Engineering Discovery: create a Container Scanning analyzer for Clair
Problem to solve
It looks like removing Docker-in-Docker from the current Container Scanning tooling is not achievable. As a consequence, we need to explore other approaches. On top of supporting multiple tools for Container Scanning analysis, having a dedicated analyzer will align with the new vision for our architecture (no orchestration layer).
Intended users
Further details
Based on this discussion, the goal of this discovery is to find a way to replace the current container scanning tool with a custom-made analyzer built directly on top of Clair, without using the intermediary clair-scanner wrapper.
Proposal
- Analyze a possible approach to wrap Clair without requiring Docker-in-Docker, as explained in https://www.nearform.com/blog/static-analysis-of-docker-image-vulnerabilities-with-clair/
What does success look like, and how can we measure that?
The outcome of this discovery is an implementation plan to replace the current tooling with an analyzer wrapping Clair.
What is the type of buyer?
Links / references
Conclusion
We've discovered that we can avoid using clair-scanner (and thus Docker-in-Docker) by switching to another tool called klar. klar will allow us to scan images hosted in the GitLab Container Registry by providing authentication details to log in to the registry and then downloading the image layers directly from the registry over HTTP.
The next steps, which will be completed in https://gitlab.com/gitlab-org/gitlab-ee/issues/13069, are:
- Create a custom build image which runs the Clair server as a background process
- Download the klar binary and run it against the image to be scanned
- Transform the JSON report produced by klar into a format which can be parsed and displayed in the Security tab of the pipeline screen
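The last step, turning klar's raw JSON into a report the Security tab can consume, is the part of the plan with the most room for mistakes (lost findings, mis-mapped severities, unstable ordering). The following Python converter is an added example written for this issue; it is not code from klar, Clair or the GitLab analyzer. The input shape assumed here (a `Vulnerabilities` object keyed by Clair severity, each entry carrying `Name`, `NamespaceName`, `Description`, `Link`, `Severity`, `FixedBy`, `FeatureName` and `FeatureVersion`) is the shape klar emits with `JSON_OUTPUT=true` as far as I know it; the output shape is modelled on the GitLab container scanning report schema, but the issue does not state a schema version, so the field names, the `"2.3"` version string and the severity mapping are assumptions. The sample report, the image name and the CVE identifiers are constructed placeholders, not real scan output.

```python
"""Convert a klar JSON report into a GitLab-style container scanning report.

Added example, not part of the original discovery issue or of klar/GitLab
code. Assumed input shape: klar's JSON_OUTPUT=true report. Assumed output
shape: modelled on the GitLab container scanning report schema (exact
field names and the version string are assumptions, not taken from the issue).
"""
import json

# Constructed sample of a klar report for a hypothetical image (not real scan
# output; the CVE ids are placeholders).
SAMPLE_KLAR_REPORT = json.dumps({
    "LayerCount": 3,
    "Vulnerabilities": {
        "High": [
            {
                "Name": "CVE-0000-0001",
                "NamespaceName": "debian:9",
                "Description": "Constructed description of a high severity issue.",
                "Link": "https://example.invalid/tracker/CVE-0000-0001",
                "Severity": "High",
                "FixedBy": "1.2.3-4",
                "FeatureName": "libexample",
                "FeatureVersion": "1.2.3-3",
            }
        ],
        "Negligible": [
            {
                "Name": "CVE-0000-0002",
                "NamespaceName": "debian:9",
                "Description": "Constructed description of a negligible issue.",
                "Link": "",
                "Severity": "Negligible",
                "FixedBy": "",
                "FeatureName": "libother",
                "FeatureVersion": "0.9",
            }
        ],
    },
})

# Clair severity names -> report severity names. Assumed mapping: Clair's
# "Defcon1" and "Negligible" have no direct equivalent, so they are folded into
# the nearest level rather than dropped, and anything unrecognised becomes
# "Unknown" so no finding is silently lost.
SEVERITY_MAP = {
    "Defcon1": "Critical",
    "Critical": "Critical",
    "High": "High",
    "Medium": "Medium",
    "Low": "Low",
    "Negligible": "Low",
    "Unknown": "Unknown",
}


def map_severity(clair_severity):
    """Map a Clair severity string onto the report's severity vocabulary."""
    return SEVERITY_MAP.get(clair_severity, "Unknown")


def convert_vulnerability(vuln, image):
    """Translate one klar vulnerability entry into one report finding."""
    fixed_by = vuln.get("FixedBy") or ""
    link = vuln.get("Link") or ""
    return {
        "category": "container_scanning",
        "message": "%s in %s" % (vuln["Name"], vuln["FeatureName"]),
        "description": vuln.get("Description", ""),
        "cve": vuln["Name"],
        "severity": map_severity(vuln.get("Severity", "Unknown")),
        "confidence": "Medium",
        # Only claim a fix when Clair actually reports a fixed version.
        "solution": ("Upgrade %s to %s" % (vuln["FeatureName"], fixed_by)) if fixed_by else "",
        "scanner": {"id": "klar", "name": "klar"},
        "location": {
            "dependency": {
                "package": {"name": vuln["FeatureName"]},
                "version": vuln.get("FeatureVersion", ""),
            },
            "operating_system": vuln.get("NamespaceName", ""),
            "image": image,
        },
        "identifiers": [{"type": "cve", "name": vuln["Name"], "value": vuln["Name"], "url": link}],
        "links": [{"url": link}] if link else [],
    }


def convert_klar_report(klar_json, image):
    """Flatten every severity bucket of a klar report into one finding list."""
    data = json.loads(klar_json)
    findings = []
    for bucket in data.get("Vulnerabilities", {}).values():
        for vuln in bucket:
            findings.append(convert_vulnerability(vuln, image))
    # klar's buckets come from a map, so sort for a stable, diffable report.
    findings.sort(key=lambda f: f["cve"])
    return {"version": "2.3", "vulnerabilities": findings}  # version string assumed


def summarize(report):
    """Count findings per severity, a cheap sanity check before publishing."""
    counts = {}
    for finding in report["vulnerabilities"]:
        counts[finding["severity"]] = counts.get(finding["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    result = convert_klar_report(SAMPLE_KLAR_REPORT, "registry.example.invalid/group/project:tag")
    print(json.dumps(result, indent=2))
    print(summarize(result))
```

Two design points worth keeping whatever the final schema turns out to be: unknown severities are kept and labelled rather than discarded, so a Clair vocabulary change shows up in the Security tab instead of quietly shrinking the result set, and the finding list is sorted so two runs on the same image produce byte-identical reports.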