Commit 8b198935 authored by Lucas Charles, committed by Marcel Amirault

feat: Add SAST/SD template support for FIPS images

Adds support to SAST and SD templates
to use FIPS UBI images

Relates to https://gitlab.com/gitlab-org/gitlab/-/issues/355518 and https://gitlab.com/gitlab-org/gitlab/-/issues/355519

Changelog: added
parent 17429700
...@@ -46,6 +46,27 @@ GitLab IaC scanning supports a variety of IaC configuration files. Our IaC secur ...@@ -46,6 +46,27 @@ GitLab IaC scanning supports a variety of IaC configuration files. Our IaC secur
1. IaC scanning can analyze Azure Resource Manager templates in JSON format. If you write templates in the [Bicep](https://docs.microsoft.com/en-us/azure/azure-resource-manager/bicep/overview) language, you must use [the bicep CLI](https://docs.microsoft.com/en-us/azure/azure-resource-manager/bicep/bicep-cli) to convert your Bicep files into JSON before GitLab IaC scanning can analyze them. 1. IaC scanning can analyze Azure Resource Manager templates in JSON format. If you write templates in the [Bicep](https://docs.microsoft.com/en-us/azure/azure-resource-manager/bicep/overview) language, you must use [the bicep CLI](https://docs.microsoft.com/en-us/azure/azure-resource-manager/bicep/bicep-cli) to convert your Bicep files into JSON before GitLab IaC scanning can analyze them.
1. Terraform modules in a custom registry are not scanned for vulnerabilities. You can follow [this issue](https://gitlab.com/gitlab-org/gitlab/-/issues/357004) for the proposed feature. 1. Terraform modules in a custom registry are not scanned for vulnerabilities. You can follow [this issue](https://gitlab.com/gitlab-org/gitlab/-/issues/357004) for the proposed feature.
### Supported distributions
GitLab scanners are provided with a base alpine image for size and maintainability.
#### FIPS-enabled images
> [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/6479) in GitLab 14.10.
GitLab also offers [FIPS-enabled Red Hat UBI](https://www.redhat.com/en/blog/introducing-red-hat-universal-base-image)
versions of the images. You can therefore replace standard images with FIPS-enabled
images. To configure the images, set the `SAST_IMAGE_SUFFIX` to `-fips` or modify the
standard tag plus the `-fips` extension.
```yaml
variables:
SAST_IMAGE_SUFFIX: '-fips'
include:
- template: Security/SAST-IaC.latest.gitlab-ci.yml
```
### Making IaC analyzers available to all GitLab tiers ### Making IaC analyzers available to all GitLab tiers
All open source (OSS) analyzers are available with the GitLab Free tier. Future proprietary analyzers may be restricted to higher tiers. All open source (OSS) analyzers are available with the GitLab Free tier. Future proprietary analyzers may be restricted to higher tiers.
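Review bot: the sentence "set the `SAST_IMAGE_SUFFIX` to `-fips` or modify the standard tag plus the `-fips` extension" is hard to parse. The IaC template in this change appends the suffix to the image tag (`kics:$SAST_ANALYZER_IMAGE_TAG$SAST_IMAGE_SUFFIX`), so "set `SAST_IMAGE_SUFFIX` to `-fips`, or append `-fips` to the default image tag" states what actually happens. Also "alpine" should be "Alpine", matching the wording on the SAST and Secret Detection pages in this commit, and the three "Supported distributions" sentences should use the same phrasing.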
......
...@@ -132,6 +132,30 @@ The following analyzers have multi-project support: ...@@ -132,6 +132,30 @@ The following analyzers have multi-project support:
Multi-project support in the Security Code Scan requires a Solution (`.sln`) file in the root of Multi-project support in the Security Code Scan requires a Solution (`.sln`) file in the root of
the repository. For details on the Solution format, see the Microsoft reference [Solution (`.sln`) file](https://docs.microsoft.com/en-us/visualstudio/extensibility/internals/solution-dot-sln-file?view=vs-2019). the repository. For details on the Solution format, see the Microsoft reference [Solution (`.sln`) file](https://docs.microsoft.com/en-us/visualstudio/extensibility/internals/solution-dot-sln-file?view=vs-2019).
### Supported distributions
The default scanner images are build off a base Alpine image for size and maintainability.
#### FIPS-enabled images
> [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/6479) in GitLab 14.10.
GitLab offers [Red Hat UBI](https://www.redhat.com/en/blog/introducing-red-hat-universal-base-image)
versions of the images that are FIPS-enabled. To use the FIPS-enabled images, you can either:
- Set the `SAST_IMAGE_SUFFIX` to `-fips`.
- Add the `-fips` extension to the default image name.
For example:
```yaml
variables:
SAST_IMAGE_SUFFIX: '-fips'
include:
- template: Security/SAST.gitlab-ci.yml
```
### Making SAST analyzers available to all GitLab tiers ### Making SAST analyzers available to all GitLab tiers
All open source (OSS) analyzers have been moved to the GitLab Free tier as of GitLab 13.3. All open source (OSS) analyzers have been moved to the GitLab Free tier as of GitLab 13.3.
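Review bot: "build off a base Alpine image" should read "built from a base Alpine image". The second bullet, "Add the `-fips` extension to the default image name", is imprecise: the template appends the suffix to the tag (`semgrep:$SAST_ANALYZER_IMAGE_TAG$SAST_IMAGE_SUFFIX`), so "append `-fips` to the default image tag" would match the template. Consider also stating which analyzers have a FIPS-enabled image, because setting `SAST_IMAGE_SUFFIX` affects every job that appends it.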
......
...@@ -108,6 +108,30 @@ The results are saved as a ...@@ -108,6 +108,30 @@ The results are saved as a
that you can later download and analyze. Due to implementation limitations, we that you can later download and analyze. Due to implementation limitations, we
always take the latest Secret Detection artifact available. always take the latest Secret Detection artifact available.
### Supported distributions
The default scanner images are build off a base Alpine image for size and maintainability.
#### FIPS-enabled images
> [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/6479) in GitLab 14.10.
GitLab offers [Red Hat UBI](https://www.redhat.com/en/blog/introducing-red-hat-universal-base-image)
versions of the images that are FIPS-enabled. To use the FIPS-enabled images, you can either:
- Set the `SAST_IMAGE_SUFFIX` to `-fips`.
- Add the `-fips` extension to the default image name.
For example:
```yaml
variables:
SECRET_DETECTION_IMAGE_SUFFIX: '-fips'
include:
- template: Security/Secret-Detection.gitlab-ci.yml
```
### Enable Secret Detection via an automatic merge request ### Enable Secret Detection via an automatic merge request
> - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/4496) in GitLab 13.11, deployed behind a feature flag, enabled by default. > - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/4496) in GitLab 13.11, deployed behind a feature flag, enabled by default.
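Review bot: the first bullet tells the reader to set `SAST_IMAGE_SUFFIX`, but the example directly below it and the Secret-Detection template in this change use `SECRET_DETECTION_IMAGE_SUFFIX` (`secrets:$SECRETS_ANALYZER_VERSION$SECRET_DETECTION_IMAGE_SUFFIX`). A user who follows the bullet and sets `SAST_IMAGE_SUFFIX` will keep running the non-FIPS secrets image. Change the bullet to `SECRET_DETECTION_IMAGE_SUFFIX`. The same "build off" typo as on the SAST page should become "built from".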
......
...@@ -161,7 +161,7 @@ RSpec.describe Gitlab::Ci::Config::SecurityOrchestrationPolicies::Processor do ...@@ -161,7 +161,7 @@ RSpec.describe Gitlab::Ci::Config::SecurityOrchestrationPolicies::Processor do
'secret-detection-0': hash_including( 'secret-detection-0': hash_including(
rules: [{ if: '$SECRET_DETECTION_DISABLED', when: 'never' }, { if: '$CI_COMMIT_BRANCH' }], rules: [{ if: '$SECRET_DETECTION_DISABLED', when: 'never' }, { if: '$CI_COMMIT_BRANCH' }],
stage: 'test', stage: 'test',
image: '$SECURE_ANALYZERS_PREFIX/secrets:$SECRETS_ANALYZER_VERSION', image: '$SECURE_ANALYZERS_PREFIX/secrets:$SECRETS_ANALYZER_VERSION$SECRET_DETECTION_IMAGE_SUFFIX',
services: [], services: [],
allow_failure: true, allow_failure: true,
artifacts: { artifacts: {
...@@ -173,6 +173,7 @@ RSpec.describe Gitlab::Ci::Config::SecurityOrchestrationPolicies::Processor do ...@@ -173,6 +173,7 @@ RSpec.describe Gitlab::Ci::Config::SecurityOrchestrationPolicies::Processor do
GIT_DEPTH: '50', GIT_DEPTH: '50',
SECURE_ANALYZERS_PREFIX: secure_analyzers_prefix, SECURE_ANALYZERS_PREFIX: secure_analyzers_prefix,
SECRETS_ANALYZER_VERSION: '3', SECRETS_ANALYZER_VERSION: '3',
SECRET_DETECTION_IMAGE_SUFFIX: '',
SECRET_DETECTION_EXCLUDED_PATHS: '', SECRET_DETECTION_EXCLUDED_PATHS: '',
SECRET_DETECTION_HISTORIC_SCAN: 'false' SECRET_DETECTION_HISTORIC_SCAN: 'false'
}) })
......
...@@ -32,7 +32,7 @@ RSpec.describe Security::SecurityOrchestrationPolicies::CiConfigurationService d ...@@ -32,7 +32,7 @@ RSpec.describe Security::SecurityOrchestrationPolicies::CiConfigurationService d
expected_configuration = { expected_configuration = {
rules: [{ if: '$SECRET_DETECTION_DISABLED', when: 'never' }, { if: '$CI_COMMIT_BRANCH' }], rules: [{ if: '$SECRET_DETECTION_DISABLED', when: 'never' }, { if: '$CI_COMMIT_BRANCH' }],
stage: 'test', stage: 'test',
image: '$SECURE_ANALYZERS_PREFIX/secrets:$SECRETS_ANALYZER_VERSION', image: '$SECURE_ANALYZERS_PREFIX/secrets:$SECRETS_ANALYZER_VERSION$SECRET_DETECTION_IMAGE_SUFFIX',
services: [], services: [],
allow_failure: true, allow_failure: true,
artifacts: { artifacts: {
...@@ -44,6 +44,7 @@ RSpec.describe Security::SecurityOrchestrationPolicies::CiConfigurationService d ...@@ -44,6 +44,7 @@ RSpec.describe Security::SecurityOrchestrationPolicies::CiConfigurationService d
GIT_DEPTH: '50', GIT_DEPTH: '50',
SECURE_ANALYZERS_PREFIX: secure_analyzers_prefix, SECURE_ANALYZERS_PREFIX: secure_analyzers_prefix,
SECRETS_ANALYZER_VERSION: '3', SECRETS_ANALYZER_VERSION: '3',
SECRET_DETECTION_IMAGE_SUFFIX: '',
SECRET_DETECTION_EXCLUDED_PATHS: '', SECRET_DETECTION_EXCLUDED_PATHS: '',
SECRET_DETECTION_HISTORIC_SCAN: 'false' SECRET_DETECTION_HISTORIC_SCAN: 'false'
} }
......
# Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/iac_scanning/
#
# Configure SAST with CI/CD variables (https://docs.gitlab.com/ee/ci/variables/index.html).
# List of available variables: https://docs.gitlab.com/ee/user/application_security/iac_scanning/index.html
variables: variables:
# Setting this variable will affect all Security templates # Setting this variable will affect all Security templates
# (SAST, Dependency Scanning, ...) # (SAST, Dependency Scanning, ...)
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products" SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
SAST_IMAGE_SUFFIX: ""
SAST_EXCLUDED_PATHS: "spec, test, tests, tmp" SAST_EXCLUDED_PATHS: "spec, test, tests, tmp"
iac-sast: iac-sast:
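Review bot: `SAST_IMAGE_SUFFIX: ""` is added without a comment, while the neighbouring `SECURE_ANALYZERS_PREFIX` carries one. Since the header of this template points users to it as the variable reference, a one-line comment such as `# Set to "-fips" to use the FIPS-enabled UBI images` would make the accepted value discoverable without leaving the file.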
...@@ -25,7 +32,7 @@ kics-iac-sast: ...@@ -25,7 +32,7 @@ kics-iac-sast:
name: "$SAST_ANALYZER_IMAGE" name: "$SAST_ANALYZER_IMAGE"
variables: variables:
SAST_ANALYZER_IMAGE_TAG: 1 SAST_ANALYZER_IMAGE_TAG: 1
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/kics:$SAST_ANALYZER_IMAGE_TAG" SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/kics:$SAST_ANALYZER_IMAGE_TAG$SAST_IMAGE_SUFFIX"
rules: rules:
- if: $SAST_DISABLED - if: $SAST_DISABLED
when: never when: never
......
...@@ -7,6 +7,7 @@ variables: ...@@ -7,6 +7,7 @@ variables:
# Setting this variable will affect all Security templates # Setting this variable will affect all Security templates
# (SAST, Dependency Scanning, ...) # (SAST, Dependency Scanning, ...)
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products" SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
SAST_IMAGE_SUFFIX: ""
SAST_EXCLUDED_ANALYZERS: "" SAST_EXCLUDED_ANALYZERS: ""
SAST_EXCLUDED_PATHS: "spec, test, tests, tmp" SAST_EXCLUDED_PATHS: "spec, test, tests, tmp"
...@@ -251,7 +252,7 @@ semgrep-sast: ...@@ -251,7 +252,7 @@ semgrep-sast:
name: "$SAST_ANALYZER_IMAGE" name: "$SAST_ANALYZER_IMAGE"
variables: variables:
SAST_ANALYZER_IMAGE_TAG: 2 SAST_ANALYZER_IMAGE_TAG: 2
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/semgrep:$SAST_ANALYZER_IMAGE_TAG" SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/semgrep:$SAST_ANALYZER_IMAGE_TAG$SAST_IMAGE_SUFFIX"
rules: rules:
- if: $SAST_DISABLED - if: $SAST_DISABLED
when: never when: never
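Review bot: in the visible hunks of `SAST.gitlab-ci.yml` only `semgrep-sast` appends `$SAST_IMAGE_SUFFIX` to its image. If the other analyzer jobs in this template are not changed the same way, a user who sets `SAST_IMAGE_SUFFIX: '-fips'` as the docs in this commit instruct will get a FIPS image for semgrep only, with no warning for the rest. Either append the suffix to every analyzer that has a FIPS build, or document which jobs honour the variable.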
......
...@@ -6,12 +6,14 @@ ...@@ -6,12 +6,14 @@
variables: variables:
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products" SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
SECRET_DETECTION_IMAGE_SUFFIX: ""
SECRETS_ANALYZER_VERSION: "3" SECRETS_ANALYZER_VERSION: "3"
SECRET_DETECTION_EXCLUDED_PATHS: "" SECRET_DETECTION_EXCLUDED_PATHS: ""
.secret-analyzer: .secret-analyzer:
stage: test stage: test
image: "$SECURE_ANALYZERS_PREFIX/secrets:$SECRETS_ANALYZER_VERSION" image: "$SECURE_ANALYZERS_PREFIX/secrets:$SECRETS_ANALYZER_VERSION$SECRET_DETECTION_IMAGE_SUFFIX"
services: [] services: []
allow_failure: true allow_failure: true
variables: variables:
......