Use environment variable for Container Scanning Air gapped configuration
Problem to solve
The MVC of air-gap for Container Scanning requires overriding the job image, which creates tight coupling with the job name.
Updating the image value of the Container-Scanning.gitlab-ci.yml template to allow configuring the Docker image location via an environment variable SECURITY_SCANNER_IMAGE_PREFIX, like what we've done for Dependency Scanning, will remove that coupling and provide a better UX, as it will be consistent for all security features:
    variables:
      CS_MAJOR_VERSION: 2
      SECURITY_SCANNER_IMAGE_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"

    container_scanning:
      stage: test
      image: $SECURITY_SCANNER_IMAGE_PREFIX/klar:$CS_MAJOR_VERSION
- update user documentation at https://docs.gitlab.com/ee/user/application_security/container_scanning/index.html#running-container-scanning-in-an-offline-air-gapped-installation
Availability & Testing
What does success look like, and how can we measure that?
Air gapped support for Container Scanning can be configured without overriding the job definition.
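How a project's .gitlab-ci.yml would change under this proposal, as an added example that is not part of the original issue. The registry host and path registry.example.internal:5000/analyzers are constructed placeholders for a local mirror.

```yaml
# .gitlab-ci.yml of a project in an offline (air-gapped) installation.
# registry.example.internal:5000/analyzers is a constructed placeholder for
# the local registry path that mirrors the analyzer images.

include:
  - template: Container-Scanning.gitlab-ci.yml

# Before: the MVC approach overrides the job itself, so this key must match
# the job name used inside the template and breaks if that job is renamed.
#
# container_scanning:
#   image: registry.example.internal:5000/analyzers/klar:2

# After: only the prefix is set. The template builds the image reference as
# $SECURITY_SCANNER_IMAGE_PREFIX/klar:$CS_MAJOR_VERSION, so the local mirror
# must publish the image under the name "klar" with a tag equal to
# CS_MAJOR_VERSION (2 in the proposed template).
variables:
  SECURITY_SCANNER_IMAGE_PREFIX: "registry.example.internal:5000/analyzers"
```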