Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Jérome Perrin
gitlab-ce
Commits
f2f7bb2b
Commit
f2f7bb2b
authored
Mar 15, 2018
by
Olivier Gonzalez
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Rename SAST for Docker to Container Scanning in documentation. Refs gitlab-org/gitlab-ee#5017
parent
1b1475cb
Changes
4
Show whitespace changes
Inline
Side-by-side
Showing
4 changed files
with
64 additions
and
60 deletions
+64
-60
doc/ci/examples/README.md
doc/ci/examples/README.md
+5
-2
doc/ci/examples/container_scanning.md
doc/ci/examples/container_scanning.md
+55
-0
doc/ci/examples/sast_docker.md
doc/ci/examples/sast_docker.md
+1
-55
doc/topics/autodevops/index.md
doc/topics/autodevops/index.md
+3
-3
No files found.
doc/ci/examples/README.md
View file @
f2f7bb2b
...
@@ -47,8 +47,11 @@ There's also a collection of repositories with [example projects](https://gitlab
...
@@ -47,8 +47,11 @@ There's also a collection of repositories with [example projects](https://gitlab
## Static Application Security Testing (SAST)
## Static Application Security Testing (SAST)
-
**(Ultimate)**
[
Scan your code for vulnerabilities
](
https://docs.gitlab.com/ee/ci/examples/sast.html
)
**(Ultimate)**
[
Scan your code for vulnerabilities
](
https://docs.gitlab.com/ee/ci/examples/sast.html
)
-
[
Scan your Docker images for vulnerabilities
](
sast_docker.md
)
## Container Scanning
[
Scan your Docker images for vulnerabilities
](
container_scanning.md
)
## Dynamic Application Security Testing (DAST)
## Dynamic Application Security Testing (DAST)
...
...
doc/ci/examples/container_scanning.md
0 → 100644
View file @
f2f7bb2b
# Container Scanning with GitLab CI/CD
You can check your Docker images (or more precisely the containers) for known
vulnerabilities by using
[
Clair
](
https://github.com/coreos/clair
)
and
[
clair-scanner
](
https://github.com/arminc/clair-scanner
)
, two open source tools
for Vulnerability Static Analysis for containers.
All you need is a GitLab Runner with the Docker executor (the shared Runners on
GitLab.com will work fine). You can then add a new job to
`.gitlab-ci.yml`
,
called
`sast:container`
:
```
yaml
sast:container:
image
:
docker:latest
variables
:
DOCKER_DRIVER
:
overlay2
## Define two new variables based on GitLab's CI/CD predefined variables
## https://docs.gitlab.com/ee/ci/variables/#predefined-variables-environment-variables
CI_APPLICATION_REPOSITORY
:
$CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG
CI_APPLICATION_TAG
:
$CI_COMMIT_SHA
allow_failure
:
true
services
:
-
docker:dind
script
:
-
docker run -d --name db arminc/clair-db:latest
-
docker run -p 6060:6060 --link db:postgres -d --name clair arminc/clair-local-scan:v2.0.1
-
apk add -U wget ca-certificates
-
docker pull ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG}
-
wget https://github.com/arminc/clair-scanner/releases/download/v8/clair-scanner_linux_amd64
-
mv clair-scanner_linux_amd64 clair-scanner
-
chmod +x clair-scanner
-
touch clair-whitelist.yml
-
./clair-scanner -c http://docker:6060 --ip $(hostname -i) -r gl-sast-container-report.json -l clair.log -w clair-whitelist.yml ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG} ||
true
artifacts
:
paths
:
[
gl-sast-container-report.json
]
```
The above example will create a
`sast:container`
job in your CI/CD pipeline, pull
the image from the
[
Container Registry
](
../../user/project/container_registry.md
)
(whose name is defined from the two
`CI_APPLICATION_`
variables) and scan it
for possible vulnerabilities. The report will be saved as an artifact that you
can later download and analyze.
If you want to whitelist some specific vulnerabilities, you can do so by defining
them in a
[
YAML file
](
https://github.com/arminc/clair-scanner/blob/master/README.md#example-whitelist-yaml-file
)
,
in our case its named
`clair-whitelist.yml`
.
TIP:
**Tip:**
Starting with
[
GitLab Ultimate
][
ee
]
10.4, this information will
be automatically extracted and shown right in the merge request widget. To do
so, the CI/CD job must be named
`sast:container`
and the artifact path must be
`gl-sast-container-report.json`
.
[
Learn more on container scanning results shown in merge requests
](
https://docs.gitlab.com/ee/user/project/merge_requests/container_scanning.html
)
.
[
ee
]:
https://about.gitlab.com/products/
doc/ci/examples/sast_docker.md
View file @
f2f7bb2b
# Static Application Security Testing for Docker containers with GitLab CI/CD
This document was moved to
[
another location
](
./container_scanning.md
)
.
\ No newline at end of file
You can check your Docker images (or more precisely the containers) for known
vulnerabilities by using
[
Clair
](
https://github.com/coreos/clair
)
and
[
clair-scanner
](
https://github.com/arminc/clair-scanner
)
, two open source tools
for Vulnerability Static Analysis for containers.
