
Enable operational container scanning to scan container images from private registries

What does this MR do and why?

This MR adds support for scanning private images whose pods are configured with imagePullSecrets.

Specifically, these are the steps implemented to scan private images:

  1. The Trivy scanner pod retrieves the imagePullSecret of each image in the namespace and creates a new secret in the gitlab-agent namespace to hold the credentials.
    1. The credentials are stored under the keys usernames and passwords in that secret.
    2. Where there are multiple secrets, the values are delimited with a comma (,), as described in Trivy's docs.
  2. TRIVY_USERNAME and TRIVY_PASSWORD are defined as env variables in the Trivy scanner pod spec, referencing the respective keys of the secret created above.
  3. Once the scan is complete, the secret is deleted.
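As an added illustration of steps 1 and 2 (example code, not from this MR or the gitlab-agent project), the Go function below reads an imagePullSecret's .dockerconfigjson payload, decodes the base64 auth field where a registry entry has no explicit username/password, and produces the comma-delimited values for the usernames and passwords keys that TRIVY_USERNAME and TRIVY_PASSWORD would reference. The function name, the sorted registry ordering and the rejection of credentials that themselves contain a comma are assumptions of this example.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// trivyCredentials turns an imagePullSecret's .dockerconfigjson payload into the
// comma-delimited "usernames" and "passwords" values of the scanner secret, in
// sorted registry order so that position i of both lists is the same registry.
func trivyCredentials(dockerconfigjson []byte) (usernames, passwords string, err error) {
	var cfg struct { // kubernetes.io/dockerconfigjson layout; json matches keys case-insensitively
		Auths map[string]struct{ Username, Password, Auth string } `json:"auths"`
	}
	if err := json.Unmarshal(dockerconfigjson, &cfg); err != nil {
		return "", "", err
	}
	regs := make([]string, 0, len(cfg.Auths))
	for r := range cfg.Auths {
		regs = append(regs, r)
	}
	sort.Strings(regs) // map iteration is random; fix the order so both lists line up
	var users, passes []string
	for _, r := range regs {
		a := cfg.Auths[r]
		user, pass := a.Username, a.Password
		if user == "" && a.Auth != "" { // `docker login` writes only base64("user:pass")
			raw, err := base64.StdEncoding.DecodeString(a.Auth)
			u, p, ok := strings.Cut(string(raw), ":")
			if err != nil || !ok {
				return "", "", fmt.Errorf("%s: auth field is not base64(user:pass)", r)
			}
			user, pass = u, p
		}
		// A comma inside a value would shift every later position in the list (assumed check).
		if strings.ContainsAny(user+pass, ",") {
			return "", "", fmt.Errorf("%s: credential contains the ',' delimiter", r)
		}
		users, passes = append(users, user), append(passes, pass)
	}
	return strings.Join(users, ","), strings.Join(passes, ","), nil
}

func main() { // constructed sample input, not a real credential
	u, p, err := trivyCredentials([]byte(`{"auths":{"ghcr.example":{"username":"alice","password":"hunter2"}}}`))
	fmt.Println(u, p, err)
}
```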

How to set up and validate locally

  1. Create a container that uses a private image in your cluster. See steps 1-4.
  2. Start an operational container scan for your project.
  3. Validate that vulnerabilities are created for the private image.
Edited by Shao Ming Tan

Activity

  • Nick Ilieskou
    Hi @smtan. I went through the MR. Great work. I have some comments. Take a look :ping_pong:

  • Shao Ming Tan added 2 commits

    • 3fff5c20 - refactor secrets to use original trivy operator function names
    • 5c50371c - Add test for secretReader

  • Shao Ming Tan added 2 commits

    • e31ec521 - Add more tests for secretReader
    • 279343cd - Add test cases for scanner test

  • Shao Ming Tan added 1 commit

    • b0fbf46a - Add test cases for scanner test

  • Shao Ming Tan added 1 commit

  • Shao Ming Tan added 1 commit

    • 3b50ea5e - Fix version of trivy and update ocs readme

  • Shao Ming Tan added 2 commits

    • e579d3dd - Fix test referencing wrong trivy version
    • 22768b8f - Ensure that trivy env vars are only added if scanner secret is created
