Engineering Discovery: create a Container Scanning analyzer for Clair

Problem to solve

It looks like removing Docker-in-Docker is not achievable with the current Container Scanning tooling. As a consequence, we need to explore other approaches. Beyond supporting multiple tools for Container Scanning analysis, a dedicated analyzer will also align with the new vision for our architecture (no orchestration layer).

Intended users

Further details

Based on this discussion, the goal of this discovery is to find a way to replace the current container scanning tool with a custom-made analyzer built directly on Clair, without the intermediary clair-scanner wrapper.

Proposal

What does success look like, and how can we measure that?

The outcome of this discovery is an implementation plan to replace the current tooling with an analyzer wrapping Clair.

What is the type of buyer?

GitLab Ultimate

Links / references

Conclusion

We've discovered that we can avoid using clair-scanner (and thus docker-in-docker) by switching to another tool called klar. klar will allow us to scan images hosted in the GitLab Container Registry by providing authentication details to log in to the registry and then directly downloading the image layers from the registry over HTTP.

The next steps, which will be completed in https://gitlab.com/gitlab-org/gitlab-ee/issues/13069, are:

  1. Create a custom build image which runs the clair server as a background process
  2. Download the klar binary and run it against the image to be scanned
  3. Transform the JSON report produced by klar into a format which can be parsed and displayed in the Security tab of the pipeline screen
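As an added illustration of step 3 (not code from this issue or from the analyzer it plans), the following converts a klar JSON report into a GitLab security report. Both the klar layout (LayerCount plus Vulnerabilities keyed by Clair severity) and the GitLab report field names used here are assumptions, and the sample report is constructed.

```python
import json

# Constructed sample of klar's JSON output; the layout (LayerCount plus
# Vulnerabilities keyed by Clair severity) is assumed and the values are made up.
KLAR_REPORT = {
    "LayerCount": 3,
    "Vulnerabilities": {
        "High": [{"Name": "CVE-0000-0001", "NamespaceName": "debian:9",
                  "Description": "Constructed flaw in libexample.",
                  "Link": "https://example.invalid/CVE-0000-0001", "Severity": "High",
                  "FixedBy": "1.2.3-4", "FeatureName": "libexample", "FeatureVersion": "1.2.3-3"}],
        "Negligible": [{"Name": "CVE-0000-0002", "NamespaceName": "debian:9",
                        "Description": "Constructed issue with no fix.", "Link": "",
                        "Severity": "Negligible", "FixedBy": "", "FeatureName": "zlib",
                        "FeatureVersion": "1.0"}],
    },
}

# Clair/klar severity labels mapped onto the GitLab report's vocabulary (assumed).
SEVERITY_MAP = {"Defcon1": "Critical", "Critical": "Critical", "High": "High",
                "Medium": "Medium", "Low": "Low", "Negligible": "Low", "Unknown": "Unknown"}

def convert_vuln(v, image):
    """Map one klar vulnerability entry onto one GitLab vulnerability entry."""
    name, pkg, fixed_by = v["Name"], v["FeatureName"], v.get("FixedBy") or ""
    return {
        "category": "container_scanning",
        "message": f"{name} in {pkg}",
        "description": v.get("Description", ""),
        "cve": name,
        "severity": SEVERITY_MAP.get(v.get("Severity"), "Unknown"),
        "confidence": "Medium",
        "solution": f"Upgrade {pkg} to {fixed_by}" if fixed_by else "",  # empty: no fix known
        "scanner": {"id": "klar", "name": "klar"},
        "location": {"image": image, "operating_system": v.get("NamespaceName", ""),
                     "dependency": {"package": {"name": pkg},
                                    "version": v.get("FeatureVersion", "")}},
        "identifiers": [{"type": "cve", "name": name, "value": name, "url": v.get("Link", "")}],
        "links": [{"url": v["Link"]}] if v.get("Link") else [],
    }

def convert_report(klar, image):
    """Flatten klar's per-severity buckets into one list, most severe first."""
    vulns = [convert_vuln(v, image)
             for bucket in klar.get("Vulnerabilities", {}).values() for v in bucket]
    vulns.sort(key=lambda x: ("Critical", "High", "Medium", "Low", "Unknown").index(x["severity"]))
    return {"version": "2.3", "vulnerabilities": vulns, "remediations": []}

if __name__ == "__main__":
    print(json.dumps(convert_report(KLAR_REPORT, "registry.example.invalid/app:latest"), indent=2))
```

Findings with an empty FixedBy are kept but carry no solution, so the Security tab still lists unfixed vulnerabilities instead of silently dropping them.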
Edited by Adam Cohen