Enable operational container scanning to scan container images from private registries
What does this MR do and why?
This MR adds support to scan private images configured with imagePullSecrets.
Specifically, these are the steps implemented to scan private images:
- Trivy scanner pod retrieves the `ImagePullSecret` of each image in the namespace and creates a new secret to store the credentials in the `gitlab-agent` namespace
- Store the credentials as keys `usernames` and `passwords` in the secret
  - In the scenario where there are multiple secrets, they will be delimited with `,` as described in Trivy's docs.
- Define `TRIVY_PASSWORD` and `TRIVY_USERNAME` as env variables referencing the respective keys in the secret created above in the Trivy Scanner Pod spec
- Once scan is complete, delete the secret
How to set up and validate locally
- Create a container that uses a private image in your cluster. See steps 1-4
- Start an operational container scan for your project
- Validate that vulnerabilities are created for the private image
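As an added example (not code from this MR or from the GitLab agent project), the Go program below shows the credential handling the steps above describe: it parses `kubernetes.io/dockerconfigjson` pull secrets, including the base64 `auth` form that carries `username:password` in one field, and produces the comma-delimited `usernames` and `passwords` keys that `TRIVY_USERNAME` and `TRIVY_PASSWORD` reference. The type names, function names, registry hosts and the two sample pull secrets are constructed for this illustration; creating the Secret in the `gitlab-agent` namespace, wiring it into the pod spec and deleting it after the scan is left to the agent's client-go code.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// dockerConfigJSON mirrors the ".dockerconfigjson" payload of a kubernetes.io/dockerconfigjson secret.
type dockerConfigJSON struct {
	Auths map[string]dockerAuthEntry `json:"auths"`
}

type dockerAuthEntry struct {
	Username string `json:"username"`
	Password string `json:"password"`
	Auth     string `json:"auth"` // base64("username:password"); used when the fields above are empty
}

type registryCredential struct{ Registry, Username, Password string }

// parsePullSecret extracts every credential from one pull secret payload,
// accepting both the explicit username/password form and the "auth" form.
func parsePullSecret(raw []byte) ([]registryCredential, error) {
	var cfg dockerConfigJSON
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return nil, fmt.Errorf("invalid .dockerconfigjson: %w", err)
	}
	var creds []registryCredential
	for registry, entry := range cfg.Auths {
		user, pass := entry.Username, entry.Password
		if user == "" && pass == "" && entry.Auth != "" {
			decoded, err := base64.StdEncoding.DecodeString(entry.Auth)
			if err != nil {
				return nil, fmt.Errorf("registry %s: bad auth field: %w", registry, err)
			}
			parts := strings.SplitN(string(decoded), ":", 2) // the password itself may contain ':'
			if len(parts) != 2 {
				return nil, fmt.Errorf("registry %s: auth field is not user:password", registry)
			}
			user, pass = parts[0], parts[1]
		}
		if user == "" || pass == "" {
			return nil, fmt.Errorf("registry %s: no usable credentials", registry)
		}
		creds = append(creds, registryCredential{registry, user, pass})
	}
	// Map iteration order is random; sort so the output is deterministic.
	sort.Slice(creds, func(i, j int) bool { return creds[i].Registry < creds[j].Registry })
	return creds, nil
}

// buildScannerSecretData returns the "usernames" and "passwords" keys of the scanner
// secret. Trivy reads TRIVY_USERNAME / TRIVY_PASSWORD as comma-separated lists, so the
// n-th username must line up with the n-th password.
func buildScannerSecretData(pullSecrets [][]byte) (map[string][]byte, error) {
	var usernames, passwords []string
	for i, raw := range pullSecrets {
		creds, err := parsePullSecret(raw)
		if err != nil {
			return nil, fmt.Errorf("pull secret %d: %w", i, err)
		}
		for _, c := range creds {
			// A ',' inside a value would shift every later pair out of alignment; refuse it.
			if strings.ContainsAny(c.Username+c.Password, ",") {
				return nil, fmt.Errorf("pull secret %d: credential for %s contains ','", i, c.Registry)
			}
			usernames = append(usernames, c.Username)
			passwords = append(passwords, c.Password)
		}
	}
	if len(usernames) == 0 {
		return nil, fmt.Errorf("no credentials found in %d pull secret(s)", len(pullSecrets))
	}
	return map[string][]byte{
		"usernames": []byte(strings.Join(usernames, ",")),
		"passwords": []byte(strings.Join(passwords, ",")),
	}, nil
}

// samplePullSecrets builds two constructed pull secrets: explicit fields, then "auth" only.
func samplePullSecrets() [][]byte {
	auth := base64.StdEncoding.EncodeToString([]byte("bob:s3cret"))
	return [][]byte{
		[]byte(`{"auths":{"registry.example.com":{"username":"alice","password":"hunter2"}}}`),
		[]byte(fmt.Sprintf(`{"auths":{"ghcr.example.org":{"auth":"%s"}}}`, auth)),
	}
}

func main() {
	data, err := buildScannerSecretData(samplePullSecrets())
	if err != nil {
		panic(err)
	}
	// These two keys back TRIVY_USERNAME and TRIVY_PASSWORD via secretKeyRef in the scanner pod spec.
	fmt.Printf("usernames=%s\npasswords=%s\n", data["usernames"], data["passwords"])
}
```

The two maps are joined with `,` in the same order, which is what keeps the n-th username paired with the n-th password once Trivy splits the variables; a comma inside a credential would silently misalign every later pair, so the example refuses such a secret instead of emitting it. An empty result is also an error, because a scanner pod with empty `TRIVY_USERNAME` would simply fail to pull with no hint as to why.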
Merge request reports
Activity
changed milestone to %16.2
assigned to @smtan
1 Warning: Please add a merge request subtype to this merge request.
Reviewer roulette
Changes that require review have been detected! A merge request is normally reviewed by both a reviewer and a maintainer in its primary category and by a maintainer in all other categories.
To spread load more evenly across eligible reviewers, Danger has picked a candidate for each review slot. Feel free to override these selections if you think someone else would be better-suited or use the GitLab Review Workload Dashboard to find other available reviewers.
To read more on how to use the reviewer roulette, please take a look at the Engineering workflow and code review guidelines. Please consider assigning a reviewer or maintainer who is a domain expert in the area of the merge request.
Once you've decided who will review this merge request, mention them as you normally would! Danger does not automatically notify them for you.
Reviewer: No reviewer available
Maintainer: Mikhail Mazurskiy (@ash2k) (UTC+10)
If needed, you can retry the `danger-review` job that generated this comment.
Generated by Danger
Hi @nilieskou, this is the MR I mentioned to address this issue. FYI that I'm still left with adding tests for `secrets.go` and updating `scanner_test.go` as well as polishing things up, but I'd appreciate any comments in the meantime.
- Resolved by Shao Ming Tan
Hi @smtan. I went through the MR. Great work. I have some comments. Take a look.
added 2 commits