Container scanning doesn't work with kaniko
Summary
When building images with kaniko, the Clair CVE scanner doesn't work.
Steps to reproduce
Use Container-Scanning.gitlab-ci.yml with kaniko as mentioned in your docs.
Configuration used
```yaml
stages:
  - docker-build-push # to run on kaniko branch
  - test

docker-build-push:
  # https://docs.gitlab.com/ee/ci/docker/using_kaniko.html#building-a-docker-image-with-kaniko
  only:
    refs: # branches to run on
      - master
      - dev
  stage: docker-build-push
  image:
    name: gcr.io/kaniko-project/executor:debug-v0.16.0
    entrypoint: [""]
  before_script:
    - |
      echo "-----BEGIN CERTIFICATE-----
      .......
      -----END CERTIFICATE-----" >> /kaniko/ssl/certs/additional-ca-cert-bundle.crt
  script:
    - echo "{\"auths\":{\"$COMPANY_REGISTRY\":{\"auth\":\"$(echo -n $COMPANY_REGISTRY_USER:$COMPANY_REGISTRY_PASSWORD | base64)\"}}}" > /kaniko/.docker/config.json
    # for each tag that you want to add append '--destination $COMPANY_REGISTRY_IMAGE' at the end of the below line
    - /kaniko/executor --context $COMPANY_PROJECT_DIR --dockerfile $COMPANY_PROJECT_DIR/$DOCKERFILENAME --destination $COMPANY_REGISTRY_IMAGE
  variables:
    DOCKERFILENAME: Dockerfile
    # registry/project/image:tag
    COMPANY_REGISTRY_IMAGE: registry.COMPANY.com/project/buildock:test
    COMPANY_PROJECT_DIR: .

include:
  - template: Security/Container-Scanning.gitlab-ci.yml

# project/global variables
variables:
  CLAIR_OUTPUT: High
  DOCKER_DRIVER: overlay2

container_scanning:
  stage: docker-build-push
```
Current behavior
The image gets pushed, but there is no output from Clair or the scanner, as if it doesn't exist in the CI file.
Expected behavior
The CVE scanner output is displayed in log.
Versions
- Chart: 13.0 is the GitLab version
- Platform:
- Self-hosted: (RKE)
Relevant logs
No logs from the scanner.
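As an added example (not the reporter's configuration and not GitLab's template), the configuration below shows the two things the scan job needs regardless of how the image is built: it has to run in a stage after the push has finished, and it has to be told which image to pull, since the template's defaults point at the GitLab registry rather than the `registry.COMPANY.com` image this pipeline pushes. `CI_APPLICATION_REPOSITORY`, `CI_APPLICATION_TAG`, `DOCKER_USER` and `DOCKER_PASSWORD` are assumed from the Container Scanning template's documented variables; the `docker-build-push` job is the one from the report and is omitted here.

```yaml
stages:
  - docker-build-push
  - test

include:
  - template: Security/Container-Scanning.gitlab-ci.yml

# docker-build-push: unchanged from the reported configuration (kaniko build and push)

container_scanning:
  # Jobs in the same stage run in parallel, so a scan placed in the
  # docker-build-push stage starts before the image exists. The template
  # already defaults this job to `test`; keep it there and declare the
  # dependency explicitly.
  stage: test
  needs: ["docker-build-push"]
  variables:
    # Assumed template variables: the image the scanner pulls, split into
    # repository and tag (the report's COMPANY_REGISTRY_IMAGE with ":test" removed).
    CI_APPLICATION_REPOSITORY: registry.COMPANY.com/project/buildock
    CI_APPLICATION_TAG: test
    # Assumed template variables: credentials for a registry that requires login,
    # reusing the CI variables the build job already consumes.
    DOCKER_USER: $COMPANY_REGISTRY_USER
    DOCKER_PASSWORD: $COMPANY_REGISTRY_PASSWORD
    CLAIR_OUTPUT: High
```

A scan job that is skipped or never scheduled leaves the pipeline green with no report at all, so verify that `container_scanning` appears in the pipeline's job list and produces a `gl-container-scanning-report.json` artifact rather than judging from the build job's log alone.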