Container Scanning - CS_IMAGE doesn't support group variables


I am trying to scan containers in AWS ECS with a predefined URL for CS_IMAGE. The predefined URL is stored in a group variable in our company. When I run this, it fails:

container_scanning:
  before_script:
    - ruby -r open-uri -e "IO.copy_stream(URI.open('https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip'), 'awscliv2.zip')"
    - unzip awscliv2.zip
    - sudo ./aws/install
    - aws --version
    - source env/.development
    - export AWS_ECR_PASSWORD=$(aws ecr get-login-password --region region)

include:
  - template: Security/Container-Scanning.gitlab-ci.yml

variables: 
    CS_IMAGE: $AWS_REGISTRY/<image>:latest
    CS_REGISTRY_USER: AWS
    CS_REGISTRY_PASSWORD: "$AWS_ECR_PASSWORD"

The job is failing with this message:

* GET https://index.docker.io/v2/<image>/manifests/latest: UNAUTHORIZED: authentication required; [map[Action:pull Class: Name:<image> Type:repository]]

When I hardcode the URL into CS_IMAGE, it works fine.

The workaround I found for this is:

container_scanning:
  before_script:
    - ruby -r open-uri -e "IO.copy_stream(URI.open('https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip'), 'awscliv2.zip')"
    - unzip awscliv2.zip
    - sudo ./aws/install
    - aws --version
    - source env/.development
    - export AWS_ECR_PASSWORD=$(aws ecr get-login-password --region region)
    - export CS_IMAGE=$AWS_REGISTRY/<image>:latest

include:
  - template: Security/Container-Scanning.gitlab-ci.yml

variables: 
    CS_REGISTRY_USER: AWS
    CS_REGISTRY_PASSWORD: "$AWS_ECR_PASSWORD"

Yet I don't feel too happy with that and I believe this should be fixed 😸
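
The error quoted above shows the pull going to index.docker.io rather than to the ECR host. As an added example (not part of the original issue and not GitLab's code), here is a pre-flight check that could run in `before_script` to report which registry a `CS_IMAGE` value resolves to before the scanner starts. It assumes Docker-style reference parsing; the function names, the `expected_registry` parameter and the sample values are hypothetical.

```shell
#!/bin/sh
# Added example: report which registry host an image reference points at.
# Assumed rule (Docker-style reference parsing): the text before the first "/"
# is a registry host only if it contains "." or ":" or equals "localhost";
# otherwise the reference is resolved against Docker Hub (index.docker.io).
cs_image_registry() {
  ref=$1
  case $ref in
    ''|/*|*'$'*)
      # Empty, leading "/", or a literal "$": a variable was not expanded.
      echo "unexpanded"; return 1 ;;
  esac
  case $ref in
    */*) first=${ref%%/*} ;;   # text before the first "/"
    *)   first= ;;             # no "/" at all: bare image name
  esac
  case $first in
    localhost|*.*|*:*) echo "$first" ;;
    *)                 echo "index.docker.io" ;;
  esac
}

# Fail early unless CS_IMAGE resolves to the registry the job expects.
# expected_registry is a hypothetical parameter, e.g. the value of $AWS_REGISTRY.
cs_image_preflight() {
  expected_registry=$1
  actual=$(cs_image_registry "${CS_IMAGE:-}") || {
    echo "CS_IMAGE='${CS_IMAGE:-}' looks unexpanded" >&2; return 1; }
  if [ "$actual" != "$expected_registry" ]; then
    echo "CS_IMAGE resolves to $actual, expected $expected_registry" >&2
    return 1
  fi
}

# Constructed sample values (not taken from the original issue).
for sample in \
  '123456789012.dkr.ecr.eu-west-1.amazonaws.com/app:latest' \
  'app:latest' \
  '/app:latest'
do
  printf '%s -> %s\n' "$sample" "$(cs_image_registry "$sample")"
done
```
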
