Container Scanning questions

We are an enterprise customer and are evaluating using container scanning in our MRs. I have the container scanning stage working, but I don’t see the results of it in the merge request at all (even though the docs say we should). Also, even if I set allow_failure: false, the stage still passes. We want MRs to be blocked on a failed scan.

Any ideas?

Did you do it manually like https://docs.gitlab.com/ee/user/application_security/container_scanning/#manual-job-definition-for-gitlab-115-and-later or the Auto container scanning? Can you show your GitLab CI file?

Soo… I had to sign up for the forums with another account as for some reason my account was locked? I’ve only posted the message above, so I’d love to know why that came to be…

Anyway, in reply to your question, this is the container scanning stage:

container_scanning:
  stage: container_scan
  image: docker:stable
  allow_failure: false
  variables:
    ## Define two new variables based on GitLab's CI/CD predefined variables
    ## https://docs.gitlab.com/ee/ci/variables/README.html#predefined-environment-variables
    CI_APPLICATION_REPOSITORY: $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG
    CI_APPLICATION_TAG: $CI_COMMIT_SHA
    CLAIR_LOCAL_SCAN_VERSION: v2.0.8_fe9b059d930314b54c78f75afe265955faf4fdc1
  services:
    - docker:stable-dind
  script:
    - docker run -d --name db arminc/clair-db:latest
    - docker run -p 6060:6060 --link db:postgres -d --name clair --restart on-failure arminc/clair-local-scan:${CLAIR_LOCAL_SCAN_VERSION}
    - apk add -U wget ca-certificates
    - docker login -u gitlab-ci-token -p $GL_TOKEN gitlabserver:4567
    - docker pull ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG}
    - wget https://github.com/arminc/clair-scanner/releases/download/v8/clair-scanner_linux_amd64
    - mv clair-scanner_linux_amd64 clair-scanner
    - chmod +x clair-scanner
    - touch clair-whitelist.yml
    - while( ! wget -q -O /dev/null http://docker:6060/v1/namespaces ) ; do sleep 1 ; done
    - retries=0
    - echo "Waiting for clair daemon to start"
    - while( ! wget -T 10 -q -O /dev/null http://docker:6060/v1/namespaces ) ; do sleep 1 ; echo -n "." ; if [ $retries -eq 10 ] ; then echo " Timeout, aborting." ; exit 1 ; fi ; retries=$(($retries+1)) ; done
    - ./clair-scanner -c http://docker:6060 --ip $(hostname -i) -r gl-container-scanning-report.json -l clair.log -w clair-whitelist.yml ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG} || true
  artifacts:
    reports:
      container_scanning: gl-container-scanning-report.json
  only:
    refs:
    - merge_requests

OK, as long as you indeed run GitLab Enterprise 11.5 or later, I do not see a problem. (Sorry I’m a bit late, I was on holiday.)
Sorry, no clue here

stages:
  - build_local_docker_image
  - container_scan

build_local_docker_image:
  stage: build_local_docker_image
  image: docker:stable
  script:
    - echo $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA
    - docker login -u gitlab-ci-token -p $GL_TOKEN somerepo:4567
    - docker build --build-arg BUILD_VERSION=$version -t $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA .
    - docker push $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA

container_scanning:
  stage: container_scan
  image: docker:stable
  allow_failure: false
  variables:
    ## Define two new variables based on GitLab's CI/CD predefined variables
    ## https://docs.gitlab.com/ee/ci/variables/README.html#predefined-environment-variables
    CI_APPLICATION_REPOSITORY: $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG
    CI_APPLICATION_TAG: $CI_COMMIT_SHA
    CLAIR_LOCAL_SCAN_VERSION: v2.0.8_fe9b059d930314b54c78f75afe265955faf4fdc1
  services:
    - docker:stable-dind
  script:
    - docker run -d --name db arminc/clair-db:latest
    - docker run -p 6060:6060 --link db:postgres -d --name clair --restart on-failure arminc/clair-local-scan:${CLAIR_LOCAL_SCAN_VERSION}
    - apk add -U wget ca-certificates
    - docker login -u gitlab-ci-token -p $GL_TOKEN somerepo:4567
    - docker pull ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG}
    - wget https://github.com/arminc/clair-scanner/releases/download/v8/clair-scanner_linux_amd64
    - mv clair-scanner_linux_amd64 clair-scanner
    - chmod +x clair-scanner
    - touch clair-whitelist.yml
    - while( ! wget -q -O /dev/null http://docker:6060/v1/namespaces ) ; do sleep 1 ; done
    - retries=0
    - echo "Waiting for clair daemon to start"
    - while( ! wget -T 10 -q -O /dev/null http://docker:6060/v1/namespaces ) ; do sleep 1 ; echo -n "." ; if [ $retries -eq 10 ] ; then echo " Timeout, aborting." ; exit 1 ; fi ; retries=$(($retries+1)) ; done
    - ./clair-scanner -c http://docker:6060 --ip $(hostname -i) -r gl-container-scanning-report.json -l clair.log -w clair-whitelist.yml ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG} || true
  artifacts:
    reports:
      container_scanning: gl-container-scanning-report.json

variables:
  DOCKER_DRIVER: overlay2

before_script:
  - mkdir -p $HOME/.docker
  - echo "$DOCKER_AUTH_CONFIG" >> "$HOME/.docker/config.json"
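One thing worth noticing in the container_scanning job above: the clair-scanner line ends in `|| true`, which replaces whatever exit status the scanner returns with success. A job only fails when its script exits non-zero, so with that suffix in place allow_failure: false never has anything to act on, and the job passes whether or not the report contains findings. The script below is an added example (not GitLab's code, not clair-scanner's, and not from any post in this thread) of a gate step that could run after the scanner line and give the job an exit status that depends on the report. It assumes the report is JSON with a top-level `vulnerabilities` list whose entries carry a `severity` string and a `vulnerability` identifier, which is the layout clair-scanner writes with `-r`; the severity names and their order are Clair's. The sample report, the script name `scan_gate.py` and the CVE identifiers in it are constructed placeholders. It fails closed: a missing or unparseable report blocks the job rather than letting it through.

```python
#!/usr/bin/env python3
"""Fail a CI job based on a container scanning report.

Added example for this thread; not GitLab's code and not clair-scanner's.
Meant to run as the `script:` step after the scanner line so the job's
exit status reflects the findings instead of the `|| true` that follows
the scanner invocation.

Assumption: the report is JSON with a top-level "vulnerabilities" list
whose items carry a "severity" string and a "vulnerability" identifier,
as clair-scanner writes with -r. Severity names and order are Clair's.
"""
import json
import sys

# Clair's severity scale, least to most severe (assumed ordering).
SEVERITY_ORDER = ("Unknown", "Negligible", "Low", "Medium", "High", "Critical", "Defcon1")


def severity_rank(name):
    """Rank of a severity name. Unrecognised names rank above everything,
    so a malformed or newly introduced value cannot slip past the gate."""
    try:
        return SEVERITY_ORDER.index(name)
    except ValueError:
        return len(SEVERITY_ORDER)


def blocking_findings(report, threshold, whitelist=frozenset()):
    """Return findings at or above `threshold` whose id is not whitelisted.

    `report` is the parsed JSON object; `whitelist` holds vulnerability ids
    (the same ids one would list in clair-whitelist.yml) to ignore.
    """
    limit = severity_rank(threshold)
    found = []
    for item in report.get("vulnerabilities", []):
        if not isinstance(item, dict):
            continue
        if item.get("vulnerability") in whitelist:
            continue
        if severity_rank(item.get("severity", "Unknown")) >= limit:
            found.append(item)
    return found


def gate(report_text, threshold="High", whitelist=frozenset()):
    """Evaluate a report body and return (exit_code, findings).

    exit_code is 0 when nothing at or above `threshold` remains, 1 when
    blocking findings exist, and 2 when the report cannot be parsed
    (fail closed: an unreadable report must not let the job pass).
    """
    try:
        report = json.loads(report_text)
    except (TypeError, ValueError):
        return 2, []
    if not isinstance(report, dict):
        return 2, []
    findings = blocking_findings(report, threshold, whitelist)
    return (1 if findings else 0), findings


def main(argv):
    """CLI: scan_gate.py REPORT_PATH [THRESHOLD] [CVE-ID ...]"""
    if len(argv) < 2:
        print("usage: scan_gate.py REPORT_PATH [THRESHOLD] [CVE-ID ...]", file=sys.stderr)
        return 2
    threshold = argv[2] if len(argv) > 2 else "High"
    whitelist = frozenset(argv[3:])
    try:
        with open(argv[1], encoding="utf-8") as fh:
            text = fh.read()
    except OSError as exc:
        # A missing report (scanner never ran or crashed) must block the job.
        print(f"report unreadable, failing closed: {exc}", file=sys.stderr)
        return 2
    code, findings = gate(text, threshold, whitelist)
    for f in findings:
        print(f"{f.get('severity')}: {f.get('vulnerability')} in "
              f"{f.get('featurename')} {f.get('featureversion')}")
    print(f"{len(findings)} finding(s) at or above {threshold}")
    return code


# Constructed sample report in the assumed layout; the CVE ids are placeholders.
SAMPLE_REPORT = json.dumps({
    "image": "registry.example/app:deadbeef",
    "vulnerabilities": [
        {"vulnerability": "CVE-EXAMPLE-0001", "severity": "High",
         "featurename": "openssl", "featureversion": "1.1.1"},
        {"vulnerability": "CVE-EXAMPLE-0002", "severity": "Medium",
         "featurename": "curl", "featureversion": "7.64"},
        {"vulnerability": "CVE-EXAMPLE-0003", "severity": "Critical",
         "featurename": "glibc", "featureversion": "2.28"},
    ],
})


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In the job this would be one more `script:` line after the scanner, for instance `python3 scan_gate.py gl-container-scanning-report.json High CVE-EXAMPLE-0002`; the docker:stable image is Alpine-based, so `apk add python3` would have to join the existing `apk add` step. Keeping `|| true` on the scanner line is then harmless, since the report is still written and the gate step decides the job's exit status, and the `artifacts: reports:` entry still uploads the report for the merge request widget.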