SPIKE: How do we scan images used in .gitlab-ci.yml files
Proposal
The GitLab CI configs (and CI configs in general) are an area that could benefit from security analysis. The configuration is in large part another piece of code on the critical path of many projects, so we should look at how we would scan these config-as-code manifests for vulnerabilities and/or insecure coding practices.
There are some existing tools that are tangentially related, and may be able to assist here.
Container Scanning
In our CI job configs, we declare images in two different places: the image key and the services key.
We could parse the values of these keys, and pass them on to container scanning for further analysis.
Some challenges exist here, primarily when it comes to expanding variables in a config value like golang:${GO_VERSION}.
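As an added example (not code from the issue or from GitLab), here is a minimal extractor for the image and services keys that also does the variable expansion mentioned above: it honours default/global images, job-level variables overriding global ones, and both the string and the name: mapping forms of an image entry, and it reports variables it cannot resolve from the file instead of guessing. The sample config is constructed inline as the dict that PyYAML's yaml.safe_load() would return; predefined CI variables and project or group settings are not modelled.

```python
import re

# Constructed sample: the dict PyYAML's yaml.safe_load() returns for a small
# .gitlab-ci.yml. A real scanner would load the project's file instead.
SAMPLE_CONFIG = {
    "variables": {"GO_VERSION": "1.21", "PG_TAG": "15"},
    "default": {"image": "golang:${GO_VERSION}"},
    "build": {"script": ["go build ./..."]},
    "test": {
        "variables": {"GO_VERSION": "1.22"},          # job-level override
        "image": {"name": "golang:$GO_VERSION-alpine", "entrypoint": [""]},
        "services": ["redis:7", {"name": "postgres:${PG_TAG}", "alias": "db"}],
        "script": ["go test ./..."],
    },
    "deploy": {"image": "registry.example.com/deployer:${DEPLOY_TAG}",
               "script": ["./deploy.sh"]},  # DEPLOY_TAG is not defined in the file
}

# Top-level keys that are not job definitions (hidden jobs start with ".")
RESERVED = {"variables", "default", "stages", "include", "workflow", "image",
            "services", "cache", "before_script", "after_script"}
VAR_RE = re.compile(r"\$\{(\w+)\}|\$(\w+)")  # ${NAME} or $NAME

def expand(value, scope):
    """Expand $VAR / ${VAR} from scope; return (text, names left unresolved)."""
    unresolved = []
    def sub(match):
        name = match.group(1) or match.group(2)
        if name in scope:
            return str(scope[name])
        unresolved.append(name)
        return match.group(0)  # leave the reference visible for the reviewer
    return VAR_RE.sub(sub, value), unresolved

def image_name(spec):
    """image/services entries are either a plain string or a mapping with name."""
    return spec if isinstance(spec, str) else spec["name"]

def collect_images(config):
    """Return (job, resolved image, unresolved vars) for every image a job pulls."""
    global_vars = config.get("variables", {})
    defaults = config.get("default", {})
    default_image = defaults.get("image", config.get("image"))
    default_services = defaults.get("services", config.get("services", []))
    found = []
    for job, body in config.items():
        if job in RESERVED or job.startswith(".") or not isinstance(body, dict):
            continue
        scope = {**global_vars, **body.get("variables", {})}
        specs = [body.get("image", default_image)] + body.get("services", default_services)
        for spec in specs:
            if spec is not None:
                resolved, missing = expand(image_name(spec), scope)
                found.append((job, resolved, missing))
    return found
```

The tuples returned by collect_images() are what would be handed to container scanning; an entry with a non-empty unresolved list is exactly the case the config alone cannot answer, because the value comes from outside the file.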
SAST
The script sections of the CI job config can be passed into static analysis.
Secret detection
It's possible that secret detection can also be leveraged here. Specifically, we could inspect CI job logs for any leaked secrets caused by the misuse of masked variables.
Links
- Trivy issue 3067 - mentions scanning the images in .gitlab-ci.yml files.
- aquasecurity/go-dep-parser#144: Work to support scanning this.