Has anyone tried to use container scanning in the CI/CD pipeline and encountered this error with “gtcs scan”?
$ gtcs scan
bash: line 135: gtcs: command not found
Please share the configuration in .gitlab-ci.yml for container scanning, and the environment (self-managed/SaaS, which versions, etc.).
This error indicates that the gtcs command is not available. gtcs is the command which the container_scanning job uses to perform container scanning by default.
- Dockerfile · master · GitLab.org / security-products / analyzers / container-scanning · GitLab
- lib/gitlab/ci/templates/Jobs/Container-Scanning.gitlab-ci.yml · master · GitLab.org / GitLab · GitLab
greg@gitlab:[~]:) docker run -it registry.gitlab.com/security-products/container-scanning:6 which gtcs
/usr/local/bundle/bin/gtcs
Can you confirm that all prerequisites for running container scanning in your pipeline have been fulfilled?
If you comment everything out except for the following minimal container_scanning job configuration, does the error persist?

include:
  - template: Jobs/Container-Scanning.gitlab-ci.yml

container_scanning:
  variables:
    CS_IMAGE: <registry.example.com>/<image>:<tag>
Yes, everything commented out and same error.
The template include uses Security/ as path. This was deprecated and moved in 15.x. The current configuration uses Jobs/.
Re-iterating on my question earlier, which GitLab version is involved here? My guess is self-managed, and a version in or before 15.x.
GitLab version 15.9, and tried using Jobs/ and encounter the same problem. I even created a new project and used the examples in the GitLab container scanning docs, and still the same error.
If you have a nested pipeline and/or are running into this issue, you can resolve it by referencing the image from GitLab directly:

  # https://gitlab.com/gitlab-org/security-products/analyzers/container-scanning/container_registry/1741162?orderBy=PUBLISHED_AT&sort=desc
  image: registry.gitlab.com/gitlab-org/security-products/analyzers/container-scanning:7-fips
I had this issue when it was going to a runner that was shell based. It needed to go to one that was docker based. Hope this helps.
I’m seeing the same problem.
My gitlab-ci.yaml looks like this:
variables:
  DEV_ECR_REG: "XXXXXX.dkr.ecr.eu-west-2.amazonaws.com"
  CS_IMAGE: XXXXXXX.dkr.ecr.eu-west-2.amazonaws.com/${CI_PROJECT_NAME}:${CI_COMMIT_SHORT_SHA}
  CS_REGISTRY_USER: AWS
  CS_REGISTRY_PASSWORD: "$AWS_ECR_PASSWORD"
  AWS_DEFAULT_REGION: eu-west-2

stages:
  - build
  - test
  - deploy

container_scanning:
  before_script:
    - export AWS_SECRET_ACCESS_KEY=$DEV_AWS_SECRET_ACCESS_KEY && export AWS_ACCESS_KEY_ID=$DEV_AWS_ACCESS_KEY_ID
    - ruby -r open-uri -e "IO.copy_stream(URI.open('https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip'), 'awscliv2.zip')"
    - unzip -qq awscliv2.zip
    - ./aws/install
    - aws --version
    - export AWS_ECR_PASSWORD=$(aws ecr get-login-password --region eu-west-2)

include:
  - template: Jobs/Container-Scanning.gitlab-ci.yml
Logs from the job:
Running with gitlab-runner 17.0.0~pre.88.g761ae5dd (761ae5dd)
on green-1.saas-linux-small-amd64.runners-manager.gitlab.com/default JLgUopmM, system ID: s_deaa2ca09de7
Resolving secrets
Preparing the "docker+machine" executor
00:21
Using Docker executor with image ruby:3.1 ...
Pulling docker image ruby:3.1 ...
Using docker image sha256:3ad239d6e3a500a646ee4f9d1523135a4c44f19c3abf1b4556eb5db4f375b9d5 for ruby:3.1 with digest ruby@sha256:34368e5da74213593681c4665bbf9efe4e7fec3956d19208ea0822b5bbd754a4 ...
Preparing environment
00:05
Running on runner-jlguopmm-project-25824718-concurrent-0 via runner-jlguopmm-s-l-s-amd64-1724947427-7c2b384f...
Getting source from Git repository
00:01
Skipping Git repository setup
Skipping Git checkout
Skipping Git submodules setup
Executing "step_script" stage of the job script
00:11
Using docker image sha256:3ad239d6e3a500a646ee4f9d1523135a4c44f19c3abf1b4556eb5db4f375b9d5 for ruby:3.1 with digest ruby@sha256:34368e5da74213593681c4665bbf9efe4e7fec3956d19208ea0822b5bbd754a4 ...
$ export AWS_SECRET_ACCESS_KEY=$DEV_AWS_SECRET_ACCESS_KEY && export AWS_ACCESS_KEY_ID=$DEV_AWS_ACCESS_KEY_ID
$ ruby -r open-uri -e "IO.copy_stream(URI.open('https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip'), 'awscliv2.zip')"
$ unzip -qq awscliv2.zip
$ ./aws/install
You can now run: /usr/local/bin/aws --version
$ aws --version
aws-cli/2.17.40 Python/3.11.9 Linux/5.15.154+ exe/x86_64.debian.12
$ export AWS_ECR_PASSWORD=$(aws ecr get-login-password --region region)
Could not connect to the endpoint URL: "https://api.ecr.region.amazonaws.com/"
$ gtcs scan
/usr/bin/bash: line 167: gtcs: command not found
Uploading artifacts for failed job
00:01
Uploading artifacts...
WARNING: **/gl-sbom-*.cdx.json: no matching files. Ensure that the artifact path is relative to the working directory (/builds/red61/docker-exim)
ERROR: No files to upload
Uploading artifacts...
WARNING: gl-container-scanning-report.json: no matching files. Ensure that the artifact path is relative to the working directory (/builds/red61/docker-exim)
ERROR: No files to upload
Cleaning up project directory and file based variables
00:00
ERROR: Job failed: exit code 1
It seems for some reason it is pulling a ruby image.
If I add the variable
  CS_ANALYZER_IMAGE: "$CI_TEMPLATE_REGISTRY_HOST/security-products/container-scanning:7"
it starts to pull the right image:
Running with gitlab-runner 17.0.0~pre.88.g761ae5dd (761ae5dd)
on green-6.saas-linux-small-amd64.runners-manager.gitlab.com/default YKxHNyexq, system ID: s_a201ab37b78a
Resolving secrets
Preparing the "docker+machine" executor
00:13
Using Docker executor with image registry.gitlab.com/security-products/container-scanning:7 ...
Authenticating with credentials from job payload (GitLab Registry)
Pulling docker image registry.gitlab.com/security-products/container-scanning:7 ...
Using docker image sha256:8627fc2a6187212d1d37fb96a3a8a1b9491b68f5b951ea882c8c2b22a502f36b for registry.gitlab.com/security-products/container-scanning:7 with digest registry.gitlab.com/security-products/container-scanning@sha256:0a85bfddcd388458107642a26f5b0ef6faa9cb53b8c447893b16694e891437fd ...
Preparing environment
00:05
Running on runner-ykxhnyexq-project-25824718-concurrent-0 via runner-ykxhnyexq-s-l-s-amd64-1724948423-e0a9fd1e...
Getting source from Git repository
00:01
Skipping Git repository setup
Skipping Git checkout
Skipping Git submodules setup
Executing "step_script" stage of the job script
00:24
Using docker image sha256:8627fc2a6187212d1d37fb96a3a8a1b9491b68f5b951ea882c8c2b22a502f36b for registry.gitlab.com/security-products/container-scanning:7 with digest registry.gitlab.com/security-products/container-scanning@sha256:0a85bfddcd388458107642a26f5b0ef6faa9cb53b8c447893b16694e891437fd ...
$ export AWS_SECRET_ACCESS_KEY=$DEV_AWS_SECRET_ACCESS_KEY && export AWS_ACCESS_KEY_ID=$DEV_AWS_ACCESS_KEY_ID
$ ruby -r open-uri -e "IO.copy_stream(URI.open('https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip'), 'awscliv2.zip')"
$ unzip -qq awscliv2.zip
$ sudo ./aws/install
You can now run: /usr/local/bin/aws --version
$ aws --version
aws-cli/2.17.40 Python/3.11.9 Linux/5.15.154+ exe/x86_64.debian
$ export AWS_ECR_PASSWORD=$(aws ecr get-login-password --region eu-west-2)
$ gtcs scan
[INFO] [2024-08-29 16:21:53 +0000] [container-scanning] > Remediation is disabled; /builds/red61/docker-exim/Dockerfile cannot be found. Have you set `GIT_STRATEGY` and `CS_DOCKERFILE_PATH`?
See https://docs.gitlab.com/ee/user/application_security/container_scanning/#solutions-for-vulnerabilities-auto-remediation
[INFO] [2024-08-29 16:21:54 +0000] [container-scanning] > Scanning container from registry 353058589905.dkr.ecr.eu-west-2.amazonaws.com/docker-exim:84e34c70 for vulnerabilities with severity level UNKNOWN or higher, with gcs 7.3.5 and Trivy Version: 0.52.1, advisories updated at 2024-08-28T12:12:54+00:00
[INFO] [2024-08-29 16:21:59 +0000] [container-scanning] > Scanning container from registry 353058589905.dkr.ecr.eu-west-2.amazonaws.com/docker-exim:84e34c70 for vulnerabilities with severity level UNKNOWN or higher, with gcs 7.3.5 and Trivy Version: 0.52.1, advisories updated at 2024-08-28T12:12:54+00:00
Uploading artifacts for successful job
00:06
Uploading artifacts...
gl-container-scanning-report.json: found 1 matching artifact files and directories
WARNING: gl-dependency-scanning-report.json: no matching files. Ensure that the artifact path is relative to the working directory (/builds/red61/docker-exim)
**/gl-sbom-*.cdx.json: found 1 matching artifact files and directories
WARNING: Upload request redirected location=https://gitlab.com/api/v4/jobs/7699979376/artifacts?artifact_format=zip&artifact_type=archive new-url=https://gitlab.com
WARNING: Retrying... context=artifacts-uploader error=request redirected
Uploading artifacts as "archive" to coordinator... 201 Created id=7699979376 responseStatus=201 Created token=glcbt-66
Uploading artifacts...
**/gl-sbom-*.cdx.json: found 1 matching artifact files and directories
WARNING: Upload request redirected location=https://gitlab.com/api/v4/jobs/7699979376/artifacts?artifact_format=gzip&artifact_type=cyclonedx new-url=https://gitlab.com
WARNING: Retrying... context=artifacts-uploader error=request redirected
Uploading artifacts as "cyclonedx" to coordinator... 201 Created id=7699979376 responseStatus=201 Created token=glcbt-66
Uploading artifacts...
gl-container-scanning-report.json: found 1 matching artifact files and directories
WARNING: Upload request redirected location=https://gitlab.com/api/v4/jobs/7699979376/artifacts?artifact_format=raw&artifact_type=container_scanning new-url=https://gitlab.com
WARNING: Retrying... context=artifacts-uploader error=request redirected
Uploading artifacts as "container_scanning" to coordinator... 201 Created id=7699979376 responseStatus=201 Created token=glcbt-66
Cleaning up project directory and file based variables
00:01
Job succeeded
Also, the latest Trivy version is 0.54; please update it.
And fix the bug.
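As an added example that is not part of this thread: a small bash triage script that reads a job log excerpt and tells apart the causes raised above (job running in a non-analyzer image such as ruby:3.1, job routed to a shell executor, or gtcs missing for some other reason). It assumes the executor and "Using Docker executor with image" line formats seen in the posted logs; the sample log excerpts are constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: triage a GitLab job log for the
# "gtcs: command not found" failure. Assumes the log line formats seen in
# the thread's job output (executor line and "Using Docker executor with image" line).

ANALYZER_IMAGE_RE='security-products/container-scanning'

# diagnose_log <log text>
# Prints a one-line diagnosis. Return codes:
#   0 gtcs ran; 1 job used a non-analyzer image; 2 shell executor; 3 unknown cause
diagnose_log() {
  local log="$1" executor image
  executor=$(printf '%s\n' "$log" | sed -n 's/^Preparing the "\([^"]*\)" executor.*/\1/p' | head -n1)
  image=$(printf '%s\n' "$log" | sed -n 's/^Using Docker executor with image \(.*\) \.\.\.$/\1/p' | head -n1)

  if ! printf '%s\n' "$log" | grep -q 'gtcs: command not found'; then
    echo "OK: gtcs was found (job image: ${image:-unknown})"
    return 0
  fi
  if [ "$executor" = "shell" ]; then
    echo "CAUSE: shell executor; the analyzer image is never pulled. Route the job to a docker executor."
    return 2
  fi
  if [ -n "$image" ] && ! printf '%s\n' "$image" | grep -q "$ANALYZER_IMAGE_RE"; then
    echo "CAUSE: job ran in '$image', not the analyzer image."
    echo "       Set CS_ANALYZER_IMAGE (or image:) to registry.gitlab.com/security-products/container-scanning:<tag>"
    return 1
  fi
  echo "CAUSE: gtcs missing for another reason; check the image tag and PATH."
  return 3
}

# Constructed sample logs, trimmed to the lines the check looks at.
BAD_LOG='Preparing the "docker+machine" executor
Using Docker executor with image ruby:3.1 ...
$ gtcs scan
/usr/bin/bash: line 167: gtcs: command not found'
SHELL_LOG='Preparing the "shell" executor
$ gtcs scan
bash: line 135: gtcs: command not found'
GOOD_LOG='Preparing the "docker+machine" executor
Using Docker executor with image registry.gitlab.com/security-products/container-scanning:7 ...
$ gtcs scan
[INFO] [container-scanning] > Scanning container for vulnerabilities'

for sample in "$BAD_LOG" "$SHELL_LOG" "$GOOD_LOG"; do
  diagnose_log "$sample" || true
done
```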