Container Scanning feature does not work with multiple images

Date: 2019-06-18 12:20:08

Tags: docker gitlab gitlab-ci gitlab-ci-runner clair

I have successfully set up the Container Scanning feature from GitLab for a single Docker image. Now I want to scan another image using the same CI/CD configuration in .gitlab-ci.yml.

Problem

It seems that it is not possible to have more than one Container Scanning report on the merge request details page.

The screenshot below shows the results of the two container scanning jobs from the configuration below.

[Screenshot: GitLab Container Scanning report]

We scanned two Docker images, and both have CVEs to report:

  1. iojs:1.6.3-slim (355 vulnerabilities)
  2. golang:1.3 (1139 vulnerabilities)

Expected result

The Container Scanning report should show 1494 vulnerabilities in total (355 + 1139). Currently it seems that only the results for the golang image are included.

Relevant part of the configuration

container_scanning_first_image:
  script:
    - docker pull golang:1.3 
    - ./clair-scanner -c http://docker:6060 --ip $(hostname -i) -r gl-container-scanning-report-first-image.json -l clair.log golang:1.3 || true
  artifacts:
    reports:
      container_scanning: gl-container-scanning-report-first-image.json

container_scanning_second_image:
  script:
    - docker pull iojs:1.6.3-slim
    - ./clair-scanner -c http://docker:6060 --ip $(hostname -i) -r gl-container-scanning-report-second-image.json -l clair.log iojs:1.6.3-slim || true
  artifacts:
    reports:
      container_scanning: gl-container-scanning-report-second-image.json

Full configuration for reference

image: docker:stable

stages:
  - scan

variables:

  DOCKER_HOST: tcp://docker:2375/
  DOCKER_DRIVER: overlay2

container_scanning_first_image:
  stage: scan
  variables:
    GIT_STRATEGY: none
    DOCKER_SERVICE: docker
    DOCKER_HOST: tcp://${DOCKER_SERVICE}:2375/
    CLAIR_LOCAL_SCAN_VERSION: v2.0.8_fe9b059d930314b54c78f75afe265955faf4fdc1
    NO_PROXY: ${DOCKER_SERVICE},localhost
  allow_failure: true
  services:
    - docker:dind
  script:
    - docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY
    - docker run -d --name db arminc/clair-db:latest
    - docker run -p 6060:6060 --link db:postgres -d --name clair --restart on-failure arminc/clair-local-scan:${CLAIR_LOCAL_SCAN_VERSION}
    - apk add -U wget ca-certificates
    - docker pull golang:1.3 
    - wget https://github.com/arminc/clair-scanner/releases/download/v8/clair-scanner_linux_amd64
    - mv clair-scanner_linux_amd64 clair-scanner
    - chmod +x clair-scanner
    - touch clair-whitelist.yml
    - retries=0
    - echo "Waiting for clair daemon to start"
    - while( ! wget -T 10 -q -O /dev/null http://${DOCKER_SERVICE}:6060/v1/namespaces ) ; do sleep 1 ; echo -n "." ; if [ $retries -eq 10 ] ; then echo " Timeout, aborting." ; exit 1 ; fi ; retries=$(($retries+1)) ; done
    - ./clair-scanner -c http://${DOCKER_SERVICE}:6060 --ip $(hostname -i) -r gl-container-scanning-report-first-image.json -l clair.log golang:1.3 || true
  artifacts:
    paths:
      - gl-container-scanning-report-first-image.json
    reports:
      container_scanning: gl-container-scanning-report-first-image.json
  dependencies: []
  only:
    refs:
      - branches
    variables:
      - $GITLAB_FEATURES =~ /\bcontainer_scanning\b/
  except:
    variables:
      - $CONTAINER_SCANNING_DISABLED

container_scanning_second_image:
  stage: scan
  variables:
    GIT_STRATEGY: none
    DOCKER_SERVICE: docker
    DOCKER_HOST: tcp://${DOCKER_SERVICE}:2375/
    CLAIR_LOCAL_SCAN_VERSION: v2.0.8_fe9b059d930314b54c78f75afe265955faf4fdc1
    NO_PROXY: ${DOCKER_SERVICE},localhost
  allow_failure: true
  services:
    - docker:dind
  script:
    - docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY
    - docker run -d --name db arminc/clair-db:latest
    - docker run -p 6060:6060 --link db:postgres -d --name clair --restart on-failure arminc/clair-local-scan:${CLAIR_LOCAL_SCAN_VERSION}
    - apk add -U wget ca-certificates
    - docker pull iojs:1.6.3-slim
    - wget https://github.com/arminc/clair-scanner/releases/download/v8/clair-scanner_linux_amd64
    - mv clair-scanner_linux_amd64 clair-scanner
    - chmod +x clair-scanner
    - touch clair-whitelist.yml
    - retries=0
    - echo "Waiting for clair daemon to start"
    - while( ! wget -T 10 -q -O /dev/null http://${DOCKER_SERVICE}:6060/v1/namespaces ) ; do sleep 1 ; echo -n "." ; if [ $retries -eq 10 ] ; then echo " Timeout, aborting." ; exit 1 ; fi ; retries=$(($retries+1)) ; done
    - ./clair-scanner -c http://${DOCKER_SERVICE}:6060 --ip $(hostname -i) -r gl-container-scanning-report-second-image.json -l clair.log iojs:1.6.3-slim || true
  artifacts:
    paths:
      - gl-container-scanning-report-second-image.json
    reports:
      container_scanning: gl-container-scanning-report-second-image.json
  dependencies: []
  only:
    refs:
      - branches
    variables:
      - $GITLAB_FEATURES =~ /\bcontainer_scanning\b/
  except:
    variables:
      - $CONTAINER_SCANNING_DISABLED

Question

How should the GitLab Container Scanning feature be configured so that it can report the results for both Docker images?

0 answers
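Since the merge request widget consumes a single container_scanning artifact, one practical approach is to scan both images and then combine the two clair-scanner JSON files into one report before declaring it as the artifact. The script below is an added example written for this answer; it is not part of the question, of GitLab, or of clair-scanner. It assumes the report shape clair-scanner writes with -r (top-level "image", "unapproved" and "vulnerabilities" keys, each finding carrying "featurename", "featureversion", "vulnerability" and "severity"), assumes the report consumer tolerates an extra "image" key on each finding, and uses constructed sample reports in place of the real job output.

```python
"""Merge several clair-scanner JSON reports into one container_scanning artifact.

Added example, not code from the question or from GitLab/clair-scanner.
Assumed report shape (what clair-scanner writes via -r):
{"image": "...", "unapproved": ["CVE-..."], "vulnerabilities": [{...}, ...]}
"""
import json
import sys
from collections import Counter

# Constructed sample reports standing in for the two job outputs in the question.
SAMPLE_FIRST = {
    "image": "golang:1.3",
    "unapproved": ["CVE-2016-0001", "CVE-2016-0002"],
    "vulnerabilities": [
        {"featurename": "libc6", "featureversion": "2.19-18", "vulnerability": "CVE-2016-0001", "severity": "High"},
        {"featurename": "openssl", "featureversion": "1.0.1e-2", "vulnerability": "CVE-2016-0002", "severity": "Medium"},
    ],
}
SAMPLE_SECOND = {
    "image": "iojs:1.6.3-slim",
    "unapproved": ["CVE-2016-0001", "CVE-2016-0003"],
    "vulnerabilities": [
        {"featurename": "libc6", "featureversion": "2.19-18", "vulnerability": "CVE-2016-0001", "severity": "High"},
        {"featurename": "bash", "featureversion": "4.3-11", "vulnerability": "CVE-2016-0003", "severity": "Low"},
        # the same finding listed twice by the scanner; collapsed by merge_reports
        {"featurename": "bash", "featureversion": "4.3-11", "vulnerability": "CVE-2016-0003", "severity": "Low"},
    ],
}


def merge_reports(reports):
    """Combine several reports into one.

    Findings stay attributed to their image (an extra "image" key is added to
    each entry; assumption: the consumer ignores unknown keys), so the total is
    the sum of the per-image totals the question expects. An identical finding
    listed twice for the same image is kept once.
    """
    images, unapproved, seen, findings = [], [], set(), []
    for rep in reports:
        image = rep.get("image", "")
        if image and image not in images:
            images.append(image)
        for cve in rep.get("unapproved", []):
            if cve not in unapproved:
                unapproved.append(cve)
        for vuln in rep.get("vulnerabilities", []):
            key = (image, vuln.get("featurename"), vuln.get("featureversion"), vuln.get("vulnerability"))
            if key in seen:
                continue
            seen.add(key)
            entry = dict(vuln)
            entry["image"] = image
            findings.append(entry)
    return {"image": ", ".join(images), "unapproved": unapproved, "vulnerabilities": findings}


def summarize(report):
    """Return (total, per-severity counts) so the job log shows the merged totals."""
    per_severity = Counter(v.get("severity", "Unknown") for v in report["vulnerabilities"])
    return len(report["vulnerabilities"]), dict(per_severity)


def merge_files(in_paths, out_path):
    """Read the report files, write the merged report, and return it."""
    reports = []
    for path in in_paths:
        with open(path) as fh:
            reports.append(json.load(fh))
    merged = merge_reports(reports)
    with open(out_path, "w") as fh:
        json.dump(merged, fh, indent=2)
    return merged


if __name__ == "__main__":
    # usage: merge_reports.py OUT.json IN1.json IN2.json ...
    if len(sys.argv) >= 3:
        result = merge_files(sys.argv[2:], sys.argv[1])
    else:
        result = merge_reports([SAMPLE_FIRST, SAMPLE_SECOND])
    total, by_severity = summarize(result)
    print(f"{result['image']}: {total} findings {by_severity}")
```

To use it in the pipeline, run both clair-scanner invocations in one job (or collect the two JSON files in a later-stage job via artifacts:paths and dependencies), call `python3 merge_reports.py gl-container-scanning-report.json gl-container-scanning-report-first-image.json gl-container-scanning-report-second-image.json`, and declare only the merged file under artifacts:reports:container_scanning. The docker:stable image used in the question does not ship Python, so the job would need `apk add python3` alongside the existing `apk add wget ca-certificates` line (an assumption about the image, not something the question states).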