When building a SaaS CI tool, what’s the most responsible way to clone users’ repositories to the web server to run checks? I see a few options:
1. Clone it to a /tmp folder directly on the server
Pros: Simple, straightforward.
Cons: Executing untrusted scripts inside your application; multiple users’ code is vulnerable.
2. Clone it within a Docker container
Pros: Untrusted code is [more] sandboxed and ephemeral; cannot read other users’ code.
Cons: Perhaps more difficult to manage resources, e.g. how much memory/storage is Docker using? Scaling is difficult, but similar to option 1. Can’t cache user code for repeated runs since it lives in an ephemeral Docker container.
3. Clone it in a Docker container within a Kubernetes pod
Pros: Same as 2, but scaling is more manageable since Kubernetes makes it easy.
Cons: Lots of overhead and setup.
Any thoughts or recommendations? How do you clone repos for GitHub Apps?
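
A sketch of option 2 with a per-job checkout and explicit resource caps, added here as an example and not part of the original post. The workspace root, image name, id format and limit values are assumptions; the clone is expected to happen on the host into the per-job directory, which is then mounted read-only into a container with no network.

```python
import re
from pathlib import Path

# Assumed values for illustration (none of these come from the post).
WORKSPACE_ROOT = Path("/srv/ci/workspaces")
RUNNER_IMAGE = "ci-runner:latest"  # hypothetical image holding the check tools
_ID = re.compile(r"[a-f0-9]{8,32}")  # assumed id format: lowercase hex


def job_workspace(tenant_id: str, job_id: str) -> Path:
    """Return the per-tenant, per-job checkout directory.

    Ids are validated so a crafted value such as '../other-tenant'
    cannot point the mount at another user's code.
    """
    for value in (tenant_id, job_id):
        if not _ID.fullmatch(value):
            raise ValueError(f"invalid id: {value!r}")
    return WORKSPACE_ROOT / tenant_id / job_id


def docker_run_argv(tenant_id, job_id, check_cmd,
                    memory="512m", cpus="1.0", pids=256):
    """Build the argv for one ephemeral, resource-capped check run."""
    src = job_workspace(tenant_id, job_id)
    return [
        "docker", "run", "--rm",                  # container removed after the run
        "--name", f"ci-{tenant_id}-{job_id}",
        "--network", "none",                      # checks get no network access
        "--memory", memory,
        "--memory-swap", memory,                  # same value as --memory: no swap
        "--cpus", cpus,
        "--pids-limit", str(pids),                # bounds fork bombs
        "--read-only",                            # root filesystem is read-only
        "--tmpfs", "/tmp:rw,noexec,nosuid,size=64m",  # capped scratch space
        "--cap-drop", "ALL",
        "--security-opt", "no-new-privileges",
        "--user", "65534:65534",                  # unprivileged uid:gid
        "--mount", f"type=bind,source={src},target=/src,readonly",
        "--workdir", "/src",
        RUNNER_IMAGE, *check_cmd,
    ]


if __name__ == "__main__":
    print(" ".join(docker_run_argv("deadbeef", "0123abcd", ["run-checks"])))
```

Because only the job's own directory is mounted, the checkout can stay on the host between runs for caching while each container remains ephemeral.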