Container Scanning analyzer for Clair

Problem to solve

Following discovery done in https://gitlab.com/gitlab-org/gitlab-ee/issues/13068, implement the Container Scanning analyzer for Clair.

Intended users

Further details

The current implementation of container scanning uses clair-scanner and therefore requires docker-in-docker, which is not ideal. We discovered in https://gitlab.com/gitlab-org/gitlab-ee/issues/13068 that we can use another tool called klar to streamline the container scanning process and avoid docker-in-docker.

Proposal

  1. Create a custom build image which runs the clair server as a background process (perhaps using supervisord) and does the following:
    1. Contains the klar binary and runs it against the image to be scanned
    2. Allows a whitelist to be provided and uses the same format and behaviour as the current container scanning tool
    3. Transforms the JSON report produced by klar into a format which can be parsed and displayed in the Security tab of the pipeline screen
  2. Update the Container-Scanning.gitlab-ci.yml template to use the custom build image from the above step as part of https://gitlab.com/gitlab-org/gitlab-ee/issues/11003 (completed in !16342 (merged))
  3. Update Container Scanning documentation including an explanation that the whitelist format has changed to the following (completed in !16404 (merged))
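As an added example (not the issue's or the analyzer's own code), a sketch of steps 1.2 and 1.3: filtering klar's JSON output through a clair-scanner-style whitelist and rewriting what remains into the GitLab container scanning report layout. The klar field names, the report field set and version string, and the rule for matching an image to the whitelist's image name are assumptions, not taken from this issue.

```python
import json

# Constructed sample of klar's JSON output (klar groups findings by severity);
# the field names are assumed from klar/Clair v2, not taken from this issue.
KLAR_OUTPUT = json.dumps({"Vulnerabilities": {
    "High": [{"Name": "CVE-2019-0001", "NamespaceName": "alpine:3.9", "Severity": "High",
              "Description": "constructed sample finding", "FixedBy": "1.2.3-r1",
              "FeatureName": "libfoo", "FeatureVersion": "1.2.3-r0",
              "Link": "https://example.invalid/CVE-2019-0001"}],
    "Medium": [{"Name": "CVE-2019-0002", "NamespaceName": "alpine:3.9", "Severity": "Medium",
                "Description": "accepted for this image", "FixedBy": "",
                "FeatureName": "libbar", "FeatureVersion": "2.0",
                "Link": "https://example.invalid/CVE-2019-0002"}]}})

# Whitelist in clair-scanner's layout, already parsed from its YAML into a dict:
# generalwhitelist: CVE -> reason; images: image name -> CVE -> reason.
WHITELIST = {"generalwhitelist": {"CVE-2018-9999": "not reachable"},
             "images": {"alpine": {"CVE-2019-0002": "accepted risk"}}}


def whitelisted(cve, image, whitelist):
    """True if the CVE is approved globally or for this image (registry and tag stripped; assumed rule)."""
    if cve in whitelist.get("generalwhitelist", {}):
        return True
    short_name = image.split("/")[-1].split(":")[0]
    return cve in whitelist.get("images", {}).get(short_name, {})


def klar_to_gitlab(klar_json, image, whitelist):
    """Convert klar output into a GitLab container scanning report, dropping whitelisted CVEs."""
    findings = []
    for vulns in json.loads(klar_json)["Vulnerabilities"].values():
        for v in vulns:
            if whitelisted(v["Name"], image, whitelist):
                continue  # suppressed by the whitelist, as clair-scanner does
            fix = f"Upgrade {v['FeatureName']} to {v['FixedBy']}" if v["FixedBy"] else "No fix available"
            findings.append({
                "category": "container_scanning",
                "message": f"{v['Name']} in {v['FeatureName']}",
                "description": v["Description"],
                "cve": v["Name"],
                "severity": v["Severity"],
                "solution": fix,
                "scanner": {"id": "klar", "name": "klar"},
                "location": {"dependency": {"package": {"name": v["FeatureName"]},
                                            "version": v["FeatureVersion"]},
                             "operating_system": v["NamespaceName"], "image": image},
                "identifiers": [{"type": "cve", "name": v["Name"], "value": v["Name"], "url": v["Link"]}],
                "links": [{"url": v["Link"]}],
            })
    return {"version": "2.0", "vulnerabilities": findings, "remediations": []}  # version string assumed
```

The resulting dict is what the job would write to `gl-container-scanning-report.json` as its artifact; the whitelisted medium finding is dropped while the unwhitelisted high one is kept.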

Permissions and Security

No change.

Documentation

The introduction of the Container Scanning documentation needs to be updated because it explicitly mentions clair-scanner:

If you are using GitLab CI/CD, you can check your Docker images (or more precisely the containers) for known vulnerabilities by using Clair and clair-scanner, two open source tools for Vulnerability Static Analysis for containers.

Testing

What does success look like, and how can we measure that?

Successful image scanning with whitelist support, table output in the CI job log, and the list of vulnerabilities available on the Security tab of the pipeline page.

What is the type of buyer?

GitLab Ultimate

Links / references

Edited by Adam Cohen