Kaspersky Container Security

Running the scanner in the lite SBOM mode

March 27, 2024

ID 270274

Kaspersky Container Security allows you to start a scanner to check images for vulnerabilities in the lite SBOM mode. In this case, the solution scans a specially created SBOM file, and the results of this scan become available at the CI/CD stage.

Data from listening to and intercepting network traffic must be securely transferred between the CI/CD environment and the solution.

You can generate an artifact for download in the .SPDX, .HTML, or .JSON format to receive the results.

Running a scanner in GitLab

To start the scanner in the lite SBOM mode, when configuring image scanning in CI/CD, edit the .gitlab-ci.yml configuration file as follows:

  1. Add information about the image of the scanner that is started for image scanning in CI/CD as follows:

    scan_image:
      stage: scanner
      image:
        name: repo.cloud.example.com/repository/company/scanner:v.1.1.1-lite
        entrypoint: [""]
        pull_policy: always

  2. Specify the orchestration platform tag as follows:

      tags:
        - k8s

    In the example provided, the k8s tag is specified for Kubernetes; you can also specify the tag for another supported orchestration platform.

  3. Specify such variables as the build ID, private repository details, pipeline ID, and API token for authorization of the CI/CD scanner requests to Kaspersky Container Security as follows:

      variables:
        SCAN_TARGET: ${CI_REGISTRY_IMAGE}:master
        COMPANY_EXT_REGISTRY_USERNAME: ${COMPANY_EXT_REGISTRY_USERNAME}
        COMPANY_EXT_REGISTRY_PASSWORD: ${COMPANY_EXT_REGISTRY_PASSWORD}
        BUILD_NUMBER: ${CI_JOB_ID}
        BUILD_PIPELINE: ${CI_PIPELINE_ID}
        API_TOKEN: <API token value>

  4. If necessary, specify a variable to verify the data receiving server in CI/CD using the CA certificate of the Ingress controller:

        API_CA_CERT: ${KCS_CA_CERT}

    If the API_CA_CERT variable is not set, scanning will start but will not be completed.

  5. Specify the web address of the API host server for Kaspersky Container Security:

        API_BASE_URL: <web address>

  6. Specify the command to create an SBOM file when the scanner is started, in one of the following supported formats:

    • To generate an artifact in the .JSON format:

        script:
          - /bin/sh /entrypoint.sh $SCAN_TARGET --stdout > artifact-result.json
        artifacts:
          paths:
            - artifact-result.json

    • To generate an artifact in the .HTML format:

        script:
          - /bin/sh /entrypoint.sh $SCAN_TARGET --html --stdout > artifact-result.html
        artifacts:
          paths:
            - artifact-result.html

    • To generate an artifact in the .SPDX format:

        script:
          - /bin/sh /entrypoint.sh $SCAN_TARGET --spdx --stdout > artifact-result.spdx
        artifacts:
          paths:
            - artifact-result.spdx

Example of the scanner configured to operate in the lite SBOM mode and the artifact generation in the .HTML format in GitLab
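The six steps above assembled into one complete job (lite SBOM mode, .HTML artifact), as an added example rather than the page's own configuration; KCS_API_TOKEN and KCS_API_BASE_URL are assumed names for masked CI/CD variables defined in the project settings.

```yaml
# Added example: complete .gitlab-ci.yml job built from steps 1-6 (not the page's own).
# KCS_API_TOKEN and KCS_API_BASE_URL are assumed masked CI/CD project variables.
stages:
  - scanner

scan_image:
  stage: scanner
  image:
    name: repo.cloud.example.com/repository/company/scanner:v.1.1.1-lite
    entrypoint: [""]
    pull_policy: always
  tags:
    - k8s
  variables:
    SCAN_TARGET: ${CI_REGISTRY_IMAGE}:master
    COMPANY_EXT_REGISTRY_USERNAME: ${COMPANY_EXT_REGISTRY_USERNAME}
    COMPANY_EXT_REGISTRY_PASSWORD: ${COMPANY_EXT_REGISTRY_PASSWORD}
    BUILD_NUMBER: ${CI_JOB_ID}
    BUILD_PIPELINE: ${CI_PIPELINE_ID}
    # Token comes from a masked CI/CD variable instead of a literal in the file
    API_TOKEN: ${KCS_API_TOKEN}
    # Ingress CA certificate: without it the scan starts but is never completed
    API_CA_CERT: ${KCS_CA_CERT}
    API_BASE_URL: ${KCS_API_BASE_URL}
  script:
    - /bin/sh /entrypoint.sh $SCAN_TARGET --html --stdout > artifact-result.html
  artifacts:
    paths:
      - artifact-result.html
```

The produced artifact-result.html is then available for download from the job, and the scan results also appear in the solution's CI/CD resources.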

Running a scanner in Docker

To start the scanner in the lite SBOM mode in Docker:

  1. Specify the web address of the API host server for Kaspersky Container Security:

      -e API_BASE_URL=https://company.inno.local

  2. Specify the value of the variable to skip checking the data receiving server using the CA certificate of the Ingress controller:

      -e SKIP_API_SERVER_VALIDATION=true

  3. Specify the API token for authorization of the CI/CD scanner requests to Kaspersky Container Security as follows:

      -e API_TOKEN=<API token value>

  4. Specify the image used to run the scanner that contains the databases of vulnerabilities and other malicious objects:

      repo.kcs.company.com/images/scanner:v1.1.1-with-db

  5. If you need to generate an artifact for downloading in the .SPDX, .HTML, or .JSON format, specify the following:

      --<artifact format> --stdout > result.<file format>

    For example:

      --html --stdout > result.html

  6. Press the Enter key to start the scanner.

    If a domain name resolution error (Name does not resolve) appears when calling the scanner, specify the address of your organization's internal DNS server before the API_BASE_URL variable. For example:

      --dns 10.0.xx.x

      -e API_BASE_URL=https://company.inno.local/

Example of the scanner configured to operate in the lite SBOM mode and the artifact generation in the .JSON format in Docker

Scan results can be obtained in the format you specified and can also be viewed in the Resources → CI/CD section.
