Adherence check - Container Scanning
Problem to solve
To adhere to regulatory standards and to provide evidence of compliance, I need to be able to generate a report for auditors detailing the last date/time each of my repositories were scanned by each security scanner. I would leverage this data to also action against projects that are out of compliance to bring them into compliance and ensure that scanners are properly enabled/enforced to run.
Proposal
Add an adherence check for the "GitLab Standard" that checks that Container Scanning is enabled on the project.
Container Scanning can be enabled to configure Container Scanning for the current project. For more details, https://docs.gitlab.com/ee/user/application_security/container_scanning/index.html#enable-container-scanning-through-an-automatic-merge-request
Implementation plan
Designs
Activity
cloned from #440715
changed milestone to %Backlog
added to epic &12661
marked this issue as blocking #442141
mentioned in epic &12661
We can check whether container scanning is enabled for a project by checking if the corresponding artifact got generated for a pipeline which ran on the default branch of the repository. Similar to what we are doing for sast scanner in !163579 (merged). The file_type for the artifact will be
container_scanning.Edited by Hitesh Raghuvanshi
Hi team
I have an Ultimate, SaaS customer interested in this feature.
Use Case: Wanting to scan containers locally with multiple containers
Is there a roadmap for this being available?
We are currently working on reworking the adherence report in this epic Custom compliance frameworks (&13295). Once that is complete the scanner checks are next for us to add.
cc @khornergit
added customer label
assigned to @reneehendricksen
unassigned @reneehendricksen