Commit 35a34fdd authored by Clement Bois

Merge branch 'ard-additional-dependencies' into 'master'

record decision about additional dependencies

See merge request to-be-continuous/doc!73
parents 793dce4f 0e8b098b
+9 −8
@@ -37,14 +37,15 @@ By default, _to be continuous_ templates mostly use the `latest` tag from upstre

_to be continuous_ is not responsible of any possible security issue from a default container image.

You should either :

- use a fixed version tag : using the `maven:3.9.1` instead of `maven:latest` make sure you stay on a specific version of tools 
    - prefer official image with the least tools (prefer minimal size, Alpine distribution or even distro-less if you can find one suited to your needs), the more the image has, heavier is the risk
- build and maintain your own image with a chosen version for each tools
    - use no or a minimal distribution
    - upgrade tools and important components regularly with safe updates
    - root-less image are best to prevent some container escalation vulnerabilities against your runner provider
To mitigate the risks of using `latest` images, you should always use a fixed version tag (`maven:3.9.1` instead of `maven:latest`) or build your own image.

#### Additional dependencies

However, the direct counterpart of using official images is that many default image do not ship all the required tools used by the template (think about `git` and `curl` utilities). For this reason, many templates check the presence of these additional dependencies and install them on the fly (see `maybe_install_pkg` function).

This is a good practice to avoid bloating the image with unnecessary tools, but it also means that you are trusting the upstream repositories of your distribution (i.e. Debian, Alpine, etc.) to not be compromised and requiring network access to download packages.

Every project is encouraged to maintain his own Docker image in order to fit to their needs, avoid extraneous downloading for additional dependencies and simplify the work of security team (it's easy to scan a Docker image). While doing so, we recommend to use a minimal distribution and root-less images to prevent some container escalation vulnerabilities against your runner provider.

> [!tip]
> Whenever building your own image or using an upstream image, you can use [Renovate](https://docs.renovatebot.com/) to watch updates for your tools, test the new version and integrate them seamlessly.
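Review bot: the replacement sentence "To mitigate the risks of using `latest` images, you should always use a fixed version tag (`maven:3.9.1` instead of `maven:latest`) or build your own image" promises more than a version tag delivers: a tag can be re-pushed by the upstream publisher, so it fixes the tool version you intend but not the image content; consider adding that pinning by digest (`image@sha256:...`) is what makes the job image immutable, with Renovate (already mentioned in the tip) keeping the digest current. In the "Additional dependencies" paragraphs, "install them on the fly (see `maybe_install_pkg` function)" names the function without saying where it is defined; a link to its definition would let readers audit what gets installed, and the following paragraph could state the consequence the security team will ask about: packages installed at job time are not pinned, so two runs of the same pipeline need not get the same tool versions, which is the reproducibility argument for building your own image that the paragraph after it makes only implicitly. Minor grammar in the added lines: "many default image do not ship" should read "many default images do not ship", "the direct counterpart of using official images" reads better as "the flip side of using official images", "maintain his own Docker image in order to fit to their needs" should be "maintain its own Docker image in order to fit its needs", and "simplify the work of security team" needs "the security team".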