Enable operational container scanning to scan container images from private registries

What does this MR do and why?

This MR adds support for scanning private images configured with imagePullSecrets.

Specifically, these are the steps implemented to scan private images:

  1. The Trivy scanner pod retrieves the imagePullSecret of each image in the namespace and creates a new secret in the gitlab-agent namespace to store the credentials.
    1. Store the credentials under the keys usernames and passwords in the secret.
    2. Where there are multiple secrets, the credentials are delimited with , as described in Trivy's docs.
  2. Define TRIVY_PASSWORD and TRIVY_USERNAME as environment variables in the Trivy scanner pod spec, referencing the respective keys of the secret created above.
  3. Once the scan is complete, delete the secret.
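The following is an added illustration of steps 1 and 2, not code from this MR or from the gitlab-agent project. It takes imagePullSecrets as the Kubernetes API returns them (constructed sample data inline, with base64-encoded .dockerconfigjson payloads covering both the "auth" and the explicit username/password forms), builds the Opaque secret with the usernames and passwords keys, and produces the TRIVY_USERNAME / TRIVY_PASSWORD env entries for the scanner pod spec. The secret name trivy-registry-creds and the helper names are assumptions; the key names and env variable names come from the description above. It also rejects a credential that itself contains a comma, since that would corrupt the comma-delimited value.

```python
import base64
import json

DOCKERCONFIG_TYPE = "kubernetes.io/dockerconfigjson"


def _encode_dockerconfig(auths):
    """Base64-encode a {"auths": ...} document the way a Secret's data field holds it."""
    return base64.b64encode(json.dumps({"auths": auths}).encode()).decode()


# Constructed sample: two imagePullSecrets from a workload namespace.
SAMPLE_PULL_SECRETS = [
    {
        "metadata": {"name": "regcred-a", "namespace": "team-a"},
        "type": DOCKERCONFIG_TYPE,
        "data": {".dockerconfigjson": _encode_dockerconfig({
            # "auth" form: base64 of "user:password"
            "registry.example.com": {"auth": base64.b64encode(b"alice:s3cret").decode()},
        })},
    },
    {
        "metadata": {"name": "regcred-b", "namespace": "team-a"},
        "type": DOCKERCONFIG_TYPE,
        "data": {".dockerconfigjson": _encode_dockerconfig({
            # explicit username/password form
            "ghcr.example.org": {"username": "bob", "password": "hunter2"},
        })},
    },
]


def extract_credentials(pull_secret):
    """Return a list of (username, password) pairs from one dockerconfigjson pull secret.

    Secrets of any other type (e.g. Opaque) are skipped rather than guessed at.
    """
    if pull_secret.get("type") != DOCKERCONFIG_TYPE:
        return []
    raw = base64.b64decode(pull_secret["data"][".dockerconfigjson"])
    auths = json.loads(raw).get("auths", {})
    creds = []
    for _registry, entry in auths.items():
        if "auth" in entry:
            user, _, password = base64.b64decode(entry["auth"]).decode().partition(":")
        else:
            user, password = entry.get("username", ""), entry.get("password", "")
        creds.append((user, password))
    return creds


def build_trivy_secret(pull_secrets, name="trivy-registry-creds", namespace="gitlab-agent"):
    """Build the Secret manifest (step 1) holding comma-delimited usernames and passwords.

    `name` and `namespace` are assumed values for this example.
    """
    users, passwords = [], []
    for pull_secret in pull_secrets:
        for user, password in extract_credentials(pull_secret):
            # A comma inside a credential would be read as a delimiter by Trivy.
            if "," in user or "," in password:
                raise ValueError("credential contains ',' and cannot be comma-delimited")
            users.append(user)
            passwords.append(password)
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "Opaque",
        "stringData": {"usernames": ",".join(users), "passwords": ",".join(passwords)},
    }


def trivy_env(secret_name="trivy-registry-creds"):
    """Env entries for the scanner pod spec (step 2), referencing the secret's keys."""
    return [
        {"name": "TRIVY_USERNAME",
         "valueFrom": {"secretKeyRef": {"name": secret_name, "key": "usernames"}}},
        {"name": "TRIVY_PASSWORD",
         "valueFrom": {"secretKeyRef": {"name": secret_name, "key": "passwords"}}},
    ]


if __name__ == "__main__":
    print(json.dumps(build_trivy_secret(SAMPLE_PULL_SECRETS), indent=2))
    print(json.dumps(trivy_env(), indent=2))
```

Because the generated secret holds cleartext registry credentials for every scanned image, it should live only as long as the scan (step 3 deletes it), and the gitlab-agent namespace RBAC should keep it readable by the scanner pod alone.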

How to set up and validate locally

  1. Create a container that uses a private image in your cluster. See steps 1-4.
  2. Start an operational container scan for your project.
  3. Validate that vulnerabilities are created for the private image.
Edited by Shao Ming Tan