gitlab.com/gitlab-org/gitlab-foss.git
Diffstat (limited to 'doc/development/fips_compliance.md')
-rw-r--r-- doc/development/fips_compliance.md | 91
1 files changed, 20 insertions, 71 deletions
diff --git a/doc/development/fips_compliance.md b/doc/development/fips_compliance.md
index 147ff5fa6e9..830a8e3cd2a 100644
--- a/doc/development/fips_compliance.md
+++ b/doc/development/fips_compliance.md
@@ -59,17 +59,15 @@ listed here that also do not work properly in FIPS mode:
- [Container Scanning](../user/application_security/container_scanning/index.md) support for scanning images in repositories that require authentication.
- [Code Quality](../ci/testing/code_quality.md) does not support operating in FIPS-compliant mode.
- [Dependency scanning](../user/application_security/dependency_scanning/index.md) support for Gradle.
-- [Dynamic Application Security Testing (DAST)](../user/application_security/dast/index.md)
- does not support operating in FIPS-compliant mode.
+- [Dynamic Application Security Testing (DAST)](../user/application_security/dast/index.md) supports a reduced set of analyzers. Browser-based and proxy-based analyzers are not available in FIPS mode today, however DAST API and DAST API Fuzzing images are available.
- [License compliance](../user/compliance/license_compliance/index.md).
- [Solutions for vulnerabilities](../user/application_security/vulnerabilities/index.md#resolve-a-vulnerability)
for yarn projects.
- [Static Application Security Testing (SAST)](../user/application_security/sast/index.md)
supports a reduced set of [analyzers](../user/application_security/sast/index.md#fips-enabled-images)
when operating in FIPS-compliant mode.
-- Advanced Search is currently not included in FIPS mode. It must not be enabled to be FIPS-compliant.
+- Advanced search is currently not included in FIPS mode. It must not be enabled to be FIPS-compliant.
- [Gravatar or Libravatar-based profile images](../administration/libravatar.md) are not FIPS-compliant.
-- [Personal Access Tokens](../user/profile/personal_access_tokens.md) are not available for use or creation.
Additionally, these package repositories are disabled in FIPS mode:
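Review bot: the new DAST bullet is a comma splice ("... are not available in FIPS mode today, however DAST API and DAST API Fuzzing images are available."); split it into two sentences or join them with a semicolon or "but", and drop the time-relative "today" (it goes stale as soon as those analyzers ship; the same applies to "currently" in the Advanced search bullet). Separately, this hunk silently deletes "[Personal Access Tokens](../user/profile/personal_access_tokens.md) are not available for use or creation." from the list of features that do not work in FIPS mode. Administrators use this list to decide what to disable before turning FIPS mode on, so if PATs now work in FIPS mode the page (or at least the commit message) should say so, and if they still do not, the bullet should stay.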
@@ -275,104 +273,55 @@ all:
gitlab_charts_custom_config_file: '/path/to/gitlab-environment-toolkit/ansible/environments/gitlab-10k/inventory/charts.yml'
```
-Now create `charts.yml` in the location specified above and specify tags with a `-fips` suffix. For example:
+Now create `charts.yml` in the location specified above and specify tags with a `-fips` suffix.
-```yaml
-global:
- image:
- pullPolicy: Always
- certificates:
- image:
- tag: master-fips
- kubectl:
- image:
- tag: master-fips
-
-gitlab:
- gitaly:
- image:
- tag: master-fips
- gitlab-exporter:
- image:
- tag: master-fips
- gitlab-shell:
- image:
- tag: main-fips # The default branch is main, not master
- gitlab-mailroom:
- image:
- tag: master-fips
- gitlab-pages:
- image:
- tag: master-fips
- migrations:
- image:
- tag: master-fips
- sidekiq:
- image:
- tag: master-fips
- toolbox:
- image:
- tag: master-fips
- webservice:
- image:
- tag: master-fips
- workhorse:
- tag: master-fips
-
-nginx-ingress:
- controller:
- image:
- repository: registry.gitlab.com/gitlab-org/cloud-native/charts/gitlab-ingress-nginx/controller
- tag: v1.2.1-fips
- pullPolicy: Always
- digest: sha256:c4222b7ab3836b9be2a7649cff4b2e6ead34286dfdf3a7b04eb34fdd3abb0334
-```
-
-The above example shows a FIPS-enabled [`nginx-ingress`](https://github.com/kubernetes/ingress-nginx) image.
-See our [Charts documentation on FIPS](https://docs.gitlab.com/charts/advanced/fips/index.html) for more details.
+See our [Charts documentation on FIPS](https://docs.gitlab.com/charts/advanced/fips/index.html) for more details, including
+an [example values file](https://gitlab.com/gitlab-org/charts/gitlab/blob/master/examples/fips/values.yaml) as a reference.
You can also use release tags, but the versioning is tricky because each
component may use its own versioning scheme. For example, for GitLab v15.2:
```yaml
global:
+ image:
+ tagSuffix: -fips
certificates:
image:
- tag: 20211220-r0-fips
+ tag: 20211220-r0
kubectl:
image:
- tag: 1.18.20-fips
+ tag: 1.18.20
gitlab:
gitaly:
image:
- tag: v15.2.0-fips
+ tag: v15.2.0
gitlab-exporter:
image:
- tag: 11.17.1-fips
+ tag: 11.17.1
gitlab-shell:
image:
- tag: v14.9.0-fips
+ tag: v14.9.0
gitlab-mailroom:
image:
- tag: v15.2.0-fips
+ tag: v15.2.0
gitlab-pages:
image:
- tag: v1.61.0-fips
+ tag: v1.61.0
migrations:
image:
- tag: v15.2.0-fips
+ tag: v15.2.0
sidekiq:
image:
- tag: v15.2.0-fips
+ tag: v15.2.0
toolbox:
image:
- tag: v15.2.0-fips
+ tag: v15.2.0
webservice:
image:
- tag: v15.2.0-fips
+ tag: v15.2.0
workhorse:
- tag: v15.2.0-fips
+ tag: v15.2.0
```
## FIPS Performance Benchmarking
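Review bot: the lead sentence still says "specify tags with a `-fips` suffix", but after this change the only example left on the page sets `global.image.tagSuffix: -fips` and uses plain release tags (`v15.2.0`, `1.18.20`, `20211220-r0`), so the text and the example now disagree; reword it along the lines of "set `global.image.tagSuffix: -fips` so that every component image resolves to its FIPS variant". The removed block was also the only place that showed the FIPS `nginx-ingress` controller override (`repository: registry.gitlab.com/gitlab-org/cloud-native/charts/gitlab-ingress-nginx/controller`, `tag: v1.2.1-fips`, pinned with `digest: sha256:...`); the remaining example has no `nginx-ingress` section, so either confirm that `tagSuffix` also covers the ingress controller image or keep a minimal override, and keep the digest pin, since a tag suffix alone does not pin an image. Minor: the new values-file link omits the `/-/` path segment (`.../charts/gitlab/blob/master/...`); `.../charts/gitlab/-/blob/master/examples/fips/values.yaml` is the canonical form and avoids depending on the legacy redirect.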
@@ -496,7 +445,7 @@ irb(main):001:0> require 'openssl'; OpenSSL.fips_mode
### Go
-Google maintains a [`dev.boringcrypto` branch](https://github.com/golang/go/tree/dev.boringcrypto) in the Golang compiler
+Google maintains a [`dev.boringcrypto` branch](https://github.com/golang/go/tree/dev.boringcrypto) in the Go compiler
that makes it possible to statically link BoringSSL, a FIPS-validated module forked from OpenSSL.
However, BoringSSL is not intended for public use.
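Review bot: "Go compiler" is the correct name (the language is Go; "Golang" is only the domain and search term), so no objection to this hunk. For consistency, check the rest of the page for other occurrences of "Golang" and fix them in the same commit rather than one at a time.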