Commit bc203d05 authored by Pavel Shutsin

Merge branch '358742-update-security-policy-to-include-support-for-fips-mode' into 'master'

Update Security Policy to use FIPS images when FIPS Mode is enabled

See merge request gitlab-org/gitlab!85150
parents 59d437f4 e16c90f7
...@@ -45,6 +45,23 @@ module Security ...@@ -45,6 +45,23 @@ module Security
ci_configuration[template.to_sym] ci_configuration[template.to_sym]
.deep_merge(variables: ci_configuration[:variables].deep_merge(ci_variables).compact) .deep_merge(variables: ci_configuration[:variables].deep_merge(ci_variables).compact)
.except(:rules) .except(:rules)
.merge(fips_mode_default_rules(template))
end
def fips_mode_default_rules(template)
return {} if template != 'container_scanning'
{
rules: [
{
if: '$CI_GITLAB_FIPS_MODE == "true" && $CS_ANALYZER_IMAGE !~ /-(fips|ubi)\z/',
variables: { CS_IMAGE_SUFFIX: '-fips' }
},
{
when: 'always'
}
]
}
end end
def child_pipeline_configuration(template, ci_variables) def child_pipeline_configuration(template, ci_variables)
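Review bot: In `fips_mode_default_rules`, the FIPS rule carries no `when`, so a pipeline that matches it gets the rules default (`on_success`), while every other pipeline falls through to `when: 'always'`. If the policy-enforced scan is meant to run even when earlier jobs fail, that guarantee appears to be lost exactly when FIPS mode is on; adding `when: 'always'` alongside `variables: { CS_IMAGE_SUFFIX: '-fips' }` would keep both paths identical. A short comment above the method would also help, stating that the template's own rules are dropped by `.except(:rules)` and only this rule set is re-added for `container_scanning`. The method that calls `.merge(fips_mode_default_rules(template))` starts above the hunk, so how `template` is typed (String vs Symbol, given the `template.to_sym` lookup) could not be checked against the `!= 'container_scanning'` comparison.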
......
...@@ -104,7 +104,16 @@ RSpec.describe Security::SecurityOrchestrationPolicies::CiConfigurationService d ...@@ -104,7 +104,16 @@ RSpec.describe Security::SecurityOrchestrationPolicies::CiConfigurationService d
variables: { variables: {
CS_ANALYZER_IMAGE: "#{Gitlab::Saas.registry_prefix}/security-products/container-scanning:4", CS_ANALYZER_IMAGE: "#{Gitlab::Saas.registry_prefix}/security-products/container-scanning:4",
GIT_STRATEGY: 'none' GIT_STRATEGY: 'none'
},
rules: [
{
if: '$CI_GITLAB_FIPS_MODE == "true" && $CS_ANALYZER_IMAGE !~ /-(fips|ubi)\z/',
variables: { CS_IMAGE_SUFFIX: '-fips' }
},
{
when: 'always'
} }
]
} }
expect(subject.deep_symbolize_keys).to eq(expected_configuration) expect(subject.deep_symbolize_keys).to eq(expected_configuration)
......