Container Scanning questions

We are an enterprise customer and are evaluating using container scanning in our MR’s. I have the container scanning stage working, but I don’t see the results of it in the merge request at all (even though the docs say we should). Also, even if i allow_failure:false, the stage still passes. We want MR’s to be blocked on a failed scan.

Any ideas?

Did you do it manually like https://docs.gitlab.com/ee/user/application_security/container_scanning/#manual-job-definition-for-gitlab-115-and-later or the Auto container scanning? Can you show your gitlab ci file?

Soo… I had to sign up for the forums with another account as for some reason my account was locked? I’ve only posted the message above, so I’d love to know why that came to be…

Anyway, in reply to your question, this is the container scanning stage:

container_scanning:
  stage: container_scan
  image: docker:stable
  allow_failure: false
  variables:
    ## Define two new variables based on GitLab's CI/CD predefined variables
    ## https://docs.gitlab.com/ee/ci/variables/README.html#predefined-environment-variables
    CI_APPLICATION_REPOSITORY: $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG
    CI_APPLICATION_TAG: $CI_COMMIT_SHA
    CLAIR_LOCAL_SCAN_VERSION: v2.0.8_fe9b059d930314b54c78f75afe265955faf4fdc1
  services:
    - docker:stable-dind
  script:
    - docker run -d --name db arminc/clair-db:latest
    - docker run -p 6060:6060 --link db:postgres -d --name clair --restart on-failure arminc/clair-local-scan:${CLAIR_LOCAL_SCAN_VERSION}
    - apk add -U wget ca-certificates
    - docker login -u gitlab-ci-token -p $GL_TOKEN gitlabserver:4567
    - docker pull ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG}
    - wget https://github.com/arminc/clair-scanner/releases/download/v8/clair-scanner_linux_amd64
    - mv clair-scanner_linux_amd64 clair-scanner
    - chmod +x clair-scanner
    - touch clair-whitelist.yml
    - while( ! wget -q -O /dev/null http://docker:6060/v1/namespaces ) ; do sleep 1 ; done
    - retries=0
    - echo "Waiting for clair daemon to start"
    - while( ! wget -T 10 -q -O /dev/null http://docker:6060/v1/namespaces ) ; do sleep 1 ; echo -n "." ; if [ $retries -eq 10 ] ; then echo " Timeout, aborting." ; exit 1 ; fi ; retries=$(($retries+1)) ; done
    - ./clair-scanner -c http://docker:6060 --ip $(hostname -i) -r gl-container-scanning-report.json -l clair.log -w clair-whitelist.yml ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG} || true
  artifacts:
    reports:
      container_scanning: gl-container-scanning-report.json
  only:
    refs:
    - merge_requests

ok, as long as you indeed run Gitlab enterprise 11.5 or later, I do not see a problem. (sorry I’m a bit late, I was on holidays).
Sorry, no clue here