Send vulnerability report using a network request instead of parsing logs for operational container scanning
Why are we doing this work
Operational Container Scanning (OCS), implemented in gitlab-agent, uses Trivy k8s to scan container images in a Kubernetes cluster. The vulnerability report is currently retrieved by parsing the logs of the Trivy k8s output, as implemented in the MR "Switch from starboard operator to Trivy k8s" (gitlab-org/cluster-integration/gitlab-agent!909 - merged). Parsing logs can be flaky, especially if the logs contain errors or other previously unknown components. Hence, this issue is meant to explore a more robust approach to retrieving the vulnerability report.
Trivy k8s can be configured to output* a JSON file containing the vulnerability report. This file could then be sent to the gitlab-agent pod over the network via a Kubernetes Service. This approach would be more robust but might be more complex to implement.
*See the -o flag in the Trivy documentation.
NOTE that this approach requires a deprecation. See below for more context.
Implementation plan
- Add a Kubernetes Service to gitlab-agent's Helm chart for receiving HTTP requests containing the report file.
  - Deprecation required: this requires existing users to install a Kubernetes Service for OCS to function properly and as such is not backward compatible.
- Add an HTTP server in gitlab-agent's starboard vulnerability module to listen for "create vulnerability report file" requests.
- Create a custom Trivy Docker image, based on the Trivy image, that:
  - Starts a Trivy scan and writes the output to a JSON report file, e.g. result.json. Example trivy command and args to achieve this:
    trivy k8s Pod --report=summary --scanners=vuln --db-repository registry.gitlab.com/gitlab-org/security-products/dependencies/trivy-db-glad --namespace default --format json --output result.json
  - When the scan completes, runs a custom script that sends the report file to the Service exposed above.
  - Exits the pod once the file has been sent.
  - Note that this custom Docker image needs to be hosted in a container registry so that it can be fetched when gitlab-agent starts a Trivy k8s scan. This will require an additional stage in the CI pipeline.
- Update the parsing logic to no longer read the Trivy scanner pod logs.
- Retain the logic to delete the pod once it has failed or succeeded.
- Add logic to process the vulnerability report file received by the HTTP server and transmit it to GitLab.
- Add logic to resolve vulnerabilities that are no longer detected.