Container Scanning automatic authentication for GitLab Dependency Proxy


Summary

When scanning an image through the Dependency Proxy, the scan fails with "The image <image url> could not be found", even though the path given is the correct path to the image.

Steps to reproduce

  1. Enable Dependency Proxy on a group.
  2. Run the following pipeline:

     include:
       - template: Jobs/Container-Scanning.gitlab-ci.yml

     container_scanning:
       variables:
         CS_IMAGE: ${CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX}/alpine:latest

  3. The container scan fails.

Example Project

https://gitlab.com/gitlab-gold/chriss/container-scanning

What is the current bug behavior?

Scanning images via Dependency Proxy without specifying CS_REGISTRY_USER and CS_REGISTRY_PASSWORD results in Trivy failing to scan.

What is the expected correct behavior?

We document the following:

If you use the GitLab Container Registry, the CS_REGISTRY_USER and CS_REGISTRY_PASSWORD configuration variables are set automatically and you can skip this configuration.

Since CS_REGISTRY_USER and CS_REGISTRY_PASSWORD are set automatically for the Container Registry, the analyzer should do the same for the Dependency Proxy, using the job's own CI_DEPENDENCY_PROXY_USER and CI_DEPENDENCY_PROXY_PASSWORD.

Relevant logs and/or screenshots

[ERROR] [2023-04-27 11:56:49 +0000] [container-scanning]  >  The image gitlab.com:443/gitlab-gold/chriss/dependency_proxy/containers/alpine:latest could not be found. To change the image being scanned, use the CS_IMAGE environment variable. For details, see https://docs.gitlab.com/ee/user/application_security/container_scanning/#available-cicd-variables

Output of checks

This bug happens on GitLab.com

Workaround

Set CS_REGISTRY_USER and CS_REGISTRY_PASSWORD from the predefined Dependency Proxy credentials, CI_DEPENDENCY_PROXY_USER and CI_DEPENDENCY_PROXY_PASSWORD (these are the job's own credentials, so no extra secret has to be stored as a CI/CD variable):

container_scanning:
  variables:
    # Uncomment for verbose analyzer output when troubleshooting:
    # SECURE_LOG_LEVEL: debug
    CS_REGISTRY_USER: ${CI_DEPENDENCY_PROXY_USER}
    CS_REGISTRY_PASSWORD: ${CI_DEPENDENCY_PROXY_PASSWORD}
    CS_IMAGE: ${CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX}/alpine:latest

It may be simpler to just document this workaround; however, the analyzer should provide a consistent experience for both the Container Registry and the Dependency Proxy.
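The credential selection asked for in the expected-behavior section, and applied by hand in the workaround, can be expressed as a small before_script helper. The following is an added example and not code from the GitLab container-scanning analyzer or from the example project: it inspects CS_IMAGE and exports CS_REGISTRY_USER/CS_REGISTRY_PASSWORD from the job's Container Registry or Dependency Proxy credentials, leaves values the user set explicitly untouched, and goes slightly beyond this issue by also handling images on neither host (public images, where an anonymous pull is the intended behavior). It assumes the predefined job variables CI_REGISTRY, CI_REGISTRY_USER, CI_REGISTRY_PASSWORD, CI_DEPENDENCY_PROXY_SERVER (gitlab.com:443 on GitLab.com, matching the log line above), CI_DEPENDENCY_PROXY_USER and CI_DEPENDENCY_PROXY_PASSWORD are present; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the GitLab container-scanning analyzer or the
# example project above. Picks CS_REGISTRY_USER/CS_REGISTRY_PASSWORD for the
# image named in CS_IMAGE from the job's own credentials, the way this issue
# asks the analyzer to do automatically for the Dependency Proxy.
# Assumes GitLab's predefined job variables: CI_REGISTRY, CI_REGISTRY_USER,
# CI_REGISTRY_PASSWORD, CI_DEPENDENCY_PROXY_SERVER, CI_DEPENDENCY_PROXY_USER
# and CI_DEPENDENCY_PROXY_PASSWORD.

# cs_auth_source IMAGE
# Prints which credentials apply: explicit | dependency_proxy | registry | none
cs_auth_source() {
    image=$1
    # Explicit user settings always win (this is the manual workaround).
    if [ -n "${CS_REGISTRY_USER:-}" ] && [ -n "${CS_REGISTRY_PASSWORD:-}" ]; then
        echo explicit
        return 0
    fi
    case "$image" in
        # Dependency Proxy images live on the GitLab host itself (for example
        # gitlab.com:443 on GitLab.com, as in the log line in this issue)
        # under the fixed ".../dependency_proxy/containers/" path segment,
        # whichever group or subgroup prefix was used.
        "${CI_DEPENDENCY_PROXY_SERVER:-}"/*/dependency_proxy/containers/*)
            echo dependency_proxy ;;
        # Anything on the project's Container Registry host.
        "${CI_REGISTRY:-}"/*)
            echo registry ;;
        *)
            echo none ;;
    esac
}

# cs_select_credentials IMAGE
# Exports the chosen credentials and prints the source on stdout. Returns
# non-zero when no automatic credentials apply, so a before_script can log
# that and let Trivy attempt an anonymous pull (fine for public images).
cs_select_credentials() {
    src=$(cs_auth_source "$1")
    case "$src" in
        dependency_proxy)
            export CS_REGISTRY_USER="${CI_DEPENDENCY_PROXY_USER:-}"
            export CS_REGISTRY_PASSWORD="${CI_DEPENDENCY_PROXY_PASSWORD:-}" ;;
        registry)
            export CS_REGISTRY_USER="${CI_REGISTRY_USER:-}"
            export CS_REGISTRY_PASSWORD="${CI_REGISTRY_PASSWORD:-}" ;;
    esac
    # Never write the password to the job log; the user name is enough.
    echo "credentials for $1: $src (user: ${CS_REGISTRY_USER:-<none>})" >&2
    echo "$src"
    [ "$src" != none ]
}

# Usage from a job's before_script (a no-op when CS_IMAGE is not set):
if [ -n "${CS_IMAGE:-}" ]; then
    cs_select_credentials "$CS_IMAGE" >/dev/null || true
fi
```

The Dependency Proxy check is placed before the Container Registry check on purpose: the two hosts differ on GitLab.com, but on a self-managed instance where the registry shares the GitLab host the more specific dependency_proxy path pattern must be tried first.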
