Update Security Policy to use FIPS images when FIPS Mode is enabled

Changelog: added
EE: true
parent 855a4095
......@@ -45,6 +45,23 @@ module Security
ci_configuration[template.to_sym]
.deep_merge(variables: ci_configuration[:variables].deep_merge(ci_variables).compact)
.except(:rules)
.merge(fips_mode_default_rules(template))
end
def fips_mode_default_rules(template)
return {} if template != 'container_scanning'
{
rules: [
{
if: '$CI_GITLAB_FIPS_MODE == "true" && $CS_ANALYZER_IMAGE !~ /-(fips|ubi)\z/',
variables: { CS_IMAGE_SUFFIX: '-fips' }
},
{
when: 'always'
}
]
}
end
def child_pipeline_configuration(template, ci_variables)
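Review bot: The two rules in `fips_mode_default_rules` do not state the same `when`: the FIPS rule has none, so it falls back to the rules default (`on_success`, as far as I know), while the catch-all uses `when: 'always'`, so the container_scanning job would be scheduled differently on FIPS and non-FIPS instances. Because `.except(:rules)` just above drops the template's own rules, it would be clearer to set the intended value on both, e.g. add `when: 'always'` next to `variables: { CS_IMAGE_SUFFIX: '-fips' }`. Separately, `template != 'container_scanning'` is a string comparison while the line above calls `template.to_sym`; if any caller passes a symbol, the guard returns `{}` and the FIPS suffix is silently skipped, so `return {} if template.to_s != 'container_scanning'` would fail safer. The enclosing method starts above the hunk, so the callers are not visible here.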
......
......@@ -104,7 +104,16 @@ RSpec.describe Security::SecurityOrchestrationPolicies::CiConfigurationService d
variables: {
CS_ANALYZER_IMAGE: "#{Gitlab::Saas.registry_prefix}/security-products/container-scanning:4",
GIT_STRATEGY: 'none'
},
rules: [
{
if: '$CI_GITLAB_FIPS_MODE == "true" && $CS_ANALYZER_IMAGE !~ /-(fips|ubi)\z/',
variables: { CS_IMAGE_SUFFIX: '-fips' }
},
{
when: 'always'
}
]
}
expect(subject.deep_symbolize_keys).to eq(expected_configuration)
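Review bot: The updated expectation only covers the `container_scanning` template; nothing in this hunk exercises the `return {}` branch, so a regression that attaches the FIPS rules to other scan templates would not be caught. An example for another template asserting that the result carries no rules would pin that, e.g. `expect(subject.deep_symbolize_keys).not_to have_key(:rules)`. The surrounding example starts above the hunk, so such a case may already exist elsewhere in the spec.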
......