Container scanning

Has anyone tried to use container scanning in the CI/CD pipeline and encountered this error with “gtcs scan”?

$ gtcs scan
bash: line 135: gtcs: command not found

Please share the configuration in .gitlab-ci.yml for container scanning, and the environment (self-managed/SaaS, which versions, etc.).

This error indicates that the gtcs command is not available.

gtcs is the command which the container_scanning job uses to perform container scanning by default.

greg@gitlab:[~]:) docker run -it registry.gitlab.com/security-products/container-scanning:6 which gtcs
/usr/local/bundle/bin/gtcs

Can you confirm that all prerequisites for running container scanning in your pipeline have been fulfilled?

If you comment everything out except for the following minimal container_scanning job configuration, does the error persist?

include:
  - template: Jobs/Container-Scanning.gitlab-ci.yml

container_scanning:
  variables:
    CS_IMAGE: <registry.example.com>/<image>:<tag>

Yes, everything commented out and same error.

The template include uses Security/ as the path. This was deprecated and moved in 15.x. The current configuration uses Jobs/.

Re-iterating on my question earlier, which GitLab version is involved here? My guess is self-managed, and a version in or before 15.x.

GitLab version 15.9, and I tried using Jobs/ and encountered the same problem. I even created a new project and used the examples in the GitLab container scanning docs, and still the same error.

If you have a nested pipeline and/or are running into this issue, you can resolve it by referencing the image from GitLab directly:

  # https://gitlab.com/gitlab-org/security-products/analyzers/container-scanning/container_registry/1741162?orderBy=PUBLISHED_AT&sort=desc
  image: registry.gitlab.com/gitlab-org/security-products/analyzers/container-scanning:7-fips

I had this issue when it was going to a runner that was shell-based. It needed to go to one that was Docker-based. Hope this helps.

I’m seeing the same problem.

My gitlab-ci.yaml looks like this:

variables:
  DEV_ECR_REG: "XXXXXX.dkr.ecr.eu-west-2.amazonaws.com"
  CS_IMAGE: XXXXXXX.dkr.ecr.eu-west-2.amazonaws.com/${CI_PROJECT_NAME}:${CI_COMMIT_SHORT_SHA}
  CS_REGISTRY_USER: AWS
  CS_REGISTRY_PASSWORD: "$AWS_ECR_PASSWORD"
  AWS_DEFAULT_REGION: eu-west-2

stages:
  - build
  - test
  - deploy

container_scanning:
  before_script:
    - export AWS_SECRET_ACCESS_KEY=$DEV_AWS_SECRET_ACCESS_KEY && export AWS_ACCESS_KEY_ID=$DEV_AWS_ACCESS_KEY_ID
    - ruby -r open-uri -e "IO.copy_stream(URI.open('https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip'), 'awscliv2.zip')"
    - unzip -qq awscliv2.zip
    - ./aws/install
    - aws --version
    - export AWS_ECR_PASSWORD=$(aws ecr get-login-password --region eu-west-2)

include:
  - template: Jobs/Container-Scanning.gitlab-ci.yml

Logs from the job:

Running with gitlab-runner 17.0.0~pre.88.g761ae5dd (761ae5dd)
  on green-1.saas-linux-small-amd64.runners-manager.gitlab.com/default JLgUopmM, system ID: s_deaa2ca09de7
Resolving secrets
Preparing the "docker+machine" executor
00:21
Using Docker executor with image ruby:3.1 ...
Pulling docker image ruby:3.1 ...
Using docker image sha256:3ad239d6e3a500a646ee4f9d1523135a4c44f19c3abf1b4556eb5db4f375b9d5 for ruby:3.1 with digest ruby@sha256:34368e5da74213593681c4665bbf9efe4e7fec3956d19208ea0822b5bbd754a4 ...
Preparing environment
00:05
Running on runner-jlguopmm-project-25824718-concurrent-0 via runner-jlguopmm-s-l-s-amd64-1724947427-7c2b384f...
Getting source from Git repository
00:01
Skipping Git repository setup
Skipping Git checkout
Skipping Git submodules setup
Executing "step_script" stage of the job script
00:11
Using docker image sha256:3ad239d6e3a500a646ee4f9d1523135a4c44f19c3abf1b4556eb5db4f375b9d5 for ruby:3.1 with digest ruby@sha256:34368e5da74213593681c4665bbf9efe4e7fec3956d19208ea0822b5bbd754a4 ...
$ export AWS_SECRET_ACCESS_KEY=$DEV_AWS_SECRET_ACCESS_KEY && export AWS_ACCESS_KEY_ID=$DEV_AWS_ACCESS_KEY_ID
$ ruby -r open-uri -e "IO.copy_stream(URI.open('https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip'), 'awscliv2.zip')"
$ unzip -qq awscliv2.zip
$ ./aws/install
You can now run: /usr/local/bin/aws --version
$ aws --version
aws-cli/2.17.40 Python/3.11.9 Linux/5.15.154+ exe/x86_64.debian.12
$ export AWS_ECR_PASSWORD=$(aws ecr get-login-password --region region)
Could not connect to the endpoint URL: "https://api.ecr.region.amazonaws.com/"
$ gtcs scan
/usr/bin/bash: line 167: gtcs: command not found
Uploading artifacts for failed job
00:01
Uploading artifacts...
WARNING: **/gl-sbom-*.cdx.json: no matching files. Ensure that the artifact path is relative to the working directory (/builds/red61/docker-exim) 
ERROR: No files to upload                          
Uploading artifacts...
WARNING: gl-container-scanning-report.json: no matching files. Ensure that the artifact path is relative to the working directory (/builds/red61/docker-exim) 
ERROR: No files to upload                          
Cleaning up project directory and file based variables
00:00
ERROR: Job failed: exit code 1

It seems for some reason it is pulling a ruby image.

If I add the variable

  CS_ANALYZER_IMAGE: "$CI_TEMPLATE_REGISTRY_HOST/security-products/container-scanning:7"

It starts to pull the right image:

Running with gitlab-runner 17.0.0~pre.88.g761ae5dd (761ae5dd)
  on green-6.saas-linux-small-amd64.runners-manager.gitlab.com/default YKxHNyexq, system ID: s_a201ab37b78a
Resolving secrets
Preparing the "docker+machine" executor
00:13
Using Docker executor with image registry.gitlab.com/security-products/container-scanning:7 ...
Authenticating with credentials from job payload (GitLab Registry)
Pulling docker image registry.gitlab.com/security-products/container-scanning:7 ...
Using docker image sha256:8627fc2a6187212d1d37fb96a3a8a1b9491b68f5b951ea882c8c2b22a502f36b for registry.gitlab.com/security-products/container-scanning:7 with digest registry.gitlab.com/security-products/container-scanning@sha256:0a85bfddcd388458107642a26f5b0ef6faa9cb53b8c447893b16694e891437fd ...
Preparing environment
00:05
Running on runner-ykxhnyexq-project-25824718-concurrent-0 via runner-ykxhnyexq-s-l-s-amd64-1724948423-e0a9fd1e...
Getting source from Git repository
00:01
Skipping Git repository setup
Skipping Git checkout
Skipping Git submodules setup
Executing "step_script" stage of the job script
00:24
Using docker image sha256:8627fc2a6187212d1d37fb96a3a8a1b9491b68f5b951ea882c8c2b22a502f36b for registry.gitlab.com/security-products/container-scanning:7 with digest registry.gitlab.com/security-products/container-scanning@sha256:0a85bfddcd388458107642a26f5b0ef6faa9cb53b8c447893b16694e891437fd ...
$ export AWS_SECRET_ACCESS_KEY=$DEV_AWS_SECRET_ACCESS_KEY && export AWS_ACCESS_KEY_ID=$DEV_AWS_ACCESS_KEY_ID
$ ruby -r open-uri -e "IO.copy_stream(URI.open('https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip'), 'awscliv2.zip')"
$ unzip -qq awscliv2.zip
$ sudo ./aws/install
You can now run: /usr/local/bin/aws --version
$ aws --version
aws-cli/2.17.40 Python/3.11.9 Linux/5.15.154+ exe/x86_64.debian
$ export AWS_ECR_PASSWORD=$(aws ecr get-login-password --region eu-west-2)
$ gtcs scan
[INFO] [2024-08-29 16:21:53 +0000] [container-scanning]  >  Remediation is disabled; /builds/red61/docker-exim/Dockerfile cannot be found. Have you set `GIT_STRATEGY` and
`CS_DOCKERFILE_PATH`?
See https://docs.gitlab.com/ee/user/application_security/container_scanning/#solutions-for-vulnerabilities-auto-remediation
[INFO] [2024-08-29 16:21:54 +0000] [container-scanning]  >  Scanning container from registry 353058589905.dkr.ecr.eu-west-2.amazonaws.com/docker-exim:84e34c70 for vulnerabilities with severity level UNKNOWN or higher, with gcs 7.3.5 and Trivy Version: 0.52.1, advisories updated at 2024-08-28T12:12:54+00:00
[INFO] [2024-08-29 16:21:59 +0000] [container-scanning]  >  Scanning container from registry 353058589905.dkr.ecr.eu-west-2.amazonaws.com/docker-exim:84e34c70 for vulnerabilities with severity level UNKNOWN or higher, with gcs 7.3.5 and Trivy Version: 0.52.1, advisories updated at 2024-08-28T12:12:54+00:00
Uploading artifacts for successful job
00:06
Uploading artifacts...
gl-container-scanning-report.json: found 1 matching artifact files and directories 
WARNING: gl-dependency-scanning-report.json: no matching files. Ensure that the artifact path is relative to the working directory (/builds/red61/docker-exim) 
**/gl-sbom-*.cdx.json: found 1 matching artifact files and directories 
WARNING: Upload request redirected                  location=https://gitlab.com/api/v4/jobs/7699979376/artifacts?artifact_format=zip&artifact_type=archive new-url=https://gitlab.com
WARNING: Retrying...                                context=artifacts-uploader error=request redirected
Uploading artifacts as "archive" to coordinator... 201 Created  id=7699979376 responseStatus=201 Created token=glcbt-66
Uploading artifacts...
**/gl-sbom-*.cdx.json: found 1 matching artifact files and directories 
WARNING: Upload request redirected                  location=https://gitlab.com/api/v4/jobs/7699979376/artifacts?artifact_format=gzip&artifact_type=cyclonedx new-url=https://gitlab.com
WARNING: Retrying...                                context=artifacts-uploader error=request redirected
Uploading artifacts as "cyclonedx" to coordinator... 201 Created  id=7699979376 responseStatus=201 Created token=glcbt-66
Uploading artifacts...
gl-container-scanning-report.json: found 1 matching artifact files and directories 
WARNING: Upload request redirected                  location=https://gitlab.com/api/v4/jobs/7699979376/artifacts?artifact_format=raw&artifact_type=container_scanning new-url=https://gitlab.com
WARNING: Retrying...                                context=artifacts-uploader error=request redirected
Uploading artifacts as "container_scanning" to coordinator... 201 Created  id=7699979376 responseStatus=201 Created token=glcbt-66
Cleaning up project directory and file based variables
00:01
Job succeeded

Also, the latest Trivy version is 0.54; please update it.
And fix the bug.
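As an added example (not code from this thread, from GitLab's templates or from the analyzer image), here is a POSIX shell pre-flight check for the container_scanning job's before_script. It turns the two failure modes discussed above into an explicit, early failure: the analyzer CLI not being on PATH because the job is executing in some other image (the `which gtcs` check in the earlier reply, and the ruby:3.1 run in the first log), and a CS_IMAGE value that is empty or still contains an unexpanded variable reference. The function names, the messages, the accepted image-reference pattern and the sample references are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread or from GitLab's analyzer image.
# Function names, messages and the image-reference pattern are assumptions.

# Return 0 when REF looks like a usable registry reference, i.e.
#   host[:port]/path[/path...]:tag   or   host[:port]/path[/path...]@sha256:<64 hex>
# Empty strings and text that still contains "$" (an unexpanded variable,
# e.g. a literal "${CI_PROJECT_NAME}") are rejected, because that is exactly
# what the scanner would otherwise try to pull.
cs_image_ref_ok() {
  img_ref=$1
  [ -n "$img_ref" ] || return 1
  case "$img_ref" in
    *'$'* | *' '*) return 1 ;;
  esac
  img_host='[A-Za-z0-9._-]+(:[0-9]+)?'
  img_path='(/[a-z0-9._-]+)+'
  if printf '%s\n' "$img_ref" | grep -Eq "^${img_host}${img_path}@sha256:[0-9a-f]{64}\$"; then
    return 0
  fi
  printf '%s\n' "$img_ref" | grep -Eq "^${img_host}${img_path}:[A-Za-z0-9._-]+\$"
}

# Return 0 when the analyzer CLI is on PATH. "gtcs: command not found" means the
# job is running in some other image (ruby:3.1 in the log above) or on a shell
# executor, so the template's image: setting is not taking effect.
cs_analyzer_present() {
  command -v gtcs >/dev/null 2>&1
}

# Run every check, report each failure on stderr, return non-zero if any failed.
# IMAGE defaults to $CS_IMAGE, the value the template hands to the scanner.
cs_preflight() {
  image=${1:-${CS_IMAGE:-}}
  rc=0
  if ! cs_analyzer_present; then
    echo "preflight: gtcs not on PATH; set CS_ANALYZER_IMAGE (e.g. \$CI_TEMPLATE_REGISTRY_HOST/security-products/container-scanning:7) and use a Docker-based runner" >&2
    rc=1
  fi
  if ! cs_image_ref_ok "$image"; then
    echo "preflight: CS_IMAGE is unset or not a valid image reference: '$image'" >&2
    rc=1
  fi
  return $rc
}
```

In the job this runs ahead of the template's `gtcs scan`, for example as `before_script: - . ./cs_preflight.sh && cs_preflight`. Note that the job in the logs above runs without a checkout ("Skipping Git checkout"), so either inline the functions in the job script or set GIT_STRATEGY so that the file is actually fetched.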