
Cleaning up container scanning template based on customer issues

Why are we doing this work

There have been a couple of issues where customers had difficulty setting the proper variables for container scanning. Depending on how much information they are able to provide, supporting and helping them becomes a non-straightforward task.

In addition, the current number of variables makes various sections of our documentation a long read.

We are also approaching a release with breaking changes: (1) removing klar, (2) making trivy the default scanner, (3) adding grype as an optional scanner, (4) updating Container-Scanning.gitlab-ci.yml to support the previous points and some other things.

This puts us in a good position to simplify how the template selects the scanner by adding a single source of truth. That would reduce the number of variables to be customized, which in turn means simpler documentation, easier troubleshooting and somewhat less magic 😎

Before digging too deep into it I am considering something like the following:

diff --git a/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml b/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml
index c628e30b2c7..614762051af 100644
--- a/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml
@@ -1,60 +1,28 @@
 # Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/container_scanning/

 variables:
-  # Setting this variable will affect all Security templates
-  # (SAST, Dependency Scanning, ...)
-  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
-  CS_MAJOR_VERSION: 3
+  # CS_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
+  # override the analyzer image with a custom value. This may be subject to change or
+  # breakage across GitLab releases.
+  CS_ANALYZER_IMAGE: "registry.gitlab.com/gitlab-org/security-products/analyzers/container-scanning:4"
+  # Override the GIT_STRATEGY variable in your `.gitlab-ci.yml` file and set it to `fetch` if you want to provide a `vulnerability-allowlist.yml`
+  # file. See https://docs.gitlab.com/ee/user/application_security/container_scanning/index.html#overriding-the-container-scanning-template
+  # for details
+  GIT_STRATEGY: none

-.cs_common:
+container_scanning:
   stage: test
   image: "$CS_ANALYZER_IMAGE"
-  variables:
-    # Override the GIT_STRATEGY variable in your `.gitlab-ci.yml` file and set it to `fetch` if you want to provide a `clair-whitelist.yml`
-    # file. See https://docs.gitlab.com/ee/user/application_security/container_scanning/index.html#overriding-the-container-scanning-template
-    # for details
-    GIT_STRATEGY: none
-    # CS_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
-    # override the analyzer image with a custom value. This may be subject to change or
-    # breakage across GitLab releases.
-    CS_ANALYZER_IMAGE: $SECURE_ANALYZERS_PREFIX/$CS_PROJECT:$CS_MAJOR_VERSION
-  allow_failure: true
-  artifacts:
-    reports:
-      container_scanning: gl-container-scanning-report.json
-  dependencies: []
-
-container_scanning:
-  extends: .cs_common
-  variables:
-    # By default, use the latest clair vulnerabilities database, however, allow it to be overridden here with a specific image
-    # to enable container scanning to run offline, or to provide a consistent list of vulnerabilities for integration testing purposes
-    CLAIR_DB_IMAGE_TAG: "latest"
-    CLAIR_DB_IMAGE: "$SECURE_ANALYZERS_PREFIX/clair-vulnerabilities-db:$CLAIR_DB_IMAGE_TAG"
-    CS_PROJECT: 'klar'
-  services:
-    - name: $CLAIR_DB_IMAGE
-      alias: clair-vulnerabilities-db
-  script:
-    - /analyzer run
-  rules:
-    - if: $CONTAINER_SCANNING_DISABLED
-      when: never
-    - if: $CI_COMMIT_BRANCH &&
-          $GITLAB_FEATURES =~ /\bcontainer_scanning\b/ &&
-          $CS_MAJOR_VERSION =~ /^[0-3]$/
-
-container_scanning_new:
-  extends: .cs_common
-  variables:
-    CS_PROJECT: 'container-scanning'
   script:
     - gtcs scan
   artifacts:
     paths: [gl-container-scanning-report.json]
+    reports:
+      container_scanning: gl-container-scanning-report.json
+  allow_failure: true
+  dependencies: []
   rules:
     - if: $CONTAINER_SCANNING_DISABLED
       when: never
     - if: $CI_COMMIT_BRANCH &&
-          $GITLAB_FEATURES =~ /\bcontainer_scanning\b/ &&
-          $CS_MAJOR_VERSION !~ /^[0-3]$/
+          $GITLAB_FEATURES =~ /\bcontainer_scanning\b/
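Review bot: moving `GIT_STRATEGY: none` from the job's `variables:` into the template's top-level `variables:` block (the `+  GIT_STRATEGY: none` line next to `CS_ANALYZER_IMAGE`) changes its scope: top-level variables of an included template are merged into the including pipeline's global variables, so every job in a project that includes this template would skip its repository checkout unless it sets its own `GIT_STRATEGY`. Keep it under `container_scanning:` as the removed lines had it. Also, the comment kept above `CS_ANALYZER_IMAGE` still calls it "an undocumented variable used internally to allow QA to override the analyzer image", which no longer matches its new role as the single documented knob for the image; reword it, and since `SECURE_ANALYZERS_PREFIX` is dropped here, note in the docs that users with mirrored registries now override the full image reference rather than just the prefix.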

It is also desired to change GCS to run in merge request only pipelines, as described here.

Relevant links

Non-functional requirements

  • Documentation:
  • Feature flag:
  • Performance:
  • Testing:

Implementation plan

  • Refactor the container scanning template to a single job based mostly on CS_ANALYZER_IMAGE
  • GIT_STRATEGY should keep its default value of none, given its relation to other features (remediation, allowlist)
  • CS_ANALYZER_IMAGE to be defaulted to "registry.gitlab.com/gitlab-org/security-products/analyzers/container-scanning:4"
  • Update documentation
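As an added illustration (not part of this issue or of the template itself) of how a project would consume the simplified template: it includes the template and overrides only the two remaining knobs on the `container_scanning` job, `CS_ANALYZER_IMAGE` pointing at a mirrored copy of the analyzer (the registry hostname is a placeholder) and `GIT_STRATEGY: fetch` so that a `vulnerability-allowlist.yml` committed to the repository is available to the scanner.

```yaml
# Project-level .gitlab-ci.yml consuming the refactored template (added example).
include:
  - template: Security/Container-Scanning.gitlab-ci.yml

container_scanning:
  variables:
    # Single source of truth for the analyzer image after the refactor.
    # Point it at an internal mirror for runners without internet access;
    # the hostname below is a placeholder, not a real registry.
    CS_ANALYZER_IMAGE: "registry.example.internal/security-products/analyzers/container-scanning:4"
    # The template defaults this to `none`. Use `fetch` only when the job must
    # read files from the repository, such as vulnerability-allowlist.yml.
    # Setting it here at job level keeps every other job's checkout unchanged.
    GIT_STRATEGY: fetch
```

Setting `CONTAINER_SCANNING_DISABLED` anywhere in the pipeline's variables still turns the job off through the template's first rule.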
Edited by Thiago Figueiró