Match container-scanning vulnerabilities in dependencies (!76939) · Merge requests · GitLab.org / GitLab

Alan (Maciej) Paruszewski requested to merge 348489-add-container-scanning-dependencies-to-dependency-list into master Dec 16, 2021

What does this MR do and why?

We have recently added ability to list dependencies found in container-scanning analyzer, however we have missed one important detail: we also want to show for which dependencies we have found vulnerabilities. This MR addresses that.

Screenshots or screen recordings

How to set up and validate locally

Create new project.
Create gitlab-ci.yml file and paste content:

include:
   - template: Security/Container-Scanning.gitlab-ci.yml

variables:
   CS_DISABLE_LANGUAGE_VULNERABILITY_SCAN: "false"
   DOCKER_IMAGE: "dnurmi/testrepo:jarjar"
   CS_ANALYZER_IMAGE: "registry.gitlab.com/gitlab-org/security-products/analyzers/container-scanning:348489-fix-location-image-for-trivy-language-scan"

Run pipeline and go to Security & Compliance -> Dependency list. You should see information about vulnerabilities there.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

I have evaluated the MR acceptance checklist for this MR.

Related to #348489 (closed)

Match container-scanning vulnerabilities in dependencies

What does this MR do and why?

Screenshots or screen recordings

How to set up and validate locally

MR acceptance checklist

Merge request reports