Scanning images from CI/CD

To scan images from CI/CD, in the configuration file used to integrate the repository, specify the API_BASE_URL (web-address of the Kaspersky Container Security API server) and API_TOKEN (token to access API of the Kaspersky Container Security) environment variables for the scanner.

To scan an image from a TAR archive:

Build an image and save it as a TAR archive using any application for creating containerized images.
Start the scan by running a command in the following format:
/scanner image.tar --file --stdout

where:
- <--file> is the file with the image to be scanned
- <--stdout> is output to the security event log
Example of a configuration file with settings for scanning a TAR archive

stages:

- build_tar

- scan_tar

- push_image

build_tar:

stage: build_tar

tags:

- k8s

- docker

image:

name: gcr.io/kaniko-project/executor:v1.9.0-debug

entrypoint: [""]

dependencies:

- scan_source_branch

- scan_source_commit

script:

- mkdir -p /kaniko/.docker

- echo "${DOCKER_AUTH_CONFIG}" > /kaniko/.docker/config.json

- /kaniko/executor

--context "${CI_PROJECT_DIR}"

--dockerfile "${CI_PROJECT_DIR}/Dockerfile"

--destination "${CI_REGISTRY_IMAGE}:${CI_COMMIT_REF_NAME}"

--compressed-caching=false

--build-arg GITLAB_USER=gitlab-ci-token

--build-arg GITLAB_TOKEN=${CI_JOB_TOKEN}

--no-push

--tarPath=image.tar

artifacts:

paths:

- image.tar

expire_in: 2 hours

scan_tar:

stage: scan_tar

tags:

- k8s

- docker

dependencies:

- build_tar

image:

name: "company.gitlab.cloud.net:5050/companydev/example/scanner:master-with-db"

pull_policy: always

entrypoint: [""]

variables:

API_BASE_URL: ${API_BASE_URL}

API_TOKEN: ${API_TOKEN}

API_CA_CERT: ${KCS_CA_CERT}

script:

- /scanner image.tar --file --stdout

artifacts:

paths:

- image.tar

expire_in: 2 hours

push_image:

stage: push_image

tags:

- k8s

image:

name: gcr.io/go-containerregistry/crane:debug

entrypoint: [""]

dependencies:

- scan_tar

script:

- mkdir -p $HOME/.docker

- echo "${DOCKER_AUTH_CONFIG}" > $HOME/.docker/config.json

- /ko-app/crane push image.tar "${CI_REGISTRY_IMAGE}:${CI_COMMIT_REF_NAME}"

To scan an image from a Git repository:

In the configuration file of the Git repository, specify the token for accessing the repository (for example, GitLab requires you to indicate a value for GITLAB_TOKEN).
Start scanning by running a command in the following format:
/scanner [TARGET] [--repo REPO_URL] [--branch BRANCH] [--commit COMMIT] --stdout

where:
- <TARGET> is the path to the file with the image to be scanned
- <--repo> is the web address (URL) of the Git repository
- <--branch> is the branch of the repository to be scanned
- <--commit> is the hash of the commit to be scanned
- <--stdout> is the output to the security event log.
Example of a configuration file with environment variables for scanning an image from a Git repository

stages:

- scan_source_branch

- scan_source_commit

scan_source_branch:

stage: scan_source_branch

image:

name: "company.gitlab.cloud.net:5050/companydev/example/scanner:master-with-db"

pull_policy: always

entrypoint: [""]

tags:

- k8s

- docker

variables:

API_BASE_URL: ${API_BASE_URL}

API_TOKEN: ${API_TOKEN}

API_CA_CERT: ${KCS_CA_CERT}

script:

- GITLAB_TOKEN=${CI_JOB_TOKEN} /scanner --repo ${CI_REPOSITORY_URL} --branch ${CI_COMMIT_BRANCH} --stdout

scan_source_commit:

stage: scan_source_commit

image:

name: "company.gitlab.cloud.net:5050/companydev/example/scanner:master-with-db"

pull_policy: always

entrypoint: [""]

tags:

- k8s

- docker

variables:

API_BASE_URL: ${API_BASE_URL}

API_TOKEN: ${API_TOKEN}

API_CA_CERT: ${KCS_CA_CERT}

script:

- GITLAB_TOKEN=${CI_JOB_TOKEN} /scanner --repo ${CI_REPOSITORY_URL} --commit ${CI_COMMIT_SHA} --stdout

Page top