Use Gemnasium FIPS-enabled images automatically
What does this MR do and why?
Automatically use FIPS-enabled Docker images of Gemnasium (Dependency Scanning) when FIPS mode is enabled in the GitLab instance.
Job rules are added to the Gemnasium CI jobs to set DS_IMAGE_SUFFIX to "-fips" when the predefined CI_GITLAB_FIPS_MODE variable is set.
See #357922 (closed)
This depends on !86704 (merged) and sits on top of remove-deprecated-ds-analyzers.
Right now the target branch is remove-deprecated-ds-analyzers to make the diff readable.
Testing
The following two contexts become RSpec shared_examples:
- language detection, as-is
- when PIP_REQUIREMENTS_FILE is defined, as PIP_REQUIREMENTS_FILE support
This makes it possible to use these shared examples to cover two contexts:
- default, which already existed prior to this MR
- when FIPS mode is enabled, which is a new context
Also, language detection and PIP_REQUIREMENTS_FILE support now both include new shared examples named predefined image suffix. This ensures that the Docker image has the expected suffix:
- By default there is no suffix.
- When FIPS mode is enabled, the suffix is "-fips".
Because CI variables aren't expanded in the job parameter image:name when running the spec, predefined image suffix performs the following checks:
- The image name ends with $DS_IMAGE_SUFFIX.
- $DS_IMAGE_SUFFIX is set to the expected_image_suffix.
Screenshots or screen recordings
These are strongly recommended to assist reviewers and reduce the time to merge your change.
How to set up and validate locally
- Create a project compatible with Dependency Scanning.
- Add Dependency Scanning to the CI pipeline.
- Run a new pipeline where CI_GITLAB_FIPS_MODE is set to "true".
  - Compatible Gemnasium scanning jobs are triggered.
  - These jobs use FIPS-enabled images, like gemnasium:2-fips.
- Run a pipeline where CI_GITLAB_FIPS_MODE is "false" or not set.
  - Compatible Gemnasium scanning jobs are triggered.
  - These jobs use default images, like gemnasium:2.
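As an added example, not code from this MR, from the real Dependency Scanning template or from GitLab's specs, the following Ruby script simulates the job rule described above and the two checks the predefined image suffix shared examples perform, then runs the three pipelines from the local validation steps (FIPS mode "true", "false", unset). The template text, the image-name layout, the SECURE_ANALYZERS_PREFIX / DS_MAJOR_VERSION values and the rule evaluator are assumptions constructed for illustration; only DS_IMAGE_SUFFIX, CI_GITLAB_FIPS_MODE and the "-fips" suffix come from the MR. It needs nothing beyond the Ruby standard library.

```ruby
require 'yaml'

# Constructed stand-in for the Gemnasium job in the Dependency Scanning CI
# template. It is NOT GitLab's real template; it only reproduces the shape
# this MR relies on: a DS_IMAGE_SUFFIX default, an image name that ends in
# $DS_IMAGE_SUFFIX, and a rule that overrides the suffix when the predefined
# CI_GITLAB_FIPS_MODE variable is "true".
GEMNASIUM_TEMPLATE = <<~'YAML'
  variables:
    SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
    DS_MAJOR_VERSION: "2"
    DS_IMAGE_SUFFIX: ""

  gemnasium-dependency_scanning:
    image:
      name: "$SECURE_ANALYZERS_PREFIX/gemnasium:$DS_MAJOR_VERSION$DS_IMAGE_SUFFIX"
    rules:
      - if: $CI_GITLAB_FIPS_MODE == "true"
        variables:
          DS_IMAGE_SUFFIX: "-fips"
      - when: on_success
YAML

JOB = 'gemnasium-dependency_scanning'

# Minimal evaluator for the two `if:` shapes used above: `$VAR == "literal"`
# and a bare `$VAR` (true when set and non-empty). GitLab's rule grammar is
# much richer; this hypothetical helper covers only what the example needs.
def rule_matches?(rule, vars)
  cond = rule['if']
  return true if cond.nil? # a rule without `if` always matches

  if (m = cond.match(/\A\$(\w+)\s*==\s*"([^"]*)"\z/))
    vars[m[1]].to_s == m[2]
  elsif (m = cond.match(/\A\$(\w+)\z/))
    !vars[m[1]].to_s.empty?
  else
    raise ArgumentError, "unsupported rule expression: #{cond.inspect}"
  end
end

# Variables the job runs with: predefined variables, then the template's
# global `variables:`, then the job's own, then the `variables:` of the first
# matching rule (rule-level variables win, as they do in GitLab CI).
# Returns nil when no rule matches, i.e. the job is not added to the pipeline.
def effective_variables(predefined)
  config = YAML.safe_load(GEMNASIUM_TEMPLATE)
  job = config.fetch(JOB)
  vars = predefined.merge(config.fetch('variables', {})).merge(job.fetch('variables', {}))
  matched = job.fetch('rules', []).find { |rule| rule_matches?(rule, vars) }
  return nil if matched.nil?

  vars.merge(matched.fetch('variables', {}))
end

# Expand `$VAR` references the way the runner does for image:name.
def expand(str, vars)
  str.gsub(/\$(\w+)/) { vars.fetch(Regexp.last_match(1), '').to_s }
end

# The two checks the spec's `predefined image suffix` shared examples make
# (the raw image:name ends with $DS_IMAGE_SUFFIX, and DS_IMAGE_SUFFIX holds
# the expected value), plus the expanded image the job would actually pull.
def image_for(predefined)
  vars = effective_variables(predefined)
  return nil if vars.nil?

  raw_name = YAML.safe_load(GEMNASIUM_TEMPLATE).dig(JOB, 'image', 'name')
  {
    suffix: vars['DS_IMAGE_SUFFIX'],
    name_ends_with_suffix_var: raw_name.end_with?('$DS_IMAGE_SUFFIX'),
    image: expand(raw_name, vars)
  }
end

if __FILE__ == $PROGRAM_NAME
  # Mirrors the local validation runs: FIPS mode "true", "false", and unset.
  [{ 'CI_GITLAB_FIPS_MODE' => 'true' }, { 'CI_GITLAB_FIPS_MODE' => 'false' }, {}].each do |env|
    puts "#{env.inspect} -> #{image_for(env).inspect}"
  end
end
```

The end_with? check on the unexpanded image:name is the same shortcut the spec takes: the template is loaded without a runner, so $DS_IMAGE_SUFFIX is still literal text there, and the suffix itself has to be asserted on the variable rather than on the expanded image.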
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.