Update Container Scanning integration test to check all supported architectures
Summary
We need to update the Container Scanning integration test to check the following supported architectures, so as not to allow regression bugs like this one in the future:
- Alpine
- Debian
- Centos
- Red Hat Enterprise Linux
- Red Hat UBI
- Oracle Linux
- Amazon Linux
- Ubuntu
- openSUSE Leap (trivy only)
- [-] SUSE Enterprise Linux (trivy only, no vulnerable images available)
- Photon OS (trivy only)
- Distroless
Rather than scanning one image after another, we can possibly scan all images at once, since Change location fingerprint for Container Scanning has been completed.
Improvements
This change will help prevent regression issues in the future.
Involved components
Implementation plan
- backend: Add integration tests as `_spec.rb` files with corresponding Dockerfiles for each distro (first find a proper image tag that contains a vulnerability; look for tags that are not likely to be updated).
Optionally (next step):
- backend: Refactor the specs and the `.gitlab-ci.yml` file to accept a list of distros that we want to test; then we will be able to quickly add support for a new version without creating new spec files:
```yaml
.scanners-matrix:
  parallel:
    matrix:
      - SCANNER: [trivy, grype]
        DOCKERFILE_SOURCE: [Dockerfile, Dockerfile.ubi]
        INTEGRATION_TESTS:
          - debian:buster
          - alpine:3.12.0
          - proton:8.4
          - almalinux:8.2
          - amazonlinux:8.5
          - other-distro:111.111
```
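The regression the matrix above is meant to catch is a scanner that silently stops recognizing a distro (no OS detected, or an OS detected with zero findings on an image known to be vulnerable). The check below is an added example, not GitLab's own spec code: it takes a per-image scanner report and classifies each image as `:ok` or as a named failure, which a `_spec.rb` could assert on for every entry in the distro list. It assumes the trivy JSON report shape (`Metadata.OS.Family`, `Results[].Class`, `Results[].Vulnerabilities`); the reports and the CVE id are constructed placeholders.

```ruby
require 'json'

# Constructed sample reports keyed by image, in the shape trivy's JSON output
# uses. In a real spec these would come from running the scanner on the image
# built from each distro's Dockerfile. CVE-0000-0001 is a placeholder id.
SAMPLE_REPORTS = {
  'alpine:3.12.0' => <<~JSON,
    {"Metadata":{"OS":{"Family":"alpine","Name":"3.12.0"}},
     "Results":[{"Target":"alpine:3.12.0 (alpine 3.12.0)","Class":"os-pkgs",
       "Vulnerabilities":[{"VulnerabilityID":"CVE-0000-0001","PkgName":"musl","Severity":"HIGH"}]}]}
  JSON
  'debian:buster' => <<~JSON,
    {"Metadata":{"OS":{"Family":"debian","Name":"10.4"}},
     "Results":[{"Target":"debian:buster (debian 10.4)","Class":"os-pkgs","Vulnerabilities":[]}]}
  JSON
  'other-distro:111.111' => <<~JSON
    {"Metadata":{},"Results":[]}
  JSON
}.freeze

# Classify one report: :ok when the OS family was detected and at least one
# OS-package vulnerability was reported on an image chosen to be vulnerable;
# otherwise a symbol naming what went wrong, so the spec failure is readable.
def classify_report(json)
  report = JSON.parse(json)
  family = report.dig('Metadata', 'OS', 'Family')
  return :os_not_detected if family.nil? || family.empty?

  os_results = (report['Results'] || []).select { |r| r['Class'] == 'os-pkgs' }
  return :no_os_results if os_results.empty?

  vulns = os_results.sum { |r| (r['Vulnerabilities'] || []).size }
  vulns.zero? ? :no_vulnerabilities : :ok
end

# Run the check over the whole distro matrix: {image => status}.
def check_matrix(reports)
  reports.transform_values { |json| classify_report(json) }
end

# Only the images that did not come back :ok; an empty hash means no regression.
def regressions(reports)
  check_matrix(reports).reject { |_, status| status == :ok }
end

if __FILE__ == $PROGRAM_NAME
  regressions(SAMPLE_REPORTS).each { |image, status| puts "#{image}: #{status}" }
end
```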