Specifying secrets when starting a scan

When starting a scan job in the CI/CD process, the registry containing the scanner image (the lite or with-db scanner for the corresponding version of Kaspersky Container Security) can be accessible only after authorization. For authorization, you can pass the required secrets in the scan job.

To be authorized for access to the registry when starting a scan job:

1. Create a secret:

   kubectl create secret docker-registry ci-creds --docker-server=client.repo.example.com --docker-username=username --docker-password=password

2. In the scan job, specify the value of the imagePullSecrets variable:

   imagePullSecrets:

   - name: ci-creds

3. Start the scan job.

   Example of a scan job with secrets for authorization

   kind: Job

   metadata:

   name: my-job

   spec:

   template:

   spec:

   containers:

   - name: my-container

   image: client.repo.example.com/scanner:master

   command: ["/bin/sh"]

   args: ["entrypoint.sh", "apline:latest"]

   env:

   - name: COMPANY_EXT_REGISTRY_USERNAME

   value: another_username

   - name: COMPANY_EXT_REGISTRY_PASSWORD

   value: another_password

   - name: API_BASE_URL

   value: https://some.kcs.env.example

   - name: API_TOKEN

   value: kcs_blablabla

   - name: SKIP_API_SERVER_VALIDATION

   value: 'true'

   imagePullPolicy: Always

   restartPolicy: Never

   imagePullSecrets:

   - name: ci-creds

   backoffLimit: 0

In this example, the scan job contains the following secrets:

• The secret for downloading the scanner image (specified in the imagePullSecrets variable).
• The password for downloading the image to be scanned if access to the relevant registry is restricted (specified in the COMPANY_EXT_REGISTRY_PASSWORD variable).

You can omit these passwords if the registry that the solution gains access to when running a scan job is accessible without authorization.