Modify CS_SEVERITY_THRESHOLD config
What does this MR do?
The `CS_SEVERITY_THRESHOLD: medium` config was set in global scope, which causes 2 problems:

- This is applied to CS scans for both fips and non-fips images. However, FedRAMP compliance requires reporting findings for all severity levels. Example:

  ```
  Scanning container from registry registry.gitlab.com/security-products/container-scanning/grype:6-fips for vulnerabilities with severity level MEDIUM or higher, with gcs 6.6.0 and Trivy Version: 0.44.1, advisories updated at 2023-12-17T04:20:21+00:00
  ```

- This was passed through the context of integration tests. While not causing an issue for now, this is not intentional and could cause issues down the road. Example:

  ```
  [INFO] [2023-12-22 16:32:42 +0000] [container-scanning] > Scanning container from registry alpine:3.12.0 for vulnerabilities with severity level MEDIUM or higher, with gcs 6.6.0 and Trivy Version: 0.44.1, advisories updated at 2023-12-22T04:23:58+00:00
  ```

This MR moves the variable into the scope of the Container Scanning job and limits its usage to non-fips images.
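A quick way to confirm the fix from job output, as an added example that is not part of this MR or the gcs project: it parses the "Scanning container from registry ..." banner quoted above and flags any FIPS image scanned with a threshold higher than the lowest level. The `-fips` tag-suffix convention and `UNKNOWN` as the lowest reported level are assumptions.

```python
"""Audit container-scanning job logs for the severity threshold actually applied.

Added example (not gcs code). It reads the banner line gcs prints at scan start
and reports FIPS images scanned with a threshold that drops lower-severity
findings, which FedRAMP compliance does not allow.
"""
import re
from typing import Optional

# Assumption: UNKNOWN is the lowest level, i.e. "report everything".
SEVERITIES = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# The integration-test lines carry an "[INFO] [...] [container-scanning] > "
# prefix, so search rather than anchor at the start of the line.
BANNER = re.compile(
    r"Scanning container from registry (?P<image>\S+) for vulnerabilities "
    r"with severity level (?P<level>[A-Z]+) or higher"
)

def parse_banner(line: str) -> Optional[dict]:
    """Return {'image': ..., 'level': ...} for a banner line, else None."""
    m = BANNER.search(line)
    return {"image": m.group("image"), "level": m.group("level")} if m else None

def is_fips_image(image: str) -> bool:
    """Assumption: FIPS variants carry a '-fips' tag suffix, as in grype:6-fips."""
    return image.rsplit(":", 1)[-1].endswith("-fips")

def audit_log(lines):
    """Return (image, level) for every FIPS scan whose threshold is above UNKNOWN."""
    findings = []
    for line in lines:
        banner = parse_banner(line)
        if banner is None or banner["level"] not in SEVERITIES:
            continue
        if is_fips_image(banner["image"]) and SEVERITIES.index(banner["level"]) > 0:
            findings.append((banner["image"], banner["level"]))
    return findings

# Constructed sample log: the two lines quoted in the MR description plus one
# line showing what the FIPS scan is expected to print once the threshold is gone.
SAMPLE_LOG = [
    "Scanning container from registry registry.gitlab.com/security-products/container-scanning/grype:6-fips for vulnerabilities with severity level MEDIUM or higher, with gcs 6.6.0 and Trivy Version: 0.44.1, advisories updated at 2023-12-17T04:20:21+00:00",
    "[INFO] [2023-12-22 16:32:42 +0000] [container-scanning] > Scanning container from registry alpine:3.12.0 for vulnerabilities with severity level MEDIUM or higher, with gcs 6.6.0 and Trivy Version: 0.44.1, advisories updated at 2023-12-22T04:23:58+00:00",
    "Scanning container from registry registry.gitlab.com/security-products/container-scanning/grype:6-fips for vulnerabilities with severity level UNKNOWN or higher, with gcs 6.6.0 and Trivy Version: 0.44.1, advisories updated at 2023-12-17T04:20:21+00:00",
]

if __name__ == "__main__":
    for image, level in audit_log(SAMPLE_LOG):
        print(f"FIPS image {image} scanned at {level}: lower-severity findings were dropped")
```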
What are the relevant issue numbers?
Does this MR meet the acceptance criteria?
- Changelog trailer added
- Documentation created/updated for GitLab EE, if necessary
- Documentation created/updated for this project, if necessary
- Documentation reviewed by technical writer or follow-up review issue created
- Tests added for this feature/bug
- Job definition updated, if necessary
- Conforms to the code review guidelines
- Conforms to the Go guidelines
- Security reports checked/validated by reviewer