All you need is a GitLab Runner with the Docker executor (the shared Runners on
GitLab.com will work fine). You can then add a new job to
`.gitlab-ci.yml`
,
called
`sast:container`
:
```
yaml
sast:container:
image
:
docker:latest
variables
:
DOCKER_DRIVER
:
overlay2
## Define two new variables based on GitLab's CI/CD predefined variables
## https://docs.gitlab.com/ee/ci/variables/#predefined-variables-environment-variables
CI_APPLICATION_REPOSITORY
:
$CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG
CI_APPLICATION_TAG
:
$CI_COMMIT_SHA
allow_failure
:
true
services
:
-
docker:dind
script
:
-
docker run -d --name db arminc/clair-db:latest
-
docker run -p 6060:6060 --link db:postgres -d --name clair arminc/clair-local-scan:v2.0.1
-
apk add -U wget ca-certificates
-
docker pull ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG}
-
wget https://github.com/arminc/clair-scanner/releases/download/v8/clair-scanner_linux_amd64
-
mv clair-scanner_linux_amd64 clair-scanner
-
chmod +x clair-scanner
-
touch clair-whitelist.yml
-
./clair-scanner -c http://docker:6060 --ip $(hostname -i) -r gl-sast-container-report.json -l clair.log -w clair-whitelist.yml ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG} ||
true
artifacts
:
paths
:
[
gl-sast-container-report.json
]
```
The above example will create a
`sast:container`
job in your CI/CD pipeline, pull
the image from the
[
Container Registry
](
../../user/project/container_registry.md
)
(whose name is defined from the two
`CI_APPLICATION_`
variables) and scan it
for possible vulnerabilities. The report will be saved as an artifact that you
can later download and analyze.
If you want to whitelist some specific vulnerabilities, you can do so by defining
them in a
[
YAML file
](
https://github.com/arminc/clair-scanner/blob/master/README.md#example-whitelist-yaml-file
)
,
in our case its named
`clair-whitelist.yml`
.
TIP:
**Tip:**
Starting with
[
GitLab Ultimate
][
ee
]
10.4, this information will
be automatically extracted and shown right in the merge request widget. To do
so, the CI/CD job must be named
`sast:container`
and the artifact path must be
`gl-sast-container-report.json`
.
[
Learn more on application security testing results shown in merge requests
](
https://docs.gitlab.com/ee/user/project/merge_requests/sast_docker.html
)
.
[
ee
]:
https://about.gitlab.com/products/
doc/topics/autodevops/index.md
View file @
f2f7bb2b
...
@@ -20,7 +20,7 @@ project in an easy and automatic way:
...
@@ -20,7 +20,7 @@ project in an easy and automatic way:
1.
[
Auto Test
](
#auto-test
)
1.
[
Auto Test
](
#auto-test
)
1.
[
Auto Code Quality
](
#auto-code-quality
)
1.
[
Auto Code Quality
](
#auto-code-quality
)
1.
[
Auto SAST (Static Application Security Testing)
](
#auto-sast
)
1.
[
Auto SAST (Static Application Security Testing)
](
#auto-sast
)
1.
[
Auto
SAST for Docker images
](
#auto-sast-for-docker-images
)
1.
[
Auto
Container Scanning
](
#auto-container-scanning
)
1.
[
Auto Review Apps
](
#auto-review-apps
)
1.
[
Auto Review Apps
](
#auto-review-apps
)
1.
[
Auto DAST (Dynamic Application Security Testing)
](
#auto-dast
)
1.
[
Auto DAST (Dynamic Application Security Testing)
](
#auto-dast
)
1.
[
Auto Deploy
](
#auto-deploy
)
1.
[
Auto Deploy
](
#auto-deploy
)
...
@@ -217,7 +217,7 @@ check out.
...
@@ -217,7 +217,7 @@ check out.
In GitLab Ultimate, any security warnings are also
In GitLab Ultimate, any security warnings are also
[
shown in the merge request widget
](
https://docs.gitlab.com/ee/user/project/merge_requests/sast.html
)
.
[
shown in the merge request widget
](
https://docs.gitlab.com/ee/user/project/merge_requests/sast.html
)
.
### Auto
SAST for Docker images
### Auto
Container Scanning
> Introduced in GitLab 10.4.
> Introduced in GitLab 10.4.
...
@@ -228,7 +228,7 @@ created, it's uploaded as an artifact which you can later download and
...
@@ -228,7 +228,7 @@ created, it's uploaded as an artifact which you can later download and
check out.
check out.
In GitLab Ultimate, any security warnings are also
In GitLab Ultimate, any security warnings are also
[
shown in the merge request widget
](
https://docs.gitlab.com/ee/user/project/merge_requests/
sast_docker
.html
)
.
[
shown in the merge request widget
](
https://docs.gitlab.com/ee/user/project/merge_requests/
container_scanning
.html
)
.
### Auto Review Apps
### Auto Review Apps
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment