Container Scanning for multiple images

I’ve successfully set up the Container Scanning feature from GitLab for a single Docker image. Now I’d like to scan yet another image using the same CI/CD configuration in .gitlab-ci.yml

Problem

It looks like it is not possible to have multiple Container Scanning reports on the Merge Request detail page.

The following screenshot shows the result of both Container Scanning jobs in the configuration below.

GitLab Container Scanning report

We scan two Docker images, which both have CVEs to be reported:

  1. iojs:1.6.3-slim (355 vulnerabilities)
  2. golang:1.3 (1139 vulnerabilities)

Expected result

The Container Scanning report would show a total of 1494 vulnerabilities (355 + 1139). Currently it looks like only the results for the golang image are being included.

Relevant parts of the configuration

container_scanning_first_image:
  script:
    - docker pull golang:1.3
    # "|| true" keeps the job green even when clair-scanner finds unapproved CVEs
    - ./clair-scanner -c http://docker:6060 --ip $(hostname -i) -r gl-container-scanning-report-first-image.json -l clair.log golang:1.3 || true
  artifacts:
    reports:
      # each job publishes its own container_scanning report artifact
      container_scanning: gl-container-scanning-report-first-image.json

container_scanning_second_image:
  script:
    - docker pull iojs:1.6.3-slim
    - ./clair-scanner -c http://docker:6060 --ip $(hostname -i) -r gl-container-scanning-report-second-image.json -l clair.log iojs:1.6.3-slim || true
  artifacts:
    reports:
      # a second, separately named container_scanning report artifact
      container_scanning: gl-container-scanning-report-second-image.json

Full configuration for reference

image: docker:stable

stages:
  - scan

variables:
  DOCKER_HOST: tcp://docker:2375/
  DOCKER_DRIVER: overlay2

container_scanning_first_image:
  stage: scan
  variables:
    GIT_STRATEGY: none
    DOCKER_SERVICE: docker
    DOCKER_HOST: tcp://${DOCKER_SERVICE}:2375/
    CLAIR_LOCAL_SCAN_VERSION: v2.0.8_fe9b059d930314b54c78f75afe265955faf4fdc1
    NO_PROXY: ${DOCKER_SERVICE},localhost
  allow_failure: true
  services:
    - docker:dind
  script:
    - docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY
    - docker run -d --name db arminc/clair-db:latest
    - docker run -p 6060:6060 --link db:postgres -d --name clair --restart on-failure arminc/clair-local-scan:${CLAIR_LOCAL_SCAN_VERSION}
    - apk add -U wget ca-certificates
    - docker pull golang:1.3 
    - wget https://github.com/arminc/clair-scanner/releases/download/v8/clair-scanner_linux_amd64
    - mv clair-scanner_linux_amd64 clair-scanner
    - chmod +x clair-scanner
    - touch clair-whitelist.yml
    - retries=0
    - echo "Waiting for clair daemon to start"
    - while( ! wget -T 10 -q -O /dev/null http://${DOCKER_SERVICE}:6060/v1/namespaces ) ; do sleep 1 ; echo -n "." ; if [ $retries -eq 10 ] ; then echo " Timeout, aborting." ; exit 1 ; fi ; retries=$(($retries+1)) ; done
    - ./clair-scanner -c http://${DOCKER_SERVICE}:6060 --ip $(hostname -i) -r gl-container-scanning-report-first-image.json -l clair.log golang:1.3 || true
  artifacts:
    paths:
      - gl-container-scanning-report-first-image.json
    reports:
      container_scanning: gl-container-scanning-report-first-image.json
  dependencies: []
  only:
    refs:
      - branches
    variables:
      - $GITLAB_FEATURES =~ /\bcontainer_scanning\b/
  except:
    variables:
      - $CONTAINER_SCANNING_DISABLED

container_scanning_second_image:
  stage: scan
  variables:
    GIT_STRATEGY: none
    DOCKER_SERVICE: docker
    DOCKER_HOST: tcp://${DOCKER_SERVICE}:2375/
    CLAIR_LOCAL_SCAN_VERSION: v2.0.8_fe9b059d930314b54c78f75afe265955faf4fdc1
    NO_PROXY: ${DOCKER_SERVICE},localhost
  allow_failure: true
  services:
    - docker:dind
  script:
    - docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY
    - docker run -d --name db arminc/clair-db:latest
    - docker run -p 6060:6060 --link db:postgres -d --name clair --restart on-failure arminc/clair-local-scan:${CLAIR_LOCAL_SCAN_VERSION}
    - apk add -U wget ca-certificates
    - docker pull iojs:1.6.3-slim
    - wget https://github.com/arminc/clair-scanner/releases/download/v8/clair-scanner_linux_amd64
    - mv clair-scanner_linux_amd64 clair-scanner
    - chmod +x clair-scanner
    - touch clair-whitelist.yml
    - retries=0
    - echo "Waiting for clair daemon to start"
    - while( ! wget -T 10 -q -O /dev/null http://${DOCKER_SERVICE}:6060/v1/namespaces ) ; do sleep 1 ; echo -n "." ; if [ $retries -eq 10 ] ; then echo " Timeout, aborting." ; exit 1 ; fi ; retries=$(($retries+1)) ; done
    - ./clair-scanner -c http://${DOCKER_SERVICE}:6060 --ip $(hostname -i) -r gl-container-scanning-report-second-image.json -l clair.log iojs:1.6.3-slim || true
  artifacts:
    paths:
      - gl-container-scanning-report-second-image.json
    reports:
      container_scanning: gl-container-scanning-report-second-image.json
  dependencies: []
  only:
    refs:
      - branches
    variables:
      - $GITLAB_FEATURES =~ /\bcontainer_scanning\b/
  except:
    variables:
      - $CONTAINER_SCANNING_DISABLED

Question

How should the GitLab Container Scanning feature be configured in order to be able to report the results of two Docker images?

I have asked the same question on Stack Overflow, before I realised this forum might result in a quicker response :) See docker - Container Scanning feature does not work for multiple images - Stack Overflow

Anyone who can help me with this?
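Since GitLab keeps only one container_scanning report per pipeline, the practical workaround is to produce the two clair-scanner JSON files as above and then merge them into a single gl-container-scanning-report.json that one job publishes under artifacts: reports: container_scanning. The script below is an added example, not code from the original post or from GitLab. It assumes the report layout clair-scanner wrote at the time (top-level "image", "unapproved" and "vulnerabilities" keys, with "featurename", "featureversion", "vulnerability", "namespace", "severity" and "fixedby" per finding); the sample reports and CVE ids embedded in it are constructed placeholders, not real findings for golang:1.3 or iojs:1.6.3-slim. Check the key names against a report from your own pipeline before relying on it.

```python
"""Merge several clair-scanner reports into one container scanning report."""
import json
import sys
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed sample input shaped like clair-scanner's JSON output (assumed
# layout).  The CVE ids and package names are placeholders, not real findings.
SAMPLE_REPORTS: List[dict] = [
    {
        "image": "golang:1.3",
        "unapproved": ["CVE-1900-0001", "CVE-1900-0002"],
        "vulnerabilities": [
            {"featurename": "libpkg-a", "featureversion": "1.0-1",
             "vulnerability": "CVE-1900-0001", "namespace": "debian:7",
             "severity": "High", "fixedby": "1.0-2"},
            {"featurename": "libpkg-b", "featureversion": "2.3-0",
             "vulnerability": "CVE-1900-0002", "namespace": "debian:7",
             "severity": "Medium", "fixedby": ""},
        ],
    },
    {
        "image": "iojs:1.6.3-slim",
        "unapproved": ["CVE-1900-0001", "CVE-1900-0003", "CVE-1900-0004"],
        "vulnerabilities": [
            # Same CVE and package as in the golang image: still a separate
            # finding, because it has to be fixed in each image independently.
            {"featurename": "libpkg-a", "featureversion": "1.0-1",
             "vulnerability": "CVE-1900-0001", "namespace": "debian:8",
             "severity": "High", "fixedby": "1.0-2"},
            {"featurename": "libpkg-c", "featureversion": "0.9",
             "vulnerability": "CVE-1900-0003", "namespace": "debian:8",
             "severity": "Low", "fixedby": ""},
            {"featurename": "libpkg-c", "featureversion": "0.9",
             "vulnerability": "CVE-1900-0004", "namespace": "debian:8",
             "severity": "Critical", "fixedby": "1.0"},
        ],
    },
]

Key = Tuple[str, str, str, str]


def finding_key(image: str, vuln: dict) -> Key:
    """Identity of one finding: the same CVE in the same package of two
    different images counts twice; the same line seen twice counts once."""
    return (image, vuln.get("vulnerability", ""), vuln.get("featurename", ""),
            vuln.get("featureversion", ""))


def merge_reports(reports: Iterable[dict]) -> dict:
    """Combine per-image reports into one report with the same layout.

    Each vulnerability is tagged with the image it was found in so the merged
    list still says where a CVE has to be fixed; "unapproved" becomes the union
    of the per-image lists so an existing clair-whitelist.yml keeps working.
    """
    seen: Dict[Key, dict] = {}
    unapproved = set()
    images: List[str] = []
    for report in reports:
        image = report.get("image", "")
        if image not in images:
            images.append(image)
        unapproved.update(report.get("unapproved", []))
        for vuln in report.get("vulnerabilities", []):
            key = finding_key(image, vuln)
            if key in seen:
                continue  # exact duplicate, e.g. the same report merged twice
            seen[key] = dict(vuln, image=image)
    return {
        "image": ", ".join(images),
        "unapproved": sorted(unapproved),
        "vulnerabilities": list(seen.values()),
    }


def count_by_severity(merged: dict) -> Dict[str, int]:
    """Totals per Clair severity, for a quick sanity check against the UI."""
    return dict(Counter(v.get("severity", "Unknown")
                        for v in merged["vulnerabilities"]))


def load_and_merge(paths: Iterable[str]) -> dict:
    """Read the per-image JSON files written by clair-scanner and merge them."""
    reports = []
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            reports.append(json.load(fh))
    return merge_reports(reports)


def main(argv: List[str]) -> int:
    # usage: merge_reports.py OUT.json IN1.json IN2.json ...
    if len(argv) < 3:
        sys.stderr.write("usage: merge_reports.py OUT.json IN.json [IN.json ...]\n")
        return 2
    merged = load_and_merge(argv[2:])
    with open(argv[1], "w", encoding="utf-8") as fh:
        json.dump(merged, fh, indent=2)
    print(f"{len(merged['vulnerabilities'])} findings: {count_by_severity(merged)}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

To wire this in, run both clair-scanner commands in one job (or collect the two JSON artifacts in a later stage), then call `python3 merge_reports.py gl-container-scanning-report.json gl-container-scanning-report-first-image.json gl-container-scanning-report-second-image.json` and publish only the merged file under reports: container_scanning. The docker:stable image used above is Alpine based and has no Python, so the merge step needs `apk add python3` or a separate job on a python image; that, and whether GitLab displays a comma-joined "image" field as-is, are assumptions of this example. The thread's replies point at GitLab issues for native multi-image support; this is a workaround until that lands.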

Hi Voles,

Thank you for bringing this up and apologies for the very late reply. We created an issue to tackle that. You can follow further discussions and progress here https://gitlab.com/gitlab-org/gitlab/issues/34330

Thank you @celdem for jumping into this conversation. It looks like https://gitlab.com/gitlab-org/gitlab/issues/34330 is actually about supporting multi-stage images. To allow for scanning multiple separate images we have https://gitlab.com/gitlab-org/gitlab/issues/6946.
