Container scanning does not support public docker registries
Summary
Container scanning cannot pull images from public Docker registries such as Docker Hub (docker.io).
Steps to reproduce
- Create a project with a `.gitlab-ci.yml`
- Add the following content to the file above:

```yaml
include:
  - template: Security/Container-Scanning.gitlab-ci.yml

variables:
  DOCKER_IMAGE: python:3.4-alpine
```

- Run the pipeline and check the content of the `container_scanning` job.
Example Project
This pipeline can be used as an example.
What is the current bug behavior?
The job fails, and the log shows Docker Hub's token endpoint rejecting the credentials the analyzer presents when requesting pull access to the `library/python` repository:

```
GET https://auth.docker.io/token?scope=repository%3Alibrary%2Fpython%3Apull&service=registry.docker.io: unsupported status code 401; body: {"details":"incorrect username or password"}
```
What is the expected correct behavior?
The container scanner should be able to pull the image anonymously and run the analyzer, producing output similar to:

```
[INFO] [2021-07-28 18:43:52 +0000] [] ▶ Scanning container python:3.4-alpine for vulnerabilities with severity level UNKNOWN or higher, with gcs 4.3.5 and Trivy Version: 0.19.2, advisories updated at 2021-07-28
```
Relevant logs and/or screenshots
Raw logs can be found here
Possible fixes
Only use `CI_REGISTRY_USER` / `CI_REGISTRY_PASSWORD` by default if `image.domain == env['CI_REGISTRY']`, and otherwise use anonymous auth.
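The credential selection proposed above, written out as an added example in Go (the analyzer is Go-based, but this is not the gcs project's own code). `registryHost` applies the Docker image-reference rules to find which registry an image lives on: a leading path component is a registry only if it contains a `.` or `:` or is `localhost`, otherwise the image is on Docker Hub (`docker.io`, with `index.docker.io` folded into the same name). `selectCredentials` then hands out the job's `CI_REGISTRY_USER` / `CI_REGISTRY_PASSWORD` only when that registry matches `CI_REGISTRY`, and returns `nil` (anonymous pull) for every other registry. The `env` map, the `registry.example.com:5050` registry and the token values are constructed placeholders, not real GitLab-issued secrets. Besides fixing the 401 from Docker Hub, the check also stops the job token from being presented to registries it was never issued for.

```go
package main

import (
	"fmt"
	"strings"
)

// Credentials is a username/password pair presented to a registry's token
// endpoint. A nil *Credentials means "pull anonymously".
type Credentials struct {
	Username string
	Password string
}

// registryHost extracts the registry host from an image reference using the
// Docker reference rules: the text before the first "/" is a registry only if
// it contains a "." or ":" or equals "localhost"; otherwise the image lives on
// Docker Hub. "index.docker.io" is folded into its canonical name "docker.io".
func registryHost(image string) string {
	slash := strings.Index(image, "/")
	if slash < 0 {
		return "docker.io" // e.g. "python:3.4-alpine"
	}
	first := strings.ToLower(image[:slash])
	if !strings.ContainsAny(first, ".:") && first != "localhost" {
		return "docker.io" // e.g. "bitnami/redis:6.2"
	}
	if first == "index.docker.io" {
		return "docker.io"
	}
	return first
}

// selectCredentials returns the job's registry credentials only when the image
// is hosted on the registry named by CI_REGISTRY; every other registry is
// accessed anonymously. env stands in for the job's environment variables.
func selectCredentials(image string, env map[string]string) *Credentials {
	ciRegistry := strings.ToLower(strings.TrimSuffix(env["CI_REGISTRY"], "/"))
	user, pass := env["CI_REGISTRY_USER"], env["CI_REGISTRY_PASSWORD"]
	if ciRegistry == "" || user == "" || pass == "" {
		return nil // no usable job credentials at all
	}
	if registryHost(image) != ciRegistry {
		return nil // foreign registry: never forward GitLab credentials
	}
	return &Credentials{Username: user, Password: pass}
}

func main() {
	// Constructed example environment; the values are placeholders, not real
	// secrets or GitLab-issued tokens.
	env := map[string]string{
		"CI_REGISTRY":          "registry.example.com:5050",
		"CI_REGISTRY_USER":     "gitlab-ci-token",
		"CI_REGISTRY_PASSWORD": "example-job-token",
	}
	for _, image := range []string{
		"python:3.4-alpine",
		"registry.example.com:5050/group/project/app:latest",
		"ghcr.io/org/tool@sha256:0000000000000000000000000000000000000000000000000000000000000000",
	} {
		if creds := selectCredentials(image, env); creds != nil {
			fmt.Printf("%-70s -> %s (user %s)\n", image, registryHost(image), creds.Username)
		} else {
			fmt.Printf("%-70s -> %s (anonymous)\n", image, registryHost(image))
		}
	}
}
```

Running it shows `python:3.4-alpine` resolved to `docker.io` and pulled anonymously, while only the image under `registry.example.com:5050` receives the job credentials. Note that the comparison is by host (including port) rather than by URL, since `CI_REGISTRY` carries no scheme.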