</th>
<th>Target Delivery Milestone</th>
<th>Team</th>
<th>DRI</th>
</tr>
<tr>
<td>
[semgrep](https://gitlab.com/gitlab-org/security-products/analyzers/semgrep) (SAST)
</td>
<td>
`https://registry.gitlab.com/gitlab-org/security-products/analyzers/semgrep:5`
</td>
<td>S</td>
<td>
[No](https://gitlab.com/gitlab-org/gitlab/-/issues/474602#note_2019485685 "Use non-root users in SAST analyzers")
</td>
<td>
https://gitlab.com/gitlab-org/gitlab/-/issues/474602+s
</td>
<td>
%"17.5"
</td>
<td>
gitlab~10690740
</td>
<td>
@julianthome
</td>
</tr>
<tr>
<td>
[pmd-apex](https://gitlab.com/gitlab-org/security-products/analyzers/pmd-apex) (SAST)
</td>
<td>
`https://registry.gitlab.com/gitlab-org/security-products/analyzers/pmd-apex:5`
</td>
<td>S</td>
<td>
[No](https://gitlab.com/gitlab-org/gitlab/-/issues/474602#note_2019485685 "Use non-root users in SAST analyzers")
</td>
<td>
https://gitlab.com/gitlab-org/gitlab/-/issues/474602+s
</td>
<td>
%"17.5"
</td>
<td>
gitlab~10690740
</td>
<td>
@julianthome
</td>
</tr>
<tr>
<td>
[spotbugs](https://gitlab.com/gitlab-org/security-products/analyzers/pmd-apex) (SAST)
</td>
<td>
`https://registry.gitlab.com/gitlab-org/security-products/analyzers/spotbugs:5`
</td>
<td>M</td>
<td>
[No](https://gitlab.com/gitlab-org/gitlab/-/issues/474602#note_2019485685 "Use non-root users in SAST analyzers")
</td>
<td>
https://gitlab.com/gitlab-org/gitlab/-/issues/474602+s
</td>
<td>
%"17.6"
</td>
<td>
gitlab~10690740
</td>
<td>
@julianthome
</td>
</tr>
<tr>
<td>
[sobelow](https://gitlab.com/gitlab-org/security-products/analyzers/sobelow) (SAST)
</td>
<td>
`https://registry.gitlab.com/gitlab-org/security-products/analyzers/sobelow:5`
</td>
<td>S</td>
<td>
[No](https://gitlab.com/gitlab-org/gitlab/-/issues/474602#note_2019485685 "Use non-root users in SAST analyzers")
</td>
<td>
https://gitlab.com/gitlab-org/gitlab/-/issues/474602+s
</td>
<td>
%"17.5"
</td>
<td>
gitlab~10690740
</td>
<td>
@julianthome
</td>
</tr>
<tr>
<td>
[kics](https://gitlab.com/gitlab-org/security-products/analyzers/kics)
(IaC)
</td>
<td>
`https://registry.gitlab.com/gitlab-org/security-products/analyzers/kics:5`
</td>
<td>S</td>
<td>
[No](https://gitlab.com/gitlab-org/gitlab/-/issues/474602#note_2019485685 "Use non-root users in SAST analyzers")
</td>
<td>
https://gitlab.com/gitlab-org/gitlab/-/issues/474602+s
</td>
<td>
%"17.6"
</td>
<td>
gitlab~10690740
</td>
<td>
@julianthome
</td>
</tr>
<tr>
<td>gitlab-advanced-sast</td>
<td>
`https://registry.gitlab.com/gitlab-org/security-products/analyzers/gitlab-advanced-sast:latest`
</td>
<td>L (there will be a performance impact if using a non-root user)</td>
<td>No</td>
<td>
</td>
<td>
</td>
<td>
gitlab~10690740
</td>
<td>
@rvider
</td>
</tr>
<tr>
<td>
[secrets](https://gitlab.com/gitlab-org/security-products/analyzers/pmd-apex) (Secret Detection)
</td>
<td>
`https://registry.gitlab.com/gitlab-org/security-products/analyzers/secrets:6`
</td>
<td>S</td>
<td>No</td>
<td>
https://gitlab.com/gitlab-org/gitlab/-/issues/476160+s
</td>
<td>
%"17.5"
</td>
<td>
gitlab~34839169
</td>
<td>
@amarpatel
</td>
</tr>
<tr>
<td>
[gemnasium-maven](https://gitlab.com/gitlab-org/security-products/analyzers/pmd-apex) (Dependency Scanning)
</td>
<td>
`https://registry.gitlab.com/gitlab-org/security-products/analyzers/gemnasium/maven:5`
</td>
<td>M</td>
<td>No</td>
<td>
https://gitlab.com/gitlab-org/gitlab/-/issues/431945+s
</td>
<td>
17.5 ([as a new analyzer](https://gitlab.com/gitlab-org/gitlab/-/issues/229817 "Report vulnerable dependency paths for Maven, Gradle (Java)"))
</td>
<td>
gitlab~10690742
</td>
<td>
@thiagocsf
</td>
</tr>
<tr>
<td>
[gemnasium-maven-fips](https://gitlab.com/gitlab-org/security-products/analyzers/pmd-apex)
(Dependency Scanning)
</td>
<td>
`https://registry.gitlab.com/gitlab-org/security-products/analyzers/gemnasium/maven:5-fips`
</td>
<td>M</td>
<td>No</td>
<td>
https://gitlab.com/gitlab-org/gitlab/-/issues/431945+s
</td>
<td>
17.5 ([as a new analyzer](https://gitlab.com/gitlab-org/gitlab/-/issues/229817 "Report vulnerable dependency paths for Maven, Gradle (Java)"))
</td>
<td>
gitlab~10690742
</td>
<td>
@thiagocsf
</td>
</tr>
</table>
## Deprecated analyzers
- [ ] ~~gosec root~~ (Deprecated in %"15.0")
- [ ] ~~security-code-scan root~~ (Deprecated in %"16.0"")
- [ ] ~~bandit root~~ (Deprecated in %"17.0")
- [ ] ~~brakeman root~~ (Deprecated in %"17.0")
- [ ] ~~flawfinder root~~ (Deprecated in %"17.0")
## Analyzers that run as a non-root user
- [x] bundler-audit root ( https://gitlab.com/gitlab-org/gitlab/-/issues/281816)
- [x] gemnasium root ( https://gitlab.com/gitlab-org/gitlab/-/issues/281816)
- [x] gemnasium-maven root ( https://gitlab.com/gitlab-org/gitlab/-/issues/281816)
- [x] gemnasium-python root ( https://gitlab.com/gitlab-org/gitlab/-/issues/281816)
- [x] gcs root ( https://gitlab.com/gitlab-org/gitlab/-/issues/273530)
- [x] retire.js root ( https://gitlab.com/gitlab-org/gitlab/-/issues/281816)
- [x] DAST ( https://gitlab.com/gitlab-org/gitlab/-/issues/37928)
- [x] API Security Testing / API Fuzzing ( https://gitlab.com/gitlab-org/gitlab/-/issues/287702)
- [x] API Discovery (does not user Docker)
- [x] Coverage Fuzz Testing (does not user Docker)
- [x] gitlab-advanced-sast (FIPS image)
- [x] secrets (FIPS image)
- [x] SAST - semgrep (FIPS image)
- [x] IaC (FIPS image)
epic