Kaspersky Container Security

Configuring image and configuration file scan settings

July 3, 2024

ID 259284

To scan images or repositories (in order to scan configuration files) used in the CI/CD process, add a stage to the CI/CD pipeline that runs the Kaspersky Container Security scanner. The scanning results are forwarded to the Kaspersky Container Security Server and are displayed in the Management console in the Resources → CI/CD section.

Data exchanged between the CI/CD environment and the product must be transferred securely so that it cannot be read or intercepted from network traffic.

Example of configuring integration with GitLab CI/CD

This example uses a specific scanner image with the built-in vulnerability databases located in the image registry of the Kaspersky Container Security manufacturer.

To use the image scanning feature in the GitLab CI/CD process, you should enable the use of the GitLab Container Registry.

Integration configuration includes the following steps:

  1. Authorization of GitLab CI/CD in the image registry of the Kaspersky Container Security manufacturer.
    1. On the cluster operator's workstation, prepare a Base64 hash of the authorization data by running the following command:

      printf "login:password" | openssl base64 -A

      where login and password are the user name and password of an account in the image registry of the Kaspersky Container Security manufacturer.

    2. In the GitLab CI/CD environment variables, create the DOCKER_AUTH_CONFIG variable (in the GitLab repository select Settings → CI/CD, click the Expand button to expand Variables, and then click the Add variable button).
    3. Specify the variable in the following form:

      {
        "auths": {
          "repo.cloud.tronsec.ru": {
            "auth": "base64hash"
          }
        }
      }

      where base64hash is the string obtained in step 1a.

  2. Authorization of requests from GitLab CI/CD when sending data to Kaspersky Container Security.
    1. On the cluster operator's workstation, prepare a Base64 hash of the authorization data by running the following command:

      printf "login:password" | openssl base64 -A

      where login and password are the user name and password of an account in the image registry of the Kaspersky Container Security manufacturer.

    2. Specify the resulting hash in the API_TOKEN variable in the .gitlab-ci.yml configuration file.
  3. Adding the image scanning stage to the CI/CD process.

    To add scanning to the CI/CD pipeline, you should add the following lines to the .gitlab-ci.yml file:

    1. Add the information about the image for scanning after the build preparation as follows:

      scan_image:
        stage: scanner
        image:
          name: repo.cloud.tronsec.ru/repository/tron-customer/scanner:v1.0.1-with-db
          entrypoint: [""]

    2. Specify the tag and token for authorization of the CI/CD scanner requests to Kaspersky Container Security as follows:

        variables:
          SCAN_TARGET: ${CI_REGISTRY_IMAGE}:master
          API_TOKEN: base64hash

      The example above uses the master tag; you can specify another tag instead.

    3. If you configure scanning for a private repository, specify the authorization data so that the scanner can access the image. The authorization data can be set as variables:

          TRON_EXT_REGISTRY_USERNAME: ${TRON_EXT_REGISTRY_USERNAME}
          TRON_EXT_REGISTRY_PASSWORD: ${TRON_EXT_REGISTRY_PASSWORD}

    4. Specify the domain name of the Kaspersky Container Security Management console in your corporate network:

          API_BASE_URL: <domain name>
        script:
          - /bin/sh /entrypoint.sh $SCAN_TARGET --stdout > artifact-result.json
        artifacts:
          paths:
            - artifact-result.json
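The fragments in steps 3a to 3d assembled into one complete .gitlab-ci.yml, as an added example that is not part of this article or of the product's own documentation. The stage names, the build_image job (any job that pushes the image to the GitLab Container Registry before the scan will do) and the API_BASE_URL value are assumptions; the scanner image, variable names, script line and artifact path are the ones given above.

```yaml
# Added example: complete pipeline built from the fragments in the article.
# Assumed: stage names, the build_image job and the API_BASE_URL placeholder.
stages:
  - build
  - scanner

# Assumed build job: builds the image and pushes it to the GitLab Container
# Registry under the tag that SCAN_TARGET refers to (master, as in the article).
# CI_REGISTRY, CI_REGISTRY_USER, CI_REGISTRY_PASSWORD and CI_REGISTRY_IMAGE are
# predefined GitLab CI/CD variables.
build_image:
  stage: build
  image: docker:latest
  services:
    - docker:dind
  script:
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
    - docker build -t "$CI_REGISTRY_IMAGE:master" .
    - docker push "$CI_REGISTRY_IMAGE:master"

# Scan job from steps 3a to 3d. The runner pulls the scanner image from the
# manufacturer's registry using the DOCKER_AUTH_CONFIG variable set up in step 1.
scan_image:
  stage: scanner
  image:
    name: repo.cloud.tronsec.ru/repository/tron-customer/scanner:v1.0.1-with-db
    entrypoint: [""]
  variables:
    SCAN_TARGET: ${CI_REGISTRY_IMAGE}:master
    # Base64 string from step 2a (placeholder value, replace with your own).
    API_TOKEN: base64hash
    # Only needed when the scanned repository is private (step 3c); values come
    # from GitLab CI/CD variables of the same name.
    TRON_EXT_REGISTRY_USERNAME: ${TRON_EXT_REGISTRY_USERNAME}
    TRON_EXT_REGISTRY_PASSWORD: ${TRON_EXT_REGISTRY_PASSWORD}
    # Assumed placeholder for the Management console domain name (step 3d).
    API_BASE_URL: kcs.example.internal
  script:
    - /bin/sh /entrypoint.sh $SCAN_TARGET --stdout > artifact-result.json
  artifacts:
    paths:
      - artifact-result.json
```

The registry credentials for a private repository are already read from GitLab CI/CD variables rather than written into the file; the same pattern (a masked, protected CI/CD variable referenced as ${NAME}) keeps the API_TOKEN value out of the repository history as well, and the artifact-result.json artifact lets the job's JSON output be inspected in GitLab alongside the results shown in the Resources → CI/CD section.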
