Skip to content

Disable DS auto-remediate when FIPS mode

Fabien Catteau requested to merge fips-disable-ds-remediate into master

What does this MR do and why?

Disable Dependency Scanning Auto-remediation by setting DS_REMEDIATE to "false" when FIPS mode is enabled.

This implements https://gitlab.com/gitlab-org/gitlab/-/issues/366773+.

Auto-remediation uses yarn upgrade, which is not compatible with FIPS.

Screenshots or screen recordings

When CI_GITLAB_FIPS_MODE is true, DS_REMEDIATE is false, and there's no auto-remediation: https://gitlab.com/gitlab-org/security-products/tests/js-yarn/-/jobs/2676405227#L22

When CI_GITLAB_FIPS_MODE isn't set, there is auto-remediation: https://gitlab.com/gitlab-org/security-products/tests/js-yarn/-/jobs/2676405226#L24

How to set up and validate locally

On a GitLab instance where FIPS is enabled,

  1. Create a yarn project that depends on vulnerable packages.
  2. Include the CI template for Dependency Scanning.
  3. Trigger a pipeline.

The pipeline should have a gemnasium-dependency_scanning job, and the analyzer doesn't attempt auto-remediation. There's no failure for yarn upgrade in the log messages of the job.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Fabien Catteau

Merge request reports

Loading