Add CS_VULNERABILITY_THRESHOLD var to Container Scanning
Problem to solve
By default, the allow_failure configuration option for Container Scanning is set to true. This means that if the Container Scanning job fails, the pipeline will continue executing. If a customer prefers to alter this behaviour and have the pipeline fail in the event that vulnerabilities have been found, they'll need to override the Container Scanning template as follows:
include:
  template: Container-Scanning.gitlab-ci.yml

container_scanning:
  allow_failure: false
  script:
    - apk add jq
    - /analyzer run
    # Quoted so YAML does not read the leading "[" as a flow sequence; the job
    # fails unless the report's "vulnerabilities" array is empty.
    - "[ $(jq '.vulnerabilities | length' gl-container-scanning-report.json) -eq 0 ]"
This approach is fragile: it exposes internals of the Container Scanning tool (the report file name and its JSON layout), couples the job to the operating system of the Docker image (the apk call), and adds unnecessary friction for changing this behaviour.
To provide more flexibility, we should add a new environment variable to Container Scanning so that users can easily customize the exit code of a Container Scanning job.
Intended users
- Sasha (Software Developer)
- Devon (DevOps Engineer)
- Sidney (Systems Administrator)
- Sam (Security Analyst)
- Simone (Software Engineer in Test)
Further details
Add a new CS_VULNERABILITY_THRESHOLD environment variable to Container Scanning which represents the number of vulnerabilities that are allowed to occur before the Container Scanning tool returns a 1 exit code.
The CS_VULNERABILITY_THRESHOLD environment variable will have the following behaviour:
- If CS_VULNERABILITY_THRESHOLD has not been set, it will default to 0, which means that Container Scanning will not return a non-zero exit code when vulnerabilities have been found.
- If CS_VULNERABILITY_THRESHOLD has been set to a value > 0, then Container Scanning will return a 1 exit code if the number of vulnerabilities encountered surpasses this value. For example, if CS_VULNERABILITY_THRESHOLD has been set to 5, then a 1 exit code will be returned as soon as 6 vulnerabilities have been discovered.
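To make the threshold semantics concrete, here is an added Go example; it is not the Container Scanning project's own code (the proposal passes the value through to klar as CLAIR_THRESHOLD rather than reimplementing the check). It counts the entries of a gl-container-scanning-report.json payload, the same signal the jq workaround above uses, and derives the job exit code; the names evaluate, parseThreshold and exitCode and the sample report are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"strconv"
)

// sampleReport is a constructed stand-in for gl-container-scanning-report.json with three findings.
var sampleReport = []byte(`{"vulnerabilities":[{"id":"a"},{"id":"b"},{"id":"c"}]}`)

// parseThreshold: unset (empty) CS_VULNERABILITY_THRESHOLD means 0; negative or non-numeric is rejected.
func parseThreshold(value string) (int, error) {
	if value == "" {
		return 0, nil
	}
	n, err := strconv.Atoi(value)
	if err != nil || n < 0 {
		return 0, fmt.Errorf("invalid CS_VULNERABILITY_THRESHOLD %q", value)
	}
	return n, nil
}

// exitCode is 1 only when threshold > 0 and the count surpasses it; threshold 0 never fails the job.
func exitCode(vulnCount, threshold int) int {
	if threshold > 0 && vulnCount > threshold {
		return 1
	}
	return 0
}

// evaluate counts the report's "vulnerabilities" entries and returns the job exit code (2 = bad input).
func evaluate(reportJSON []byte, thresholdEnv string) (int, error) {
	var r struct {
		Vulnerabilities []json.RawMessage `json:"vulnerabilities"`
	}
	if err := json.Unmarshal(reportJSON, &r); err != nil {
		return 2, err
	}
	threshold, err := parseThreshold(thresholdEnv)
	if err != nil {
		return 2, err
	}
	return exitCode(len(r.Vulnerabilities), threshold), nil
}

func main() {
	code, _ := evaluate(sampleReport, os.Getenv("CS_VULNERABILITY_THRESHOLD")) // on error code is already 2
	os.Exit(code)
}
```

Run with CS_VULNERABILITY_THRESHOLD=2 to see exit status 1 for the three sample findings, and unset or =3 to see 0.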
Proposal
- Update environment.go in the GitLab Container Scanning project to remove the hardcoded envVarVulnerabilityThreshold and allow this option to be configured. This value will be passed on to the klar binary as CLAIR_THRESHOLD.
- Update the Available Variables section of the Container Scanning documentation to include the new CS_VULNERABILITY_THRESHOLD variable.
- Add a new Configuring allow_failure section to the Container Scanning documentation, explaining how allow_failure functions by default and how to override the behaviour by setting CS_VULNERABILITY_THRESHOLD to cause a pipeline to halt if vulnerabilities have been found.
- Add a test to the Container Scanning test project to show that this new CS_VULNERABILITY_THRESHOLD variable functions as expected.