
Add DS_IMAGE_SUFFIX to enable Gemnasium FIPS

Fabien Catteau requested to merge 354796-DS_IMAGE_SUFFIX-FIPS into master

What does this MR do and why?

Add CI variable DS_IMAGE_SUFFIX to the Dependency Scanning CI template, and document how to use it to use the FIPS-enabled Docker images of Gemnasium.

Since DS_IMAGE_SUFFIX applies to all Dependency Scanning images,

See #354796

Screenshots or screen recordings

These are strongly recommended to assist reviewers and reduce the time to merge your change.

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Testing

Tested by using the CI template in gitlab-org/security-products/tests/go-modules!76 (closed)

  • When DS_IMAGE_SUFFIX is not set, the image gemnasium:2 is used. See job.
  • When DS_IMAGE_SUFFIX is set to -fips, gemnasium:2-fips is used. See job.
  • When we follow the instructions, FIPS-enabled images are used, and the analyzers that are incompatible are skipped.
    • MR with documented variables.
    • pipeline where gemnasium runs but retire.js is skipped, as expected.
    • job that uses gemnasium:2-fips, as expected.
Edited by Fabien Catteau
