author | Adam Cohen <acohen@gitlab.com> | 2019-09-11 12:29:33 -0400 |
---|---|---|
committer | Adam Cohen <acohen@gitlab.com> | 2019-09-11 14:03:56 -0400 |
commit | c107c8d12215849b04f0f7b47e3ebafe1c1513bf (patch) | |
tree | 63a98a85925feac124e687411e7ececfdaa61318 | |
parent | 0abc902576a755355b1daf75e19d1f37c6ffb5ff (diff) | |
Make Container Scanning use analyzers/klar imagereplace-clair-scanner-with-klar
-rw-r--r-- | changelogs/unreleased/replace-clair-scanner-with-klar.yml | 5 | ||||
-rw-r--r-- | lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml | 51 |
2 files changed, 11 insertions, 45 deletions
diff --git a/changelogs/unreleased/replace-clair-scanner-with-klar.yml b/changelogs/unreleased/replace-clair-scanner-with-klar.yml
new file mode 100644
index 00000000000..f7aca08198f
--- /dev/null
+++ b/changelogs/unreleased/replace-clair-scanner-with-klar.yml
@@ -0,0 +1,5 @@
+---
+title: Update CS vendored template to use new CS tool
+merge_request: 32930
+author:
+type: changed
diff --git a/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml b/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml
index 2afc99d0bf8..2ad21cd1841 100644
--- a/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml
@@ -1,58 +1,19 @@
-# Read more about this feature here: https://docs.gitlab.com/ee/user/project/merge_requests/container_scanning.html
+# Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/container_scanning/
 container_scanning:
 stage: test
- image: docker:stable
+ image: registry.gitlab.com/gitlab-org/security-products/analyzers/klar:latest
 variables:
 DOCKER_DRIVER: overlay2
 DOCKER_TLS_CERTDIR: ""
- # Defining two new variables based on GitLab's CI/CD predefined variables
- # https://docs.gitlab.com/ee/ci/variables/#predefined-environment-variables
- CI_APPLICATION_REPOSITORY: $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG
- CI_APPLICATION_TAG: $CI_COMMIT_SHA
- # Prior to this, you need to have the Container Registry running for your project and setup a build job
- # with at least the following steps:
- #
- # docker build -t $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG .
- # docker push $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA
- #
- # Container Scanning deals with Docker images only so no need to import the project's Git repository:
+ # override this variable in your .gitlab-ci.yml file and set to `fetch` if you want to provide a clair-whitelist.yaml file
 GIT_STRATEGY: none
- # Services and containers running in the same Kubernetes pod are all sharing the same localhost address
- # https://docs.gitlab.com/runner/executors/kubernetes.html
- DOCKER_SERVICE: docker
- DOCKER_HOST: tcp://${DOCKER_SERVICE}:2375/
- # https://hub.docker.com/r/arminc/clair-local-scan/tags
- CLAIR_LOCAL_SCAN_VERSION: v2.0.8_0ed98e9ead65a51ba53f7cc53fa5e80c92169207
- CLAIR_EXECUTABLE_VERSION: v12
- CLAIR_EXECUTABLE_SHA: 44f2a3fdd7b0d102c98510e7586f6956edc89ab72c6943980f92f4979f7f4081
- ## Disable the proxy for clair-local-scan, otherwise Container Scanning will
- ## fail when a proxy is used.
- NO_PROXY: ${DOCKER_SERVICE},localhost
 allow_failure: true
 services:
- - docker:stable-dind
+ - name: arminc/clair-db:latest
+ alias: clair-vulnerabilities-db
 script:
- - if [[ -n "$KUBERNETES_PORT" ]]; then { export DOCKER_SERVICE="localhost" ; export DOCKER_HOST="tcp://${DOCKER_SERVICE}:2375" ; } fi
- - |
- if [[ -n "$CI_REGISTRY_USER" ]]; then
- echo "Logging to GitLab Container Registry with CI credentials..."
- docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
- echo ""
- fi
- - docker run -d --name db arminc/clair-db:latest
- - docker run -p 6060:6060 --link db:postgres -d --name clair --restart on-failure arminc/clair-local-scan:${CLAIR_LOCAL_SCAN_VERSION}
- - apk add -U wget ca-certificates
- - docker pull ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG}
- - wget https://github.com/arminc/clair-scanner/releases/download/${CLAIR_EXECUTABLE_VERSION}/clair-scanner_linux_amd64
- - echo "${CLAIR_EXECUTABLE_SHA} clair-scanner_linux_amd64" | sha256sum -c
- - mv clair-scanner_linux_amd64 clair-scanner
- - chmod +x clair-scanner
- - touch clair-whitelist.yml
- - retries=0
- - echo "Waiting for clair daemon to start"
- - while( ! wget -T 10 -q -O /dev/null http://${DOCKER_SERVICE}:6060/v1/namespaces ) ; do sleep 1 ; echo -n "." ; if [ $retries -eq 10 ] ; then echo " Timeout, aborting." ; exit 1 ; fi ; retries=$(($retries+1)) ; done
- - ./clair-scanner -c http://${DOCKER_SERVICE}:6060 --ip $(hostname -i) -r gl-container-scanning-report.json -l clair.log -w clair-whitelist.yml ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG} || true
+ - echo "Starting Container Scan"
 artifacts:
 reports:
 container_scanning: gl-container-scanning-report.json |
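Review bot: The new `image:` line pulls the analyzer from the mutable `:latest` tag, and the new `services:` entry does the same for `arminc/clair-db:latest`, whereas the script being removed pinned `CLAIR_LOCAL_SCAN_VERSION`/`CLAIR_EXECUTABLE_VERSION` and checked the scanner binary with `sha256sum -c` — so the component that produces the security report becomes an unpinned, unverified supply-chain dependency. For the vulnerability database `latest` is a defensible freshness trade-off, but the analyzer should be pinned to a versioned tag or an `@sha256:` digest, or the tag should at least come from a variable defaulted in `variables:` so users can pin it, e.g. `image: registry.gitlab.com/gitlab-org/security-products/analyzers/klar:${CS_ANALYZER_VERSION}`. The added comment refers to `clair-whitelist.yaml` while the removed script passed `-w clair-whitelist.yml`; confirm which filename the klar image reads and make the comment match, since a wrong extension would presumably leave the whitelist silently ignored. The `script:` now only echoes and nothing visible in the hunk writes `gl-container-scanning-report.json`; if the image entrypoint performs the scan, that deserves a comment such as `# the scan is run by the image entrypoint and writes gl-container-scanning-report.json`. `DOCKER_DRIVER` and `DOCKER_TLS_CERTDIR` remain in `variables:` although no docker service is left, and can be dropped.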