Container Scanning exits with success status when vulnerabilities are found
Summary
I've just discovered that the GitLab Container Scanning tool is exiting with a success status code of 0 regardless of whether vulnerabilities have been found or not.
In a Container Scanning job which uses the default settings, this won't have much of an impact, but if a user were to override the allow_failure option and set it to false, then the job would not fail as expected.
Steps to reproduce
Create a new project with a .gitlab-ci.yml file containing:
```yaml
include:
  - template: Container-Scanning.gitlab-ci.yml

container_scanning:
  variables:
    CI_APPLICATION_REPOSITORY: "alpine"
    CI_APPLICATION_TAG: "3.9.2"
    DOCKER_USER: ""
    DOCKER_PASSWORD: ""
  allow_failure: false
```
Example Project
https://gitlab.com/adamcohen/test-allow-failure-in-cs/-/tree/test-allow-failure
What is the current bug behavior?
Container Scanning job succeeds
What is the expected correct behavior?
Container Scanning job fails
Relevant logs and/or screenshots
https://gitlab.com/adamcohen/test-allow-failure-in-cs/-/jobs/479147073
```text
[ERRO] ▶ Image [alpine:3.9.2] contains 1 unapproved vulnerabilities
+------------+---------------------+--------------+-----------------+---------------------------------------------------------------+
|   STATUS   |    CVE SEVERITY     | PACKAGE NAME | PACKAGE VERSION |                        CVE DESCRIPTION                        |
+------------+---------------------+--------------+-----------------+---------------------------------------------------------------+
| Unapproved | High CVE-2019-14697 | musl         | 1.1.20-r3       | musl:1.1.20-r3 is affected by CVE-2019-14697                  |
|            |                     |              |                 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14697 |
+------------+---------------------+--------------+-----------------+---------------------------------------------------------------+
Running after script
Uploading artifacts for successful job
Uploading artifacts...
gl-container-scanning-report.json: found 1 matching files
Uploading artifacts to coordinator... ok  id=478894136 responseStatus=201 Created token=ANXWvwFC
Job succeeded
```
The above job should fail, but it succeeds.
Output of checks
This bug happens on GitLab.com
Edited by Adam Cohen
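Until the scanner's exit status is fixed, the job above cannot act as a gate on its own: `allow_failure: false` only matters if the script exits non-zero. A workaround is a small gate that reads the `gl-container-scanning-report.json` artifact the job already uploads and exits 1 when any finding meets a severity threshold. The script below is an added example, not GitLab's or the reporter's code; it assumes the report is JSON with a top-level `vulnerabilities` list whose entries carry a `severity` string and a `location.dependency` block (the field layout, the severity ordering and the sample report are assumptions, the sample being constructed to mirror the single musl finding in the job log):

```python
#!/usr/bin/env python3
"""Fail a CI job when the Container Scanning report lists vulnerabilities.

Added example (not GitLab's code). Reads gl-container-scanning-report.json
and exits non-zero when a finding is at or above a severity threshold, so a
job running this script really does fail when allow_failure is false.
Assumed report layout: {"vulnerabilities": [{"severity": ..., "cve": ...,
"location": {"dependency": {"package": {"name": ...}, "version": ...},
"image": ...}}, ...]}.
"""
import json
import sys

# Assumed severity ordering used for the threshold comparison. A severity
# string the report uses that is not listed here is ranked like "Unknown".
SEVERITY_RANK = {"Unknown": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Constructed sample report mirroring the one musl finding shown in the job log.
SAMPLE_REPORT = {
    "version": "2.3",
    "vulnerabilities": [
        {
            "category": "container_scanning",
            "message": "CVE-2019-14697 in musl",
            "cve": "CVE-2019-14697",
            "severity": "High",
            "location": {
                "dependency": {"package": {"name": "musl"}, "version": "1.1.20-r3"},
                "image": "alpine:3.9.2",
            },
        }
    ],
}


def findings_at_or_above(report, threshold="High"):
    """Return the findings whose severity ranks at or above `threshold`.

    Findings with an unrecognised severity rank as "Unknown" (0); pass
    threshold="Unknown" to block on every finding, including those.
    """
    floor = SEVERITY_RANK[threshold]
    hits = []
    for vuln in report.get("vulnerabilities", []):
        rank = SEVERITY_RANK.get(vuln.get("severity", "Unknown"), 0)
        if rank >= floor:
            hits.append(vuln)
    return hits


def describe(vuln):
    """One-line summary of a finding: severity, CVE, package:version, image."""
    loc = vuln.get("location", {})
    dep = loc.get("dependency", {})
    pkg = dep.get("package", {}).get("name", "?")
    ver = dep.get("version", "?")
    sev = vuln.get("severity", "Unknown")
    cve = vuln.get("cve", "?")
    return "%-8s %s %s:%s (%s)" % (sev, cve, pkg, ver, loc.get("image", "?"))


def gate_exit_code(report, threshold="High"):
    """Exit status the CI job should end with: 0 when clean, 1 when blocked."""
    return 1 if findings_at_or_above(report, threshold) else 0


def main(argv):
    # Usage: gate.py [path-to-report.json] [threshold]; no path uses the sample.
    path = argv[1] if len(argv) > 1 else None
    threshold = argv[2] if len(argv) > 2 else "High"
    if path is None:
        report = SAMPLE_REPORT
    else:
        with open(path) as fh:
            report = json.load(fh)
    hits = findings_at_or_above(report, threshold)
    for vuln in hits:
        print("BLOCKED:", describe(vuln))
    if hits:
        print("%d finding(s) at or above %s; failing the job" % (len(hits), threshold))
    else:
        print("no findings at or above %s" % threshold)
    return gate_exit_code(report, threshold)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from a job in a later stage that depends on the `container_scanning` job's artifact (for example `script: python3 gate.py gl-container-scanning-report.json High`); because the exit status comes from the gate rather than the scanner, that job fails on findings regardless of what the scanner itself returns, and `allow_failure: false` behaves as expected there.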