Container Scanning does not ingest dotenv
Container Scanning uses the CS_IMAGE variable to set the image to be scanned. This works well when you know the image name in advance or can hard code the variable.
Problem
If I am building an image via a template and the name for that image could vary based on project, I have to set dotenv to get the variable for the image name out to other jobs. For container scanning, the Container-Scanning.gitlab-ci.yml has dependencies: []. Because dotenv is classified as an artifact and not a true environment variable, the container scanning job will never see that variable.
Example
Job that is extended by every team needing to build a Docker container. The image name is passed in as a variable, generally derived from an upstream job.
The Container Scanning job still pulls the default CS_IMAGE because it cannot consume the dotenv.
Proposed Solution
Remove the hardcoded dependencies: [] line. This can be set by anyone who wants to ingest the template. If it is set in the template, it can't be removed if included.
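The pipeline shape this issue describes, as an added example that is neither the reporter's own job snippets nor GitLab's template: a build job computes a per-project image name, exports it as CS_IMAGE through a dotenv report, and the container_scanning job declares that build job as a dependency so the dotenv variable reaches the scanner. It assumes the template no longer pins dependencies: [] (the change proposed above); the job name "build", the image tag layout and the Docker image versions are constructed for illustration.

```yaml
# Added example (not the issue author's snippets or the GitLab template itself).
# Assumes the Container Scanning template no longer pins dependencies: [],
# as proposed above, so container_scanning can receive the build job's artifacts.
include:
  - template: Security/Container-Scanning.gitlab-ci.yml

stages:
  - build
  - test

# Builds the image. The image name varies per project, so it is computed here
# and handed to later jobs via a dotenv report instead of being hard coded.
build:
  stage: build
  image: docker:24            # constructed version choice
  services:
    - docker:24-dind          # constructed version choice
  script:
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
    - export IMAGE="$CI_REGISTRY_IMAGE/$CI_PROJECT_NAME:$CI_COMMIT_SHA"
    - docker build -t "$IMAGE" .
    - docker push "$IMAGE"
    # Each KEY=value line in the dotenv report becomes a variable in jobs
    # that receive this artifact; CS_IMAGE is the variable the scanner reads.
    - echo "CS_IMAGE=$IMAGE" > build.env
  artifacts:
    reports:
      dotenv: build.env

# The scanning job from the included template, with the dotenv producer
# declared explicitly so build.env (and therefore CS_IMAGE) is downloaded.
# With dependencies: [] still present in the template, this artifact would be
# skipped and the job would fall back to the template's default CS_IMAGE.
container_scanning:
  stage: test
  needs:
    - job: build
      artifacts: true
  dependencies:
    - build
```

When checking that the fix took effect, look at the container_scanning job log for the image reference it actually pulled: it should be the CI_REGISTRY_IMAGE tag pushed by the build job, not the template's default CS_IMAGE value. A scan that silently runs against the default image gives a clean-looking report for an image that was never built by this pipeline, which is the failure mode this issue is about.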