Kaspersky Container Security

Configuring image and configuration file scan settings

March 27, 2024

ID 263676

To scan images or repositories (to scan configuration files) used in the CI/CD process, add a stage to the CI/CD pipeline that runs the Kaspersky Container Security Scanner. The scanning results are forwarded to the Kaspersky Container Security Server and are displayed in the Management Console in the Inventory → CI/CD section.

Data must be transferred between the CI/CD environment and the solution over a secure channel, so that it cannot be read or altered by anyone listening to or intercepting network traffic.

Example of configuring integration with GitLab CI/CD

This example uses a specific scanner image with the built-in vulnerability databases located in the image registry of the Kaspersky Container Security manufacturer.

To use the image scanning feature in the GitLab CI/CD process, you should enable the use of the GitLab Container Registry.

Integration configuration includes the following steps:

  1. Authorization of GitLab CI/CD in the image registry of the Kaspersky Container Security manufacturer.
    1. On the cluster operator's workstation, prepare a Base64 hash of the authorization data by running the following command:

      printf "login:password" | openssl base64 -A

      where login and password are the user name and password of an account in the image registry of the Kaspersky Container Security manufacturer.

    2. In the GitLab CI/CD environment variables, create the DOCKER_AUTH_CONFIG variable (in the GitLab repository select Settings → CI/CD, click the Expand button to expand Variables, and then click the Add variable button).
    3. Specify the variable in the following form:

      {
        "auths": {
          "repo.cloud.example.com": {
            "auth": "base64hash"
          }
        }
      }

      where base64hash is the string obtained in step 1a.

  2. Authorization of requests from GitLab CI/CD when sending data to Kaspersky Container Security.
    1. Copy the API token on the My profile page.
    2. Specify the copied API token value in the API_TOKEN variable in the .gitlab-ci.yml configuration file.
  3. Adding the image scanning stage to the CI/CD process.

    To add scanning to the CI/CD pipeline, you should add the following lines to the .gitlab-ci.yml file:

    1. Add information about the scanner image that contains databases of vulnerabilities and other malicious objects after the code build stage in the following form:

      scan_image:
        stage: scanner
        image:
          name: repo.cloud.example.com/repository/company/scanner:v1.1.1-with-db
          entrypoint: [""]
          pull_policy: always

      We recommend that you specify always for the pull_policy parameter to receive relevant builds with updated databases of vulnerabilities and other malicious objects for each scan.

    2. Specify the tag, build ID, pipeline ID and API token for authorization of the CI/CD scanner requests to Kaspersky Container Security as follows:

      SCAN_TARGET: ${CI_REGISTRY_IMAGE}:master
      BUILD_NUMBER: ${CI_JOB_ID}
      BUILD_PIPELINE: ${CI_PIPELINE_ID}
      API_TOKEN: <API token value>

      This example uses the master tag; you can specify another tag instead.

    3. If you configure scanning for a private repository, specify the authorization data to ensure the scanner can access an image. The authorization data can be set as variables.

      COMPANY_EXT_REGISTRY_USERNAME: ${COMPANY_EXT_REGISTRY_USERNAME}
      COMPANY_EXT_REGISTRY_PASSWORD: ${COMPANY_EXT_REGISTRY_PASSWORD}

    4. If necessary, specify a variable so that the scanner running in CI/CD can verify the data receiving server using the CA certificate of the Ingress controller:

      API_CA_CERT: ${KCS_CA_CERT}

      The CA certificate of the Ingress controller is specified in the text field as a string in the .PEM format:

      -----BEGIN CERTIFICATE-----\n...<certificate details>...\n-----END CERTIFICATE-----

      If the API_CA_CERT variable is not set, scanning will start but will not be completed.

      Use of the CA certificate of the Ingress controller allows the scanner running in CI/CD to verify the authenticity of the data receiving server.

      If you use a self-signed certificate, or want to skip checking the data receiving server using the CA certificate of the Ingress controller, specify the value of the variable to skip the check as follows:

      SKIP_API_SERVER_VALIDATION: 'true'

    5. Specify the web address of the API host server for Kaspersky Container Security:

      API_BASE_URL: <web address>

      script:
        - /bin/sh /entrypoint.sh $SCAN_TARGET --stdout > artifact-result.json

      artifacts:
        paths:
          - artifact-result.json
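The fragments from steps 1 to 5 assembled into one complete job for the .gitlab-ci.yml file, as an added example that is not part of the original article. It assumes a preceding stage named build, and that the API token and API host address are stored as masked GitLab CI/CD variables named KCS_API_TOKEN and KCS_API_BASE_URL (names chosen here; the other variable names come from the article).

```yaml
# Added example: complete scan job assembled from the fragments above.
# Assumed: a preceding stage named "build", and masked GitLab CI/CD variables
# KCS_API_TOKEN and KCS_API_BASE_URL (names chosen here, not from the article).
stages:
  - build
  - scanner

scan_image:
  stage: scanner
  image:
    name: repo.cloud.example.com/repository/company/scanner:v1.1.1-with-db
    entrypoint: [""]
    pull_policy: always          # pull fresh vulnerability databases for every scan
  variables:
    SCAN_TARGET: ${CI_REGISTRY_IMAGE}:master
    BUILD_NUMBER: ${CI_JOB_ID}
    BUILD_PIPELINE: ${CI_PIPELINE_ID}
    # Reference a masked variable instead of pasting the token into the file
    API_TOKEN: ${KCS_API_TOKEN}
    # Only needed when the scanned image lives in a private repository
    COMPANY_EXT_REGISTRY_USERNAME: ${COMPANY_EXT_REGISTRY_USERNAME}
    COMPANY_EXT_REGISTRY_PASSWORD: ${COMPANY_EXT_REGISTRY_PASSWORD}
    # CA certificate of the Ingress controller (PEM, newlines written as \n),
    # so the scanner verifies the data receiving server rather than skipping it
    API_CA_CERT: ${KCS_CA_CERT}
    API_BASE_URL: ${KCS_API_BASE_URL}
  script:
    - /bin/sh /entrypoint.sh $SCAN_TARGET --stdout > artifact-result.json
  artifacts:
    paths:
      - artifact-result.json
```

Set SKIP_API_SERVER_VALIDATION: 'true' only for the self-signed-certificate case from step 4, because it disables verification of the data receiving server.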

After configuring integration with an external registry, you can scan images within the CI/CD process, including scanning in SBOM mode. Scan results can be viewed in Resources → CI/CD, or downloaded in the .SPDX, .JSON, and .HTML formats.
