Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
300d3273
Commit
300d3273
authored
Sep 16, 2019
by
Adam Cohen
Committed by
Achilleas Pipinellis
Sep 16, 2019
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Replace clair-scanner with klar in container scanning docs
parent
77af2ae9
Changes
1
Show whitespace changes
Inline
Side-by-side
Showing
1 changed file
with
26 additions
and
5 deletions
+26
-5
doc/user/application_security/container_scanning/index.md
doc/user/application_security/container_scanning/index.md
+26
-5
No files found.
doc/user/application_security/container_scanning/index.md
View file @
300d3273
...
@@ -11,7 +11,7 @@ in [GitLab Ultimate](https://about.gitlab.com/pricing/) 10.4.
...
@@ -11,7 +11,7 @@ in [GitLab Ultimate](https://about.gitlab.com/pricing/) 10.4.
If you are using
[
GitLab CI/CD
](
../../../ci/README.md
)
, you can check your Docker
If you are using
[
GitLab CI/CD
](
../../../ci/README.md
)
, you can check your Docker
images (or more precisely the containers) for known vulnerabilities by using
images (or more precisely the containers) for known vulnerabilities by using
[
Clair
](
https://github.com/coreos/clair
)
and
[
clair-scanner
](
https://github.com/arminc/clair-scanne
r
)
,
[
Clair
](
https://github.com/coreos/clair
)
and
[
klar
](
https://github.com/optiopay/kla
r
)
,
two open source tools for Vulnerability Static Analysis for containers.
two open source tools for Vulnerability Static Analysis for containers.
You can take advantage of Container Scanning by either
[
including the CI job
](
#configuration
)
in
You can take advantage of Container Scanning by either
[
including the CI job
](
#configuration
)
in
...
@@ -90,10 +90,6 @@ artifact available. Behind the scenes, the
...
@@ -90,10 +90,6 @@ artifact available. Behind the scenes, the
[
GitLab Container Scanning analyzer
](
https://gitlab.com/gitlab-org/security-products/container-scanning
)
[
GitLab Container Scanning analyzer
](
https://gitlab.com/gitlab-org/security-products/container-scanning
)
is used and runs the scans.
is used and runs the scans.
If you want to whitelist some specific vulnerabilities, you can do so by defining
them in a YAML file named
`clair-whitelist.yml`
. Read more in the
[
Clair documentation
](
https://github.com/arminc/clair-scanner/blob/master/README.md#example-whitelist-yaml-file
)
.
## Example
## Example
The following is a sample
`.gitlab-ci.yml`
that will build your Docker Image, push it to the container registry and run Container Scanning.
The following is a sample
`.gitlab-ci.yml`
that will build your Docker Image, push it to the container registry and run Container Scanning.
...
@@ -124,6 +120,31 @@ build:
...
@@ -124,6 +120,31 @@ build:
-
docker push $IMAGE
-
docker push $IMAGE
```
```
## Vulnerability Whitelisting
If you want to whitelist specific vulnerabilities, you'll need to:
1.
Set
`GIT_STRATEGY: fetch`
in your
`.gitlab-ci.yml`
file by following the instructions described in the
[
overriding the Container Scanning template
](
#overriding-the-container-scanning-template
)
section of this document.
1.
Define the whitelisted vulnerabilities in a YAML file named
`clair-whitelist.yml`
which must use the format described
in the
[
following whitelist example file
](
https://github.com/arminc/clair-scanner/blob/v12/example-whitelist.yaml
)
.
1.
Add the
`clair-whitelist.yml`
file to the git repository of your project
### Overriding the Container Scanning template
If you want to override the job definition (for example, change properties like
`variables`
), you need to declare a
`container_scanning`
job after the
template inclusion and specify any additional keys under it. For example:
```
yaml
include
:
-
template
:
Container-Scanning.gitlab-ci.yml
container_scanning
:
variables
:
GIT_STRATEGY
:
fetch
```
## Security Dashboard
## Security Dashboard
The Security Dashboard is a good place to get an overview of all the security
The Security Dashboard is a good place to get an overview of all the security
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment