在GitLab中为配置项添加容器扫描

5uzkadbs  于 2023-02-07  发布在  Git
关注(0)|答案(3)|浏览(151)

所以我试图在gitlab中设置容器扫描,我尝试了很多方法,但似乎都不起作用,我错过了什么?
我的gitlab版本是:GitLab Community Edition 12.9.4
机器中的gitlab-runner为:Version: 12.10.2
这是我的.gitlab-ci.yml

variables:
  vulnerable_tag: vulnerable
  non_vulnerable_tag: non_vulnerable
  IMAGE_NAME: test
  CLAIR_OUTPUT: High 

stages:
    - build
    - test

build:
  image: docker
  stage: build
  variables:
    IMAGE_NAME: test
    IMAGE_TAG: $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA
  script:
    - uname -a
    - docker build -t $IMAGE_NAME .
    - docker run -d -p 80:80 $IMAGE_NAME 
    - docker ps
    - curl localhost
    - mkdir output
    - echo $IMAGE_NAME"/"$CI_COMMIT_REF_SLUG":"$CI_COMMIT_SHA >> output/file.txt
  tags:
    - testingtag
#  artifacts:
#    paths: 
#      - output/

stop_container:
  stage: test
  script:
    - docker stop $(docker ps -q)

是一个简单的nginx容器,它只显示一个普通索引。
我所尝试的(.gitlab-ci.yml中的所有内容)都不起作用

include:
  - template: Container-Scanning.gitlab-ci.yml

这就是文档中所说的,也是它应该如何工作的,但是它抛出了一个错误This GitLab CI configuration is invalid: Included fileContainer-Scanning.gitlab-ci.ymlis empty or does not exist!

include:
 - remote: 'https://gitlab.com/gitlab-org/gitlab/-/raw/master/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml'

这不会抛出错误,但什么也不做。(链接与Container-Scanning.gitlab-ci.yml相同,但为明文)
最后,将Container-Scanning.gitlab-ci.yml的内容添加为作业

# Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/container_scanning/

variables:
  # Setting this variable will affect all Security templates
  # (SAST, Dependency Scanning, ...)
  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"

  CS_MAJOR_VERSION: 2

container_scanning:
  stage: test
  image: $SECURE_ANALYZERS_PREFIX/klar:$CS_MAJOR_VERSION
  variables:
    # By default, use the latest clair vulnerabilities database, however, allow it to be overridden here with a specific image
    # to enable container scanning to run offline, or to provide a consistent list of vulnerabilities for integration testing purposes
    CLAIR_DB_IMAGE_TAG: "latest"
    CLAIR_DB_IMAGE: "$SECURE_ANALYZERS_PREFIX/clair-vulnerabilities-db:$CLAIR_DB_IMAGE_TAG"
    # Override the GIT_STRATEGY variable in your `.gitlab-ci.yml` file and set it to `fetch` if you want to provide a `clair-whitelist.yml`
    # file. See https://docs.gitlab.com/ee/user/application_security/container_scanning/index.html#overriding-the-container-scanning-template
    # for details
    GIT_STRATEGY: none
  allow_failure: true
  services:
    - name: $CLAIR_DB_IMAGE
      alias: clair-vulnerabilities-db
  script:
    - /analyzer run
  artifacts:
    reports:
      container_scanning: gl-container-scanning-report.json
  dependencies: []
  rules:
    - if: $CONTAINER_SCANNING_DISABLED
      when: never
    - if: $CI_COMMIT_BRANCH &&
          $GITLAB_FEATURES =~ /\bcontainer_scanning\b/

CI跳过此作业,因为它不存在

qrjkbowd

qrjkbowd1#

GitLab community edition不包含容器扫描功能,目前只在旗舰版和金牌订阅中提供,如at the top of this page所示。
此外,这部分CI配置GitLab跳过整个扫描步骤,如果容器扫描功能没有检测到,它不会,因为您正在运行的社区版:

rules:  
    - if: $CONTAINER_SCANNING_DISABLED  
      when: never  
    - if: $CI_COMMIT_BRANCH &&  
          $GITLAB_FEATURES =~ /\bcontainer_scanning\b/
au9on6nz

au9on6nz2#

它应该与GitLab 15.0(2022年5月)

在所有层中均可进行容器扫描

Container Scanning可帮助开发人员轻松查找安装在其容器映像中的依赖项中的已知安全漏洞。
在GitLab 15.0中,我们让基本的容器扫描功能在GitLab的每一层都可用。
参见文档和Issue
不过,以下仅针对搭载GitLab 15.5的旗舰版(2022年10月)

操作容器扫描

GitLab现在正式支持在Kubernetes操作环境或生产环境中对容器映像进行漏洞扫描,您可以通过GitLab Agent for Kubernetes的配置文件设置扫描,也可以通过创建一个scan execution policy来要求扫描以固定的频率运行。
结果显示在项目的漏洞报告页面的操作漏洞选项卡下,以及基础架构〉Kubernetes群集〉代理页面的安全选项卡下。要开始,请确保已安装GitLab Agent for Kubernetes,并且已在代理配置文件或scan execution policy中定义扫描节奏。

参见DocumentationIssue

du7egjpx

du7egjpx3#

如果您检查模板的路径,它包括Security,因此下面的代码应该可以工作:

include:
  - template: Security/Container-Scanning.gitlab-ci.yml

相关问题