所以我试图在gitlab中设置容器扫描,我尝试了很多方法,但似乎都不起作用,我错过了什么?
我的gitlab版本是:GitLab Community Edition 12.9.4
机器中的gitlab-runner为:Version: 12.10.2
这是我的.gitlab-ci.yml
variables:
vulnerable_tag: vulnerable
non_vulnerable_tag: non_vulnerable
IMAGE_NAME: test
CLAIR_OUTPUT: High
stages:
- build
- test
build:
image: docker
stage: build
variables:
IMAGE_NAME: test
IMAGE_TAG: $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA
script:
- uname -a
- docker build -t $IMAGE_NAME .
- docker run -d -p 80:80 $IMAGE_NAME
- docker ps
- curl localhost
- mkdir output
- echo $IMAGE_NAME"/"$CI_COMMIT_REF_SLUG":"$CI_COMMIT_SHA >> output/file.txt
tags:
- testingtag
# artifacts:
# paths:
# - output/
stop_container:
stage: test
script:
- docker stop $(docker ps -q)
是一个简单的nginx容器,它只显示一个普通索引。
我所尝试的(.gitlab-ci.yml中的所有内容)都不起作用
include:
- template: Container-Scanning.gitlab-ci.yml
这就是文档中所说的,也是它应该如何工作的,但是它抛出了一个错误This GitLab CI configuration is invalid: Included file
Container-Scanning.gitlab-ci.ymlis empty or does not exist!
include:
- remote: 'https://gitlab.com/gitlab-org/gitlab/-/raw/master/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml'
这不会抛出错误,但什么也不做。(链接与Container-Scanning.gitlab-ci.yml
相同,但为明文)
最后,将Container-Scanning.gitlab-ci.yml的内容添加为作业
# Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/container_scanning/
variables:
# Setting this variable will affect all Security templates
# (SAST, Dependency Scanning, ...)
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
CS_MAJOR_VERSION: 2
container_scanning:
stage: test
image: $SECURE_ANALYZERS_PREFIX/klar:$CS_MAJOR_VERSION
variables:
# By default, use the latest clair vulnerabilities database, however, allow it to be overridden here with a specific image
# to enable container scanning to run offline, or to provide a consistent list of vulnerabilities for integration testing purposes
CLAIR_DB_IMAGE_TAG: "latest"
CLAIR_DB_IMAGE: "$SECURE_ANALYZERS_PREFIX/clair-vulnerabilities-db:$CLAIR_DB_IMAGE_TAG"
# Override the GIT_STRATEGY variable in your `.gitlab-ci.yml` file and set it to `fetch` if you want to provide a `clair-whitelist.yml`
# file. See https://docs.gitlab.com/ee/user/application_security/container_scanning/index.html#overriding-the-container-scanning-template
# for details
GIT_STRATEGY: none
allow_failure: true
services:
- name: $CLAIR_DB_IMAGE
alias: clair-vulnerabilities-db
script:
- /analyzer run
artifacts:
reports:
container_scanning: gl-container-scanning-report.json
dependencies: []
rules:
- if: $CONTAINER_SCANNING_DISABLED
when: never
- if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bcontainer_scanning\b/
CI跳过此作业,因为它不存在
3条答案
按热度按时间qrjkbowd1#
GitLab community edition不包含容器扫描功能,目前只在旗舰版和金牌订阅中提供,如at the top of this page所示。
此外,这部分CI配置GitLab跳过整个扫描步骤,如果容器扫描功能没有检测到,它不会,因为您正在运行的社区版:
au9on6nz2#
它应该与GitLab 15.0(2022年5月)
在所有层中均可进行容器扫描
Container Scanning可帮助开发人员轻松查找安装在其容器映像中的依赖项中的已知安全漏洞。
在GitLab 15.0中,我们让基本的容器扫描功能在GitLab的每一层都可用。
参见文档和Issue。
不过,以下仅针对搭载GitLab 15.5的旗舰版(2022年10月)
操作容器扫描
GitLab现在正式支持在Kubernetes操作环境或生产环境中对容器映像进行漏洞扫描,您可以通过GitLab Agent for Kubernetes的配置文件设置扫描,也可以通过创建一个scan execution policy来要求扫描以固定的频率运行。
结果显示在项目的漏洞报告页面的操作漏洞选项卡下,以及基础架构〉Kubernetes群集〉代理页面的安全选项卡下。要开始,请确保已安装GitLab Agent for Kubernetes,并且已在代理配置文件或scan execution policy中定义扫描节奏。
参见Documentation和Issue。
du7egjpx3#
如果您检查模板的路径,它包括
Security
,因此下面的代码应该可以工作: