Type: New Feature
Affects Version/s: None
Fix Version/s: 8.5
The US Department of Defense (DoD) maintains a repository of images [https://software.af.mil/dsop/services/] that are accredited for use by DoD customers.
The DoD wants all approved containers to be based on approved & hardened base images as well as for the top software layers to undergo a thorough security scan. Software based on non-compliant base images or with outstanding vulnerabilities that have not been addressed or justified will not be approved for use by DoD customers.
We decided to fully align with a process for making SonarQube images available within this repo.
- Adopting DoD-compliant security scanning practices as part of our own release hardening will allow us to detect vulnerabilities in our own software and its dependencies that we were otherwise only learning of reactively.
- Software that has gone through the approval process will not require customers to complete STIGs in order to run it. STIG requests from US Government customers represent a not-insignificant volume of Community threads and commercial support tickets.
- The official repo for DoD-approved images is here: https://ironbank.dsop.io/
- There is a publicly-available GitLab instance used to store the source for images at https://dccscr.dsop.io/dsop
- A SonarQube project area already exists. This was formerly maintained by contractors working for the DoD but should be taken over by SonarSource: https://dccscr.dsop.io/dsop/sonarsource/sonarqube
- A repository of documents describing the overall DoD approach to DevSecOps and containerization is here: https://software.af.mil/dsop/documents/
- The onboarding guide for vendors looking to become Iron Bank contributors is here: https://repo1.dsop.io/dsop/dccscr/-/blob/master/contributor-onboarding/README.md
We want to provide and support official images for all the SonarQube editions we already offer on DockerHub: SonarQube CE, DE, EE.
The current structure provided by the DoD has already been confirmed to be functional from a technical point of view.
The majority of the changes that need to happen are process related, especially how we react to vulnerabilities that the DoD finds in our software.
Take ownership of the repositories provided by the DoD
The SonarQube repositories were originally created by RedHat contractors who no longer work for the DoD. They have since been adopted by internal DoD teams and should now fall under our responsibility as the vendor.
For the most part, no adaptations are needed apart from:
- The Docker healthcheck
  - Should be synced with what we have in the docker-healthcheck library
- The scripts folder needs to be kept up to date with our docker repository
  - Implement a sync mechanism for vendor scripts using kpt and renovate
Create a new repository for the DE in the same GitLab space as the other ones
- Follow the DoD's spec on this one
- There is information about an internal DoD project covering the DE, but to fully deliver we should create a new repository that is under our ownership