Skip to content

Store container scanning SBoMs as reports

Aditya Tiwari requested to merge 398644-container-scanning-report-update into master

What does this MR do and why?

Add the cyclonedx report artifact:

artifacts:
  reports:
      container_scanning: gl-container-scanning-report.json
      dependency_scanning: gl-dependency-scanning-report.json
      cyclonedx: "**/gl-sbom-*.cdx.json"
    paths: [gl-container-scanning-report.json, gl-dependency-scanning-report.json, "**/gl-sbom-*.cdx.json"]

Describe in detail what your merge request does and why.

Screenshots or screen recordings

Screenshot_2023-03-23_at_3.46.10_PM

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

How to set up and validate locally

  1. Check out this MR in GDK.
  2. Clone this test project in your local gdk.
  3. Set the variable as follows in the project gitlab-ci.yml.
  CS_ANALYZER_IMAGE: registry.gitlab.com/gitlab-org/security-products/analyzers/container-scanning/tmp/trivy:55a702958694e3404c036915ba1ee93aea1e9133
  CI_REGISTRY_IMAGE: registry.gitlab.com/atiwari71/container-scanning-test

This will fetch the container-scanning build with SBOM report feature from this MR.

  1. Run the pipeline and go to the job artifacts, the report will look like as follows:

Screenshot_2023-03-23_at_3.46.10_PM

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #398644 (closed)

Edited by Aditya Tiwari

Merge request reports