author: Achilleas Pipinellis <axil@gitlab.com> 2019-08-13 16:54:17 +0300
committer: Achilleas Pipinellis <axil@gitlab.com> 2019-08-26 22:39:49 +0200
commit: 0a56332388bb08f11e2995d80946ed611e5da6de
tree: b40a0cbe619cf27b3421456130235989d824407d
parent: 9e85bd62364e3d408a2b4e9bbcdf32f8ba9cbaf2
Document available env variables for Container Scanning

Branch: docs/container-scanning-variables

-rw-r--r-- doc/user/application_security/container_scanning/index.md 48
1 files changed, 46 insertions, 2 deletions
diff --git a/doc/user/application_security/container_scanning/index.md b/doc/user/application_security/container_scanning/index.md
index 7b631a5a1cd..57300ba938e 100644
--- a/doc/user/application_security/container_scanning/index.md
+++ b/doc/user/application_security/container_scanning/index.md
@@ -94,9 +94,53 @@ If you want to whitelist some specific vulnerabilities, you can do so by definin
them in a YAML file named `clair-whitelist.yml`. Read more in the
[Clair documentation](https://github.com/arminc/clair-scanner/blob/master/README.md#example-whitelist-yaml-file).
+### Customizing the Container Scanning settings
+
+The Container Scanning settings can be changed through [environment variables](#available-variables) by using the
+[`variables`](../../../ci/yaml/README.md#variables) parameter in `.gitlab-ci.yml`.
+
+For example:
+
+```yaml
+include:
+ template: Container-Scanning.gitlab-ci.yml
+
+variables:
+ CLAIR_SCAN_LOCAL_VERSION: "2.0.5"
+```
+
+Because template is [evaluated before](../../../ci/yaml/README.md#include) the pipeline
+configuration, the last mention of the variable will take precedence.
+
+### Overriding the Container Scanning template
+
+If you want to override the job definition (for example, change properties like
+`variables` or `dependencies`), you need to declare a `Container_scanning` job
+after the template inclusion and specify any additional keys under it. For example:
+
+```yaml
+include:
+ template: Container-Scanning.gitlab-ci.yml
+
+container_scanning:
+ variables:
+ CLAIR_SCAN_LOCAL_VERSION: "2.0.5"
+```
+
+### Available variables
+
+Container Scanning can be [configured](#customizing-the-container-scanning-settings)
+using environment variables.
+
+| Environment variable | Function |
+|-------------------------------- |----------|
+| `CLAIR_SCAN_LOCAL_VERSION` | Select a custom version (actually, a Docker tag) of [clair-local-scan](https://github.com/arminc/clair-local-scan) to use. |
+| `CLAIR_EXECUTABLE_VERSION` | Select a custom version of [clair-scanner](https://github.com/arminc/clair-scanner) binary to use. |
+
## Example
-The following is a sample `.gitlab-ci.yml` that will build your Docker Image, push it to the container registry and run Container Scanning.
+The following is a sample `.gitlab-ci.yml` that will build your Docker image,
+push it to the Container Registry and run Container Scanning:
```yaml
variables:
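Review bot: The prose under "Overriding the Container Scanning template" tells readers to declare a `Container_scanning` job, but the example directly below it uses `container_scanning:`. Job names are case-sensitive, so a job declared with the capitalized spelling would not match the key the example uses and would not override it; change the prose to `container_scanning`. Two smaller points in the same hunk: "Because template is [evaluated before]" is missing an article ("Because the template is ..."), and the "Available variables" table would be more useful with a default-value column, so readers can see what they are replacing when they pin `CLAIR_SCAN_LOCAL_VERSION` or `CLAIR_EXECUTABLE_VERSION`.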
@@ -155,4 +199,4 @@ docker: Error response from daemon: failed to copy xattrs: failed to set xattr "
This is a result of a bug in Docker which is now [fixed](https://github.com/containerd/continuity/pull/138 "fs: add WithAllowXAttrErrors CopyOpt").
To prevent the error, ensure the Docker version that the Runner is using is
`18.09.03` or higher. For more information, see
-[issue #10241](https://gitlab.com/gitlab-org/gitlab-ee/issues/10241 "Investigate why Container Scanning is not working with NFS mounts"). \ No newline at end of file
+[issue #10241](https://gitlab.com/gitlab-org/gitlab-ee/issues/10241 "Investigate why Container Scanning is not working with NFS mounts").