Feature Request: Integration of Virtual Machine Scanning in GitLab


Problem to solve

While GitLab provides robust tools for application and container security, there is a gap when it comes to VM scanning within GitLab CI/CD pipelines. Currently, organizations must rely on external tools to perform VM scans, which can complicate the security processes and fragment the security posture management. As virtual machines continue to be a critical part of many IT infrastructures, integrating VM scanning directly into GitLab could streamline security workflows and enhance visibility into the security status of both application and infrastructure layers.

Proposal

GitLab should integrate virtual machine scanning capabilities into its platform. This could be achieved by leveraging existing tools like Trivy, which already offers an experimental capability for scanning VM images: https://aquasecurity.github.io/trivy/v0.35/docs/vm/. In theory it is already possible to deploy a GitLab runner on a virtual machine, define a CI job that executes a Trivy filesystem scan on that runner, and then collect the results. Offering an integration with Trivy's VM scanning tool would provide a seamless and centralized way to manage security assessments across both applications and their operating environments.
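As an added illustration of the runner-on-the-VM workaround the proposal sketches (example configuration written for this issue, not code from the issue, from GitLab or from the Trivy project), assuming a runner with the shell executor registered on the VM under the tag `vm-scanner`, the `trivy` binary installed on that VM, and Trivy's `contrib/gitlab.tpl` template copied next to the project checkout:

```yaml
# .gitlab-ci.yml (added example). The job runs on the VM itself, scans the
# VM's root filesystem with Trivy, publishes the findings to GitLab's
# vulnerability report and fails the pipeline on fixable HIGH/CRITICAL issues.
# Assumed (not from the issue): runner tag "vm-scanner", trivy on the VM,
# and contrib/gitlab.tpl available in the working directory.
stages:
  - scan

vm-trivy-scan:
  stage: scan
  tags:
    - vm-scanner                 # route the job to the runner living on the VM
  variables:
    TRIVY_SEVERITY: "HIGH,CRITICAL"
    TRIVY_CACHE: "$CI_PROJECT_DIR/.trivycache"
  cache:
    key: trivy-db                # keep the vulnerability DB between pipelines
    paths:
      - .trivycache/
  script:
    # First pass: full report in GitLab's container-scanning schema so the
    # findings show up in the project's Security dashboard. Pseudo-filesystems
    # are skipped; they hold no packages and only slow the walk down.
    - >
      trivy fs --cache-dir "$TRIVY_CACHE"
      --skip-dirs /proc --skip-dirs /sys --skip-dirs /dev
      --severity "$TRIVY_SEVERITY"
      --format template --template "@contrib/gitlab.tpl"
      --output gl-container-scanning-report.json /
    # Second pass: gate the pipeline. Only vulnerabilities with an available
    # fix count, so the VM is not blocked on issues nobody can patch yet.
    - >
      trivy fs --cache-dir "$TRIVY_CACHE"
      --skip-dirs /proc --skip-dirs /sys --skip-dirs /dev
      --severity "$TRIVY_SEVERITY" --ignore-unfixed
      --exit-code 1 /
  artifacts:
    when: always                 # keep the report even when the gate fails
    reports:
      container_scanning: gl-container-scanning-report.json
    paths:
      - gl-container-scanning-report.json
```

The runner's account needs read access to the package database (for example `/var/lib/dpkg` or `/var/lib/rpm`); running the runner as root is not required for that, and should be avoided since the job executes arbitrary pipeline scripts on the VM.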

Intended users

DevSecOps Engineers

Security Professionals

System Administrators
