
Feature Request: Flexible Image Specification for Container Scan in Pipeline Execution Policies


Problem Statement

When using the new Pipeline Execution Policy with Container Scan, there's currently no flexible way to specify the image to be scanned for projects that dynamically generate image tags or handle multiple projects. The current method of manually defining $CS_IMAGE for each project is not scalable for large-scale implementations.

Current Workaround

Customers are currently using a workaround that involves:

  1. Dynamically generating the image tag:

     IMAGE_TAG: ${PYTHON_MINOR_VERSION}

  2. Echoing the full image name into a file:

     echo ${IMAGE_NAME}:${IMAGE_TAG}-${CI_MERGE_REQUEST_IID:-0} > docker_image.txt

  3. Reading from this file in your scan execution policy, falling back to it only when CS_IMAGE is not already set:

     if [ -z "$CS_IMAGE" ]; then export CS_IMAGE=$(<docker_image.txt); fi
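The three workaround steps above as a runnable shell version, added here as an example; it is not part of this issue, of GitLab's container-scanning component, or of any pipeline execution policy. The function names, the sample registry path and the temporary file are assumptions, and it uses `cat` instead of the bash-only `$(<file)` so it also runs under POSIX sh.

```shell
#!/usr/bin/env sh
# Added example (not from the issue or from GitLab): the workaround's
# three steps as shell functions so the precedence and failure cases
# can be checked locally before relying on them in a policy.

# Steps 1 and 2 (project pipeline job): compose the image reference the
# way the issue's echo command does and write it to docker_image.txt.
#   $1 = IMAGE_NAME, $2 = IMAGE_TAG, $3 = CI_MERGE_REQUEST_IID (may be
#   empty outside merge-request pipelines), $4 = output file
write_image_file() {
  image_name="$1"
  image_tag="$2"
  mr_iid="${3:-0}"          # same default as ${CI_MERGE_REQUEST_IID:-0}
  out_file="$4"
  printf '%s:%s-%s\n' "$image_name" "$image_tag" "$mr_iid" > "$out_file"
  cat "$out_file"           # echo the value that was written
}

# Step 3 (scan execution policy job): a CS_IMAGE that the policy already
# set stays authoritative; the file is only consulted when it is empty,
# and a missing or empty file is an error rather than a silent no-op.
#   $1 = current CS_IMAGE value (possibly empty), $2 = path to docker_image.txt
resolve_cs_image() {
  cs_image="$1"
  image_file="$2"
  if [ -z "$cs_image" ]; then
    if [ ! -s "$image_file" ]; then
      echo "resolve_cs_image: CS_IMAGE unset and $image_file missing or empty" >&2
      return 1
    fi
    cs_image=$(cat "$image_file")   # portable form of $(<docker_image.txt)
  fi
  printf '%s\n' "$cs_image"
}

# Stand-alone demo with a constructed image name and a temp file in place
# of the project artifact (both are assumptions, not values from the issue).
demo() {
  tmp=$(mktemp)
  write_image_file "registry.example.com/group/app" "3.12" "" "$tmp" >/dev/null
  echo "resolved: $(resolve_cs_image "" "$tmp")"
  rm -f "$tmp"
}

demo
```

Because the policy job trusts whatever `docker_image.txt` contains, anyone who can change the project pipeline also decides which image the enforced scan examines; keeping a policy-provided `CS_IMAGE` authoritative and failing when the file is absent are the two checks worth carrying over into the real job.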

Proposed Solution

We propose adding the ability to flexibly specify the image for Container Scan in Pipeline Execution Policies. This could be achieved by either:

  1. Allowing variables defined in the local .gitlab-ci.yml file to be used in the Pipeline Execution Policy.
  2. Enabling the passing of artifacts to the .pipeline-policy-post stage, so that files (like our docker_image.txt) can be used to specify the image.

Use Case

This feature would be particularly useful for pipelines designed to scan a large number of projects, where image tags might be generated dynamically based on various factors (e.g., Python version, merge request ID).

Benefits

  • Improved scalability for organizations managing multiple projects
  • Better integration with dynamic CI/CD processes
  • Reduced manual configuration, leading to fewer errors and less maintenance

Additional Context

Some customers prefer to use the provided GitLab component to benefit from ongoing updates and ensure compatibility with GitLab infrastructure. However, if this feature cannot be implemented, they may need to resort to a custom container scan implementation.

Relevant Documentation

Current documentation on customizing enforced jobs: https://docs.gitlab.com/ee/user/application_security/policies/pipeline_execution_policies.html#customize-enforced-jobs-based-on-project-variables

This feature request outlines the current problem, describes your workaround, proposes potential solutions, and explains the benefits of implementing this feature. It also provides context about your preference for using the components provided by GitLab.
