Please help fill in this template with all the details to help others help you more efficiently. Use formatting blocks for code, config, logs and ensure to remove sensitive data.
Problem to solve
I am trying to implement container scanning.
- The first part of the container scanning seems to work, but it seems that the Trivy scanner bombs out on a timeout of some sort.
Steps to reproduce
I have used the GitLab documentation on container scanning, and created a .gitlab-ci.yml file from the examples, but one that would fit my needs.
Configuration
My .gitlab-ci.yml file:
```yaml
# This image is used for Java projects where a jar is built. You can change this to a different image suiting your needs.
image: $CI_REGISTRY/systems/base-containers/maven:latest

cache:
  paths:
    - .m2/repository

variables:
  MAVEN_OPTS: "-Dmaven.repo.local=$CI_PROJECT_DIR/.m2/repository"

stages:
  - feature-coding
  - test
  - deploy-dev-release
  - create-release
  - deploy-staging-release
  - hotfix

include:
  - local: .ci/.feature-branch.yml
  - local: .ci/.hotfix.yml
  - local: .ci/.release-tags.yml
  - template: Jobs/SAST.gitlab-ci.yml
  - template: Code-Quality.gitlab-ci.yml
  - template: Jobs/Container-Scanning.gitlab-ci.yml

# Overrides of the jobs defined by the included templates
code_quality:
  variables:
    CODECLIMATE_DEBUG: "1"
    # CI_DEBUG_TRACE: "true"
  rules:
    - if: $CI_PIPELINE_SOURCE == 'merge_request_event' && $CI_MERGE_REQUEST_SOURCE_BRANCH_NAME !~ /^hotfix-*/
    - if: $CI_COMMIT_TAG
    - if: $CI_COMMIT_BRANCH == 'main'

nodejs-scan-sast:
  rules:
    - if: $CI_PIPELINE_SOURCE == 'merge_request_event' && $CI_MERGE_REQUEST_SOURCE_BRANCH_NAME !~ /^hotfix-*/
    - if: $CI_COMMIT_TAG
    - if: $CI_COMMIT_BRANCH == 'main'

container_scanning:
  rules:
    - if: $CI_PIPELINE_SOURCE == 'merge_request_event' && $CI_MERGE_REQUEST_SOURCE_BRANCH_NAME !~ /^hotfix-*/
    - if: $CI_COMMIT_TAG
    - if: $CI_COMMIT_BRANCH == 'main'
  variables:
    CS_IMAGE: $CI_REGISTRY_IMAGE/my_image:latest
    CS_DOCKERFILE_PATH: Dockerfile_for_my_image
    GIT_STRATEGY: fetch
```
I have not made any changes to the template files in use!
Relevant output from the job log:
```text
[INFO] [2024-04-01 12:23:41 +0000] [container-scanning] > Scanning container from registry registry.hbps.co.za/hanse/nwu-sast/kafka-sas-tags-student-admission-application-status:latest for vulnerabilities with severity level UNKNOWN or higher, with gcs 6.7.0 and Trivy Version: 0.49.1, advisories updated at 2024-03-31T12:11:21+00:00
[ERROR] [2024-04-01 12:43:47 +0000] [container-scanning] > OS dependency scan failed. Use `SECURE_LOG_LEVEL=debug` to see more details.
[ERROR] [2024-04-01 12:43:47 +0000] [container-scanning] > 2024-04-01T12:23:42.950Z INFO Vulnerability scanning is enabled
2024-04-01T12:24:23.398Z INFO Java DB Repository: ghcr.io/aquasecurity/trivy-java-db:1
2024-04-01T12:24:23.398Z INFO Downloading the Java DB...
2024-04-01T12:43:46.945Z INFO The Java DB is cached for 3 days. If you want to update the database more frequently, the '--reset' flag clears the DB cache.
2024-04-01T12:43:46.985Z WARN Increase --timeout value
2024-04-01T12:43:46.985Z FATAL image scan error: scan error: scan failed: failed analysis: analyze error: pipeline error: failed to analyze layer (sha256:ffd0f36a9dd252974e5f3e919fab6acd960ade53b3b043f67644c3c74920d828): post analysis error: post analysis error: walk dir error: walk error: context deadline exceeded
[INFO] [2024-04-01 12:43:51 +0000] [container-scanning] > Scanning container from registry registry.hbps.co.za/hanse/nwu-sast/kafka-sas-tags-student-admission-application-status:latest for vulnerabilities with severity level UNKNOWN or higher, with gcs 6.7.0 and Trivy Version: 0.49.1, advisories updated at 2024-03-31T12:11:21+00:00
Uploading artifacts for failed job 00:03
Uploading artifacts...
**/gl-sbom-*.cdx.json: found 1 matching artifact files and directories
Uploading artifacts as "cyclonedx" to coordinator... 201 Created id=1729 responseStatus=201 Created token=glcbt-64
Uploading artifacts...
gl-container-scanning-report.json: found 1 matching artifact files and directories
Uploading artifacts as "container_scanning" to coordinator... 201 Created id=1729 responseStatus=201 Created token=glcbt-64
Uploading artifacts...
```
I have seen on GitHub that this issue has been opened, but I don't know where to set the timeout mentioned, as there is no such known variable listed on this list of known CI/CD variables for container scanning. Is this a timeout issue, or am I looking at something different here?
Versions
Please select whether options apply, and add the version information.
- Self-managed v16.9.1-ee
- GitLab.com SaaS
- Self-hosted Runners v16.9.0
Thanks in advance for anyone willing to help!
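One way to confirm from the job log itself where the scan's time went, as an added example that is my own script and not code from the post, from GitLab or from Trivy: it parses the two line formats that appear in the excerpt above (the gcs wrapper's `[LEVEL] [timestamp] [container-scanning] > message` lines and Trivy's own `timestamp LEVEL message` lines, with Trivy's first line glued onto a gcs ERROR line as in the excerpt), treats each Trivy line as the start of a phase, and reports which phase consumed the budget before the `context deadline exceeded`. The embedded sample log is constructed from the excerpt, with the image name replaced by a placeholder.

```python
"""Triage a GitLab container-scanning job log (gcs wrapper + embedded Trivy
output) and attribute a "context deadline exceeded" failure to the Trivy
phase that consumed the time budget.

Added example; not part of the forum post, GitLab or Trivy. It assumes only
the two line formats visible in the excerpt above.
"""
import re
from datetime import datetime, timezone

# gcs wrapper line: "[ERROR] [2024-04-01 12:43:47 +0000] [container-scanning] > msg"
GCS_LINE = re.compile(r"^\[(\w+)\] \[([^\]]+)\] \[container-scanning\] > (.*)$")
# Trivy line: "2024-04-01T12:24:23.398Z INFO Downloading the Java DB..."
TRIVY_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+Z)\s+(INFO|WARN|ERROR|FATAL)\s+(.*)$"
)


def _gcs_ts(text):
    # gcs timestamps look like "2024-04-01 12:43:47 +0000"
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S %z")


def _trivy_ts(text):
    # Trivy timestamps are RFC 3339 UTC with millisecond precision
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def parse_events(log_text):
    """Return (gcs_events, trivy_events); each event is (timestamp, level, message)."""
    gcs_events, trivy_events = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = GCS_LINE.match(line)
        if m:
            level, ts, msg = m.groups()
            gcs_events.append((_gcs_ts(ts), level, msg))
            # gcs prints Trivy's first stderr line on the same line as its own
            # ERROR prefix, so keep looking at the message part for a Trivy line.
            line = msg
        m = TRIVY_LINE.match(line)
        if m:
            ts, level, msg = m.groups()
            trivy_events.append((_trivy_ts(ts), level, msg))
    return gcs_events, trivy_events


def triage(log_text):
    """Attribute a Trivy timeout to the phase that spent the most time.

    Each Trivy log line starts a phase that lasts until the next Trivy line;
    the longest phase is the one that ate the deadline.
    """
    gcs_events, trivy_events = parse_events(log_text)
    fatal = next((e for e in trivy_events if e[1] == "FATAL"), None)
    phases = [
        (trivy_events[i][2], (trivy_events[i + 1][0] - trivy_events[i][0]).total_seconds())
        for i in range(len(trivy_events) - 1)
    ]
    slowest = max(phases, key=lambda p: p[1], default=("", 0.0))
    trivy_total = (
        (trivy_events[-1][0] - trivy_events[0][0]).total_seconds() if trivy_events else 0.0
    )
    # Wall clock as seen by the gcs wrapper: first line to first ERROR line
    first_error = next((e for e in gcs_events if e[1] == "ERROR"), None)
    gcs_total = (first_error[0] - gcs_events[0][0]).total_seconds() if first_error else None
    return {
        "timed_out": fatal is not None and "context deadline exceeded" in fatal[2],
        "trivy_asks_for_timeout": any(
            lvl == "WARN" and "--timeout" in msg for _, lvl, msg in trivy_events
        ),
        "slowest_phase": slowest[0],
        "slowest_seconds": slowest[1],
        "trivy_seconds": trivy_total,
        "gcs_seconds": gcs_total,
        "slowest_share": slowest[1] / trivy_total if trivy_total else 0.0,
    }


# Constructed sample: the excerpt from the post, image name replaced by a placeholder.
SAMPLE_LOG = """\
[INFO] [2024-04-01 12:23:41 +0000] [container-scanning] > Scanning container from registry registry.example.com/group/project/my_image:latest for vulnerabilities with severity level UNKNOWN or higher, with gcs 6.7.0 and Trivy Version: 0.49.1, advisories updated at 2024-03-31T12:11:21+00:00
[ERROR] [2024-04-01 12:43:47 +0000] [container-scanning] > OS dependency scan failed. Use `SECURE_LOG_LEVEL=debug` to see more details.
[ERROR] [2024-04-01 12:43:47 +0000] [container-scanning] > 2024-04-01T12:23:42.950Z INFO Vulnerability scanning is enabled
2024-04-01T12:24:23.398Z INFO Java DB Repository: ghcr.io/aquasecurity/trivy-java-db:1
2024-04-01T12:24:23.398Z INFO Downloading the Java DB...
2024-04-01T12:43:46.945Z INFO The Java DB is cached for 3 days. If you want to update the database more frequently, the '--reset' flag clears the DB cache.
2024-04-01T12:43:46.985Z WARN Increase --timeout value
2024-04-01T12:43:46.985Z FATAL image scan error: scan error: scan failed: failed analysis: analyze error: pipeline error: failed to analyze layer (sha256:ffd0f36a9dd252974e5f3e919fab6acd960ade53b3b043f67644c3c74920d828): post analysis error: post analysis error: walk dir error: walk error: context deadline exceeded
Uploading artifacts for failed job 00:03
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the excerpt, the script attributes roughly 19 of the 20 minutes to the phase that begins with `Downloading the Java DB...` (from 12:24:23 until the "Java DB is cached" line at 12:43:46), and the FATAL line with `context deadline exceeded` follows 40 ms later. So the budget was spent fetching ghcr.io/aquasecurity/trivy-java-db from the runner, not walking the image layer, which is the first thing to check (runner egress to ghcr.io, or a proxy or cache for that DB) before treating it as a problem with the image.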