在GitLab中将容器扫描添加到CI

时间:2020-05-15 18:50:27

标签: git gitlab gitlab-ci

因此,我尝试在gitlab中设置容器扫描,我尝试了很多方法,但似乎都没有用,我错过了什么?

我的gitlab版本是:GitLab Community Edition 12.9.4

计算机中的gitlab-runner是:Version: 12.10.2

这是我的.gitlab-ci.yml 

variables:
  vulnerable_tag: vulnerable
  non_vulnerable_tag: non_vulnerable
  IMAGE_NAME: test
  CLAIR_OUTPUT: High 

stages:
    - build
    - test

build:
  image: docker
  stage: build
  variables:
    IMAGE_NAME: test
    IMAGE_TAG: $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA
  script:
    - uname -a
    - docker build -t $IMAGE_NAME .
    - docker run -d -p 80:80 $IMAGE_NAME 
    - docker ps
    - curl localhost
    - mkdir output
    - echo $IMAGE_NAME"/"$CI_COMMIT_REF_SLUG":"$CI_COMMIT_SHA >> output/file.txt
  tags:
    - testingtag
#  artifacts:
#    paths: 
#      - output/

stop_container:
  stage: test
  script:
    - docker stop $(docker ps -q)

是一个简单的nginx容器,仅显示简单的index.hmtl

我尝试过的内容(.gitlab-ci.yml中的所有内容)都无效

include:
  - template: Container-Scanning.gitlab-ci.yml

这是文档所说的内容以及应该如何工作,但是会引发错误This GitLab CI configuration is invalid: Included file `Container-Scanning.gitlab-ci.yml` is empty or does not exist! 

include:
 - remote: 'https://gitlab.com/gitlab-org/gitlab/-/raw/master/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml'

这不会引发任何错误,但是什么也不做。 (链接是相同的Container-Scanning.gitlab-ci.yml,但以纯文本格式)

最后,将Container-Scanning.gitlab-ci.yml的内容添加为作业

# Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/container_scanning/

variables:
  # Setting this variable will affect all Security templates
  # (SAST, Dependency Scanning, ...)
  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"

  CS_MAJOR_VERSION: 2

container_scanning:
  stage: test
  image: $SECURE_ANALYZERS_PREFIX/klar:$CS_MAJOR_VERSION
  variables:
    # By default, use the latest clair vulnerabilities database, however, allow it to be overridden here with a specific image
    # to enable container scanning to run offline, or to provide a consistent list of vulnerabilities for integration testing purposes
    CLAIR_DB_IMAGE_TAG: "latest"
    CLAIR_DB_IMAGE: "$SECURE_ANALYZERS_PREFIX/clair-vulnerabilities-db:$CLAIR_DB_IMAGE_TAG"
    # Override the GIT_STRATEGY variable in your `.gitlab-ci.yml` file and set it to `fetch` if you want to provide a `clair-whitelist.yml`
    # file. See https://docs.gitlab.com/ee/user/application_security/container_scanning/index.html#overriding-the-container-scanning-template
    # for details
    GIT_STRATEGY: none
  allow_failure: true
  services:
    - name: $CLAIR_DB_IMAGE
      alias: clair-vulnerabilities-db
  script:
    - /analyzer run
  artifacts:
    reports:
      container_scanning: gl-container-scanning-report.json
  dependencies: []
  rules:
    - if: $CONTAINER_SCANNING_DISABLED
      when: never
    - if: $CI_COMMIT_BRANCH &&
          $GITLAB_FEATURES =~ /\bcontainer_scanning\b/

CI不存在就跳过该工作

2 个答案:

答案 0 :(得分:0)

如果您检查模板的路径,其中包括Security,则以下代码应该起作用:

include:
  - template: Securtiy/Container-Scanning.gitlab-ci.yml

答案 1 :(得分:0)

GitLab社区版不包含容器扫描功能。目前,仅at the top of this page中所述的Ultimate和Gold订阅中提供。

如果未检测到容器扫描功能,那么CI配置GitLab的这一部分也将跳过整个扫描步骤,因为您正在运行社区版,所以不会:

  rules:  
    - if: $CONTAINER_SCANNING_DISABLED  
      when: never  
    - if: $CI_COMMIT_BRANCH &&  
          $GITLAB_FEATURES =~ /\bcontainer_scanning\b/
相关问题
最新问题