Support tar file scanning
What does this MR do?
Implements support for scanning image tar archives in addition to registry images.
Some customers build their containers locally into tarball files (.tar archives). They want to scan those files rather than upload them to a registry and scan through there.
There is an existing workaround for this where we prepend --input to the image name ending in .tar. This works because we directly execute Trivy and Trivy supports tar archives through the --input flag.
We enable users to add a scheme to CS_IMAGE, either docker:// or archive://, to specify the type of image provided. When prepending archive:// to CS_IMAGE we add the --input flag to the Trivy command and Trivy treats the value as a tar/tarball file. So:
- When scanning an archive, we should prepend archive:// to CS_IMAGE.
- The value that follows the scheme in CS_IMAGE should be set to the path of the image archive to scan.
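The scheme handling described above, as an added Go example that is not the project's own code: ParseCSImage and TrivyArgs are hypothetical names, and the fallback that treats a scheme-less value as a registry image is an assumption about the existing behaviour.

```go
package main

import (
	"fmt"
	"strings"
)

const (
	schemeDocker  = "docker://"
	schemeArchive = "archive://"
)

// ImageRef is the scan target resolved from CS_IMAGE (hypothetical type).
type ImageRef struct {
	Target    string // image reference or archive path, scheme removed
	IsArchive bool   // true when Trivy must read a tar archive via --input
}

// ParseCSImage strips an optional docker:// or archive:// scheme; no scheme keeps the registry-image behaviour.
func ParseCSImage(value string) (ImageRef, error) {
	value = strings.TrimSpace(value)
	switch {
	case strings.HasPrefix(value, schemeArchive):
		path := strings.TrimPrefix(value, schemeArchive)
		if path == "" {
			return ImageRef{}, fmt.Errorf("archive:// requires a path to a tar archive")
		}
		return ImageRef{Target: path, IsArchive: true}, nil
	case strings.HasPrefix(value, schemeDocker):
		return ImageRef{Target: strings.TrimPrefix(value, schemeDocker)}, nil
	case strings.Contains(value, "://"):
		return ImageRef{}, fmt.Errorf("unsupported scheme in CS_IMAGE: %q", value)
	}
	return ImageRef{Target: value}, nil
}

// TrivyArgs builds the Trivy argument list: an archive goes through --input, a registry image is positional.
func TrivyArgs(ref ImageRef) []string {
	if ref.IsArchive {
		return []string{"image", "--input", ref.Target}
	}
	return []string{"image", ref.Target}
}

func main() {
	ref, _ := ParseCSImage("archive://build/app.tar") // constructed sample value
	fmt.Println("trivy", strings.Join(TrivyArgs(ref), " "))
}
```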
Relates to Archive File Scanning for Container Scanning (gitlab-org/gitlab#501077 - closed).
This is the result of a successful pipeline in a Vulnerability Report:
The name of the image is the tar file name. Separately, we will implement a CS_IMAGE_DISPLAY_NAME variable to enable specifying the display name and avoid presenting a file path.
What are the relevant issue numbers?
gitlab-org/gitlab#501077 (closed)
Does this MR meet the acceptance criteria?
- Changelog entry added
- Documentation created/updated for GitLab EE, if necessary
- Documentation created/updated for this project, if necessary
- Documentation reviewed by technical writer or follow-up review issue created
- Tests added for this feature/bug
- Job definition updated, if necessary
- Conforms to the code review guidelines
- Conforms to the Go guidelines
- Security reports checked/validated by reviewer
