Allow container scanning to work with self signed SSL certificates
Problem to solve
Container scanning currently allows the following methods of operation with regard to registries and SSL connectivity:
- Insecurely, by using the REGISTRY_INSECURE environment variable
- Securely, which requires a valid SSL certificate
However, if a client wants to use a self-signed SSL certificate, container scanning will not work properly.
Intended users
- Sasha (Software Developer)
- Devon (DevOps Engineer)
- Sidney (Systems Administrator)
- Sam (Security Analyst)
Further details
This change will make container scanning more flexible for self-hosted and air-gapped instances.
Proposal
In order to allow the use of self-signed certificates, we need to make the following changes:
- Expose the DOCKER_INSECURE option from klar as one of the configurableEnvVarValues in the GitLab container scanning project.
- If the DOCKER_INSECURE=true value is set, we'll need to add a new -insecure-tls flag to the clair binary as part of the clairServerArgs
The above two changes will allow a user to pass DOCKER_INSECURE=true and have the GitLab Container Scanning tool function correctly with registries using a self-signed certificate.
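The two changes above, as an added example that is not the analyzer's own code: the Settings type, settingsFromEnv, clairServerArgs and registryClient are names assumed for this illustration, and the httptest server stands in for a registry with a self-signed certificate. The registryClient function also shows what -insecure-tls means on the wire, which the proposal leaves implicit.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// Settings mirrors the proposal's two job variables ("true" enables each). REGISTRY_INSECURE
// means plain HTTP, with no certificate to verify or skip; DOCKER_INSECURE only matters over HTTPS.
type Settings struct{ RegistryInsecure, DockerInsecure bool }

func settingsFromEnv(env map[string]string) Settings {
	return Settings{env["REGISTRY_INSECURE"] == "true", env["DOCKER_INSECURE"] == "true"}
}

// clairServerArgs appends -insecure-tls only when DOCKER_INSECURE=true, the
// proposal's second change; base is whatever the job already passes to clair.
func clairServerArgs(s Settings, base []string) []string {
	args := append([]string(nil), base...)
	if s.DockerInsecure {
		args = append(args, "-insecure-tls")
	}
	return args
}

// registryClient is what -insecure-tls amounts to on the wire: with DOCKER_INSECURE the client
// accepts any certificate, so a self-signed registry works, but so would one impersonating it.
func registryClient(s Settings) *http.Client {
	tr := &http.Transport{}
	if s.DockerInsecure {
		tr.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
	}
	return &http.Client{Transport: tr, Timeout: 5 * time.Second}
}

func main() {
	// Constructed stand-in for a self-signed registry: httptest's certificate is
	// trusted by no system store, the exact case the proposal addresses.
	srv := httptest.NewTLSServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	defer srv.Close()
	for _, s := range []Settings{{}, {DockerInsecure: true}} {
		_, err := registryClient(s).Get(srv.URL + "/v2/")
		fmt.Printf("%+v -> err=%v\n", s, err) // verified: x509 error; DockerInsecure: <nil>
	}
	fmt.Println(clairServerArgs(settingsFromEnv(map[string]string{"DOCKER_INSECURE": "true"}), nil))
}
```

Because the flag disables chain verification for every registry the job talks to, scope DOCKER_INSECURE=true to the jobs that actually need it rather than setting it instance-wide.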
Documentation
- Update the Available variables section to include the new DOCKER_INSECURE environment variable
- Update the Running Container Scanning in an offline air-gapped installation section to explain how to use this DOCKER_INSECURE environment variable with a registry using a self-signed SSL certificate.
- Add comments to Add support for self signed docker registry requesting to update the Running container scanning on a local docker image created by a build step in your pipeline section of the Registry Howto to explain how to run a container scan on a local registry with authentication enabled and a self-signed SSL certificate using DOCKER_INSECURE=true
- Update the Environment Variables section of the GitLab Container Scanning README file: not necessary, as we'll be removing this section in the future. Update: This section has now been removed as part of gitlab-org/security-products/analyzers/klar!28 (merged)
What does success look like, and how can we measure that?
GitLab Container Scanning Tool can be used on a locally hosted GitLab instance using a self-signed SSL certificate.
Edited by Adam Cohen