aquasecurity / trivy

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
https://aquasecurity.github.io/trivy
Apache License 2.0
23.3k stars 2.3k forks

FIPS-140-2 Compliance #2542

Closed mparuszewski closed 1 year ago

mparuszewski commented 2 years ago

Background:

FIPS 140-2 is a U.S. government computer security standard used to approve cryptographic modules. Recently we see increased interest in developing and using FIPS-compliant software. It is especially needed when working with the U.S. government or other regulated industries.

What would you like to be added:

It would be great to see a build of trivy that is FIPS-compliant.

To make sure trivy is FIPS-compliant, we need to build it with Go with crypto libraries that are FIPS-compliant. In the industry, the BoringSSL fork of Go is used to create FIPS-compliant builds, i.e. RKE2, Contour, Konvoy, etc., so we could go with this path or investigate other approaches.

Challenges:

  1. We need to compile trivy using Go with FIPS-compliant crypto libraries. As we are using Goreleaser to build trivy and Goreleaser does not allow specifying a custom build environment, the main problem is then to use Goreleaser in a Docker container with FIPS-compliant crypto libraries. Alternatively, we could provide another approach to building a FIPS-compliant binary, like in Contour.

Additional context:

There are multiple articles about the possibility of building Go apps that are FIPS-compliant. The main problem that we need to solve is that the app must use FIPS-verified cryptographic libraries. Unfortunately, native Go libraries are not FIPS-verified.

More information:

  1. https://kupczynski.info/posts/fips-golang/
  2. https://gokulchandrapr.medium.com/go-crypto-and-kubernetes-fips-140-2-fedramp-compliance-66d852ccccd2
  3. https://docs.gitlab.com/ee/development/fips_compliance.html#go
  4. https://github.com/microsoft/go-crypto-openssl
  5. https://developers.redhat.com/articles/2022/05/31/your-go-application-fips-compliant#how_to_get_started

github-actions[bot] commented 2 years ago

This issue is stale because it has been labeled with inactivity.

tspearconquest commented 1 year ago

Please remove the stale lifecycle; this is interesting for users who are in FedRAMP or undergoing FedRAMP certification.