Design: Allow Container Scanning to scan multiple container images for a single change
Problem to solve
Scan multiple container images in one scan, since a single change may affect, and introduce security issues into, several containers.
Once these reports are available, this is how UX will be affected:
- The same vulnerability type may be found across multiple images. This would result in multiple vulnerability objects (same type, but different images) being created and displayed.
- The results from container scanning on the vulnerability list will show results from all images. The user currently wouldn’t be able to view only specific/individual image results.
Proposal
Allow multiple container scanning reports for a single change.
UX:
- allow users to filter by all or specific images
- display the name of the image for filter selection
Permissions and Security
Same as current
Documentation
Update
Testing
Set up a regression test and a test project.
What does success look like, and how can we measure that?
What is the type of buyer?
Links / references
ZD https://gitlab.zendesk.com/agent/tickets/99266
Conclusion
As discussed in Multiple CI jobs, we can define multiple CI jobs in a single .gitlab-ci.yml file to trigger multiple parallel container scanning jobs, and leverage the existing Rails merge-report code to combine all the resulting individual reports into a single report, which is then presented as vulnerabilities in the Security Dashboard and the pipeline security tab in the UI.
Multi-image container scanning is already partially supported, as shown in this .gitlab-ci.yml file and this passing pipeline.
However, for full support, we'll need to handle the following:
- Update the fingerprint used by container scanning so that the same vulnerability found in multiple distinct Docker images will not be de-duplicated and will instead be included in the final report, tied to the particular image it was found in. We'll also need to migrate all existing container scanning vulnerability database entries to use the new fingerprint. See this discussion for more details.
- Handle (or simply document) edge cases in handling remediations for a container scan involving multiple Docker images. See 3. Scanning a mixture of prebuilt and built images with a single Dockerfile.
- Store the Docker image name for a pipeline in the database to allow the frontend to display a drop-down menu enabling the user to filter the vulnerability results for a particular Docker image. In addition to storing the Docker image name in the database, we may need to add a new API call to allow the frontend code to retrieve these values. See Backend changes required for supporting UI for more details.
- Implement the frontend UI changes to allow filtering the vulnerability results for a particular Docker image. This will allow a user to filter the list of vulnerabilities to only display those from a single Docker image by selecting the corresponding Docker image name from a sub-menu in the Report type -> Container Scanning drop-down menu.
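The fingerprint point above, as an added illustration that is not GitLab's own fingerprint or merge-report code: two constructed reports for different images share one finding, and a fingerprint that omits the image name silently drops the second image's copy during the merge, while one that includes the image keeps both and allows per-image filtering. The report shape, image names and CVE ids are constructed for the example.

```python
import hashlib

# Constructed sample reports in a minimal shape that only loosely resembles a
# container scanning report; this is not the real GitLab report schema.
REPORT_WEB = {
    "image": "registry.example.com/app/web:1.0",  # constructed image name
    "vulnerabilities": [
        {"cve": "CVE-EXAMPLE-0001", "package": "openssl", "version": "1.1.1", "severity": "High"},
        {"cve": "CVE-EXAMPLE-0002", "package": "zlib", "version": "1.2.11", "severity": "Medium"},
    ],
}
REPORT_WORKER = {
    "image": "registry.example.com/app/worker:1.0",  # constructed image name
    "vulnerabilities": [
        # Same CVE, package and version as in the web image.
        {"cve": "CVE-EXAMPLE-0001", "package": "openssl", "version": "1.1.1", "severity": "High"},
    ],
}


def fingerprint(vuln, image=None):
    """Hash of the identifying fields of a finding.

    Without the image, an identical CVE/package/version pair in two images
    collides; with the image included, each image gets its own finding.
    """
    parts = [vuln["cve"], vuln["package"], vuln["version"]]
    if image is not None:
        parts.append(image)
    return hashlib.sha256(":".join(parts).encode()).hexdigest()


def merge_reports(reports, include_image):
    """Combine per-image reports into one list, de-duplicating by fingerprint.

    The first occurrence of a fingerprint wins and later ones are dropped,
    which is how a fingerprint-keyed merge loses the second image's copy.
    """
    merged = {}
    for report in reports:
        image = report["image"]
        for vuln in report["vulnerabilities"]:
            fp = fingerprint(vuln, image if include_image else None)
            merged.setdefault(fp, {**vuln, "image": image, "fingerprint": fp})
    return list(merged.values())


def findings_by_image(findings, image):
    """Per-image filter, the operation the proposed UI drop-down would perform."""
    return [f for f in findings if f["image"] == image]
```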
Product
- release post item: No. This does not hit the bar of a new/novel solution, although it is a user-facing improvement.