I am currently working on setting up a GitLab CI/CD pipeline for building Docker images using Kaniko and scanning them for vulnerabilities using GitLab Container Scanning. However, I’m facing a challenge in performing the container scan before pushing the images to the registry, and I’m looking for alternatives to using artifacts.
Here’s the issue:
Context: Our organization is focused on minimizing the size of our GitLab Enterprise instance, and saving the images as artifacts during the CI/CD process is discouraged due to space constraints.
Security Concerns: We are also concerned about security. We don’t want to push Docker images to the registry if they have critical vulnerabilities. This poses a security risk, and we want to ensure that images are scanned for vulnerabilities before pushing.
GitLab recommends pushing the images first and then scanning them, but this goes against our security policies.
So basically I have two questions:
- Are there alternative approaches or best practices to integrate GitLab Container Scanning into our GitLab CI/CD pipeline with Kaniko so that we can perform the vulnerability scan before pushing the images to the registry without using artifacts?
- Additionally, is it possible to configure GitLab CI to run two jobs using the same storage, where one job builds the image and another scans it, without the need to save the image as an artifact in between?
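One pattern that satisfies both constraints without image artifacts, as an added example that is not part of the original post and not GitLab's or Kaniko's own documentation: GitLab jobs run in separate executors and share no filesystem, so a build job and a scan job can only hand an image over through artifacts, cache, or a registry. The example below pushes to a quarantine tag, scans it with the GitLab Container Scanning template, gates on the report, and only then copies the image to its release tag with crane. The `quarantine` path, the stage names and the `gate` job are assumptions; the `container_scanning` job name, `CS_IMAGE` and the `gl-container-scanning-report.json` report come from the GitLab template. Note that the template job does not fail the pipeline on findings by itself, which is why the gate job checks the report.

```yaml
# Added example (not from the original post). Assumes the project registry
# has a "quarantine" path that only CI credentials can read.
include:
  - template: Jobs/Container-Scanning.gitlab-ci.yml

stages:
  - build
  - scan
  - gate
  - promote

variables:
  QUARANTINE_IMAGE: $CI_REGISTRY_IMAGE/quarantine:$CI_COMMIT_SHA  # assumed naming
  RELEASE_IMAGE: $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA

build:
  stage: build
  image:
    name: gcr.io/kaniko-project/executor:debug
    entrypoint: [""]
  script:
    # Registry credentials for Kaniko, as in the GitLab Kaniko docs.
    - mkdir -p /kaniko/.docker
    - echo "{\"auths\":{\"${CI_REGISTRY}\":{\"auth\":\"$(printf "%s:%s" "${CI_REGISTRY_USER}" "${CI_REGISTRY_PASSWORD}" | base64 | tr -d '\n')\"}}}" > /kaniko/.docker/config.json
    # Push only to the quarantine tag; nothing reaches the release tag yet.
    - /kaniko/executor
      --context "${CI_PROJECT_DIR}"
      --dockerfile "${CI_PROJECT_DIR}/Dockerfile"
      --destination "${QUARANTINE_IMAGE}"

# Job defined by the included template; point it at the quarantine tag.
container_scanning:
  stage: scan
  needs: [build]
  variables:
    CS_IMAGE: $QUARANTINE_IMAGE

# Assumed gate job: fail the pipeline if the report lists any Critical finding.
gate:
  stage: gate
  image: alpine:3.19
  needs: [container_scanning]
  script:
    - apk add --no-cache jq
    - CRITICAL=$(jq '[.vulnerabilities[] | select(.severity == "Critical")] | length' gl-container-scanning-report.json)
    - echo "critical findings: $CRITICAL"
    - test "$CRITICAL" -eq 0

# Copy the already-scanned manifest to the release tag; no rebuild, so the
# promoted digest is exactly the one that was scanned.
promote:
  stage: promote
  image:
    name: gcr.io/go-containerregistry/crane:debug
    entrypoint: [""]
  needs: [gate]
  script:
    - crane auth login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
    - crane copy "$QUARANTINE_IMAGE" "$RELEASE_IMAGE"
```

The only artifact this keeps is the small JSON report, not the image. Quarantine tags should be removed by a registry cleanup policy so that the namespace does not grow. If the policy forbids any push at all, the other route is a single job that runs Kaniko with `--no-push --tarPath image.tar` and then scans the tarball in the same job with Trivy (`trivy image --input image.tar --exit-code 1 --severity CRITICAL`), which is the scanner the GitLab template uses; that needs a job image containing both binaries and loses the GitLab-native report integration.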