Cleaning up container scanning template based on customer issues
Why are we doing this work
There have been a couple of issues with customers having difficulty setting the proper variables for container scanning. Depending on how much information they are able to provide, supporting and helping them becomes a non-straightforward situation.
In addition, the current number of variables makes various sections of our documentation a long read.
As we approach a release with breaking changes: (1) removing klar, (2) making trivy the default scanner, (3) adding grype as an optional scanner, (4) updating Container-Scanning.gitlab-ci.yml to support the previous points and some other things.
It seems that we are in a good position to simplify the template with regard to scanner usage by adding a single source of truth. This would reduce the number of variables to be customized, which would imply simpler documentation, simpler troubleshooting, and somewhat less magic.
Before digging too deep into it I am considering something like the following:
diff --git a/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml b/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml
index c628e30b2c7..614762051af 100644
--- a/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml
@@ -1,60 +1,28 @@
# Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/container_scanning/
variables:
- # Setting this variable will affect all Security templates
- # (SAST, Dependency Scanning, ...)
- SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
- CS_MAJOR_VERSION: 3
+ # CS_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
+ # override the analyzer image with a custom value. This may be subject to change or
+ # breakage across GitLab releases.
+ CS_ANALYZER_IMAGE: "registry.gitlab.com/gitlab-org/security-products/analyzers/container-scanning:4"
+ # Override the GIT_STRATEGY variable in your `.gitlab-ci.yml` file and set it to `fetch` if you want to provide a `vulnerability-allowlist.yml`
+ # file. See https://docs.gitlab.com/ee/user/application_security/container_scanning/index.html#overriding-the-container-scanning-template
+ # for details
+ GIT_STRATEGY: none
-.cs_common:
+container_scanning:
stage: test
image: "$CS_ANALYZER_IMAGE"
- variables:
- # Override the GIT_STRATEGY variable in your `.gitlab-ci.yml` file and set it to `fetch` if you want to provide a `clair-whitelist.yml`
- # file. See https://docs.gitlab.com/ee/user/application_security/container_scanning/index.html#overriding-the-container-scanning-template
- # for details
- GIT_STRATEGY: none
- # CS_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
- # override the analyzer image with a custom value. This may be subject to change or
- # breakage across GitLab releases.
- CS_ANALYZER_IMAGE: $SECURE_ANALYZERS_PREFIX/$CS_PROJECT:$CS_MAJOR_VERSION
- allow_failure: true
- artifacts:
- reports:
- container_scanning: gl-container-scanning-report.json
- dependencies: []
-
-container_scanning:
- extends: .cs_common
- variables:
- # By default, use the latest clair vulnerabilities database, however, allow it to be overridden here with a specific image
- # to enable container scanning to run offline, or to provide a consistent list of vulnerabilities for integration testing purposes
- CLAIR_DB_IMAGE_TAG: "latest"
- CLAIR_DB_IMAGE: "$SECURE_ANALYZERS_PREFIX/clair-vulnerabilities-db:$CLAIR_DB_IMAGE_TAG"
- CS_PROJECT: 'klar'
- services:
- - name: $CLAIR_DB_IMAGE
- alias: clair-vulnerabilities-db
- script:
- - /analyzer run
- rules:
- - if: $CONTAINER_SCANNING_DISABLED
- when: never
- - if: $CI_COMMIT_BRANCH &&
- $GITLAB_FEATURES =~ /\bcontainer_scanning\b/ &&
- $CS_MAJOR_VERSION =~ /^[0-3]$/
-
-container_scanning_new:
- extends: .cs_common
- variables:
- CS_PROJECT: 'container-scanning'
script:
- gtcs scan
artifacts:
paths: [gl-container-scanning-report.json]
+ reports:
+ container_scanning: gl-container-scanning-report.json
+ allow_failure: true
+ dependencies: []
rules:
- if: $CONTAINER_SCANNING_DISABLED
when: never
- if: $CI_COMMIT_BRANCH &&
- $GITLAB_FEATURES =~ /\bcontainer_scanning\b/ &&
- $CS_MAJOR_VERSION !~ /^[0-3]$/
+ $GITLAB_FEATURES =~ /\bcontainer_scanning\b/
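Review bot: The comment kept on `+ CS_ANALYZER_IMAGE` still describes it as "an undocumented variable used internally to allow QA to override the analyzer image", yet this change makes it the single user-facing knob for choosing the scanner image; reword the comment to document the variable as the supported override. Also worth flagging: dropping `SECURE_ANALYZERS_PREFIX` (whose removed comment notes it "will affect all Security templates") in favour of a hardcoded `registry.gitlab.com/...` path means a project that already sets the prefix for a mirrored registry no longer gets that effect in this job, since `CS_ANALYZER_IMAGE` is no longer derived from `$SECURE_ANALYZERS_PREFIX/$CS_PROJECT:$CS_MAJOR_VERSION`; the documentation update in the implementation plan should call out setting `CS_ANALYZER_IMAGE` directly for that case.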
It is also desired to change GCS to run in merge-request-only pipelines, as described here.
Relevant links
Non-functional requirements
- Documentation: -
- Feature flag: -
- Performance: -
- Testing:
Implementation plan
- Refactor container scanning template to a single job based mostly on CS_ANALYZER_IMAGE
- GIT_STRATEGY should be kept for its default value `none` and its relation to other features (remediation, allowlist)
- CS_ANALYZER_IMAGE to be defaulted to "registry.gitlab.com/gitlab-org/security-products/analyzers/container-scanning:4"
- Update documentation
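As an added example (not part of this issue or the GitLab template itself), a project-level `.gitlab-ci.yml` that includes the simplified template and overrides only the two variables the plan keeps user-facing; the mirror host `registry.example.internal` is an assumed placeholder for a registry reachable from runners that cannot pull from registry.gitlab.com:

```yaml
# Project-level .gitlab-ci.yml (added example, not from the issue).
# Includes the simplified Container Scanning template and overrides only
# the two variables the implementation plan keeps as user-facing.
include:
  - template: Security/Container-Scanning.gitlab-ci.yml

container_scanning:
  variables:
    # Single source of truth for the scanner image. The host below is an
    # assumed internal mirror; the image path and tag match the template
    # default (registry.gitlab.com/.../container-scanning:4).
    CS_ANALYZER_IMAGE: "registry.example.internal/gitlab-org/security-products/analyzers/container-scanning:4"
    # The template defaults GIT_STRATEGY to none so the job never clones
    # the repository. Set it to fetch only when the job needs files from
    # the repo, such as vulnerability-allowlist.yml.
    GIT_STRATEGY: fetch
```

Leave `GIT_STRATEGY` at the template default when no allowlist or other repository file is needed, so the scanning job keeps the smaller checkout-free footprint.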