Docker Image Created by GitLab different than what Dockerfile creates in project
Summary
I cloned an OWASP Web Application project (OWASP Benchmark) into gitlab at: https://gitlab.com/wichers/benchmark
And the first thing I did was to enable the AppSec tools scanner w/AutoDevOps enabled. Most of the scans ran fine. But I was wondering how GitLab automagically created the Docker image and where it put it. I eventually found it at: registry.gitlab.com/wichers/benchmark/master:latest, but after some investigation, determined that this image is somewhat different than what the project's Dockerfile generates on it's own.
Steps to reproduce
This project has a Dockerfile at: https://gitlab.com/wichers/benchmark/-/blob/master/VMs/Dockerfile
And there is a script to use it at: https://gitlab.com/wichers/benchmark/-/blob/master/VMs/buildDockerImage.sh
As the project owner, I've recently used this build script to build a recent Docker image, tag it, then publish it to the docker registry at: https://hub.docker.com/r/wichers/benchmark
GitLab AutoDevops apparently automagically found the Docker file referenced above, built an image somehow, and then pushed it to: registry.gitlab.com/wichers/benchmark/master:latest
And then ran container security analysis against this image. However, I was wondering how similar the GitLab generated image was to how the project's generated image is. The first thing I noticed in the GitLab image was 1.6G but mine is only 1.2G. But I wanted to determine the actual differences inside the images, so I found a tool called: container-diff, which you can read about and download from: https://github.com/GoogleContainerTools/container-diff. This tool can analyze the internals of Docker images to compare them to each other (Pretty cool actually).
Once you have this tool installed and working per it's instructions, you can 'diff' the GitLab Benchmark image and the one I generated and published to the Docker registry using this command:
container-diff diff remote://registry.gitlab.com/wichers/benchmark/master:latest remote://wichers/benchmark:latest --type=file --type=rpm --type=pip --type=apt --type=node > benchmarkContainerDiffResults.txt
The above pulls the images from the 2 repos online so you don't have to have pulled them to your local Docker registry.
When you look inside the benchmarkContainerDiffResults.txt file, you'll notice there are lots of things that are only in the GitLab image that are NOT in the wichers/benchmark:latest image.
Given this is true, the container_scanner could find security issues in this NEW items and report them as things to be fixed, when they don't actually exist in the image the project is using.
Any clue why the GitLab generated image is different and is there a way to get those 'extra things' to not be included? Is this a BUG in GitLab? A configuration issue on my part?
What is the current bug behavior?
The Docker images are significantly different and should not be.
What is the expected correct behavior?
There should be nothing new in the GitLab image not present in the benchmark:latest image generated by the project.
Output of checks
This bug happens on GitLab.com
Possible fixes
No idea.