Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
GitLab / Incubation Engineering / 16 May 2022
GitLab / Incubation Engineering / 16 May 2022
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Incubation Engineering AI Assist - Weekly Demo 16-05-2022

Description

Issue: https://gitlab.com/gitlab-org/incubation-engineering/ai-assist/meta/-/issues/7

A

Hello and welcome back to another update of ai assist.

A

Last week I worked on the parser. I basically finished the parser, including a lot of tests that should cover every case possible, but maybe I missed something and that's also what's coming up this week this week, I'm going to get probably 20 docker files from the most popular docker images run the parser against this and manually verify that they work.

A

If that is all fine, hopefully maybe there are some edge cases that I still need to incorporate. I can move on to gathering a whole lot more documents, I'm probably going to use the github api for it as it's easy to search for dockerfiles.

A

If something is available in gitlab, please let me know.

A

I also thought about using docker hub to get images, but that makes it a whole lot more complicated because you could download the image and then reverse engineer the dockerfile, but it's an extra dependency.

A

I think it's going to be easier to just use plain text from uh the other thing that I worked on was the analyzer, so I basically created three rules that I wanted to begin with um for validating a secure docker file, the first one is to validate that no credentials are being copied over, so it just looks for these type of files. Currently it's um static, so it just takes a look at if these files are being copied not if they are actually present.

A

So if you do a copy dot to some directory, then this will obviously fail. That would be the next step to actually parse which files are actually going to be copied. The second one is to prevent build arguments leaking sensitive information. If you use a build arc like an api token that will get stored in the docker image, so that's something that you don't want and the last one is to verify that the last use is not root.

A

um I looked at hudderlin to find more obvious rules. I didn't find them that quickly and I figured this is fine for now, once we have the data from dockerfiles, we can find out what is actually leading to insecure, docker images.

A

This week I also have a off-site with incubation engineering department in amsterdam which I'm looking forward to, but it's also going to be three days so that will bite into my productivity for this week. I hope this week to have finished the manual checking of the dockerfiles.

A

Let's see how it goes I'll be back on friday with another update. Thank you. Bye.