Commit cb248b47 authored by Nick Gaskill

Merge branch 'container_security_focus_on_trivy' into 'master'

Reference Trivy rather than Container-Scanning

See merge request gitlab-org/gitlab!60331
parents cf2ca269 db3aca9c
...@@ -24,10 +24,8 @@ displays them in a merge request, you can use GitLab to audit your Docker-based ...@@ -24,10 +24,8 @@ displays them in a merge request, you can use GitLab to audit your Docker-based
GitLab provides integration with two different open-source tools for vulnerability static analysis GitLab provides integration with two different open-source tools for vulnerability static analysis
in containers: in containers:
| GitLab Project | Open-source tool | - [Clair](https://github.com/quay/claircore)
| --- | --- | - [Trivy](https://github.com/aquasecurity/trivy)
|[Klar Analyzer](https://gitlab.com/gitlab-org/security-products/analyzers/klar/)| [Klar](https://github.com/optiopay/klar)|
|[Container-Scanning](https://gitlab.com/gitlab-org/security-products/analyzers/container-scanning)|[Trivy](https://github.com/aquasecurity/trivy)|
To integrate GitLab with security scanners other than those listed here, see To integrate GitLab with security scanners other than those listed here, see
[Security scanner integration](../../../development/integrations/secure.md). [Security scanner integration](../../../development/integrations/secure.md).
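Review bot: the list that replaces the table drops the GitLab analyzer project names and links (`klar`, `container-scanning`) that the rest of this page still depends on: the `CS_PROJECT` variable below resolves to `klar` or `container-scanning`, and the offline and standalone sections still tell readers to pull the `klar` and `container-scanning` images. Consider keeping a one-line mapping such as "Clair, run through the Klar analyzer" and "Trivy, run through the Container-Scanning analyzer" so a reader who meets `CS_PROJECT: klar` can connect it to the scanner named here.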
...@@ -57,10 +55,10 @@ To enable container scanning in your pipeline, you need the following: ...@@ -57,10 +55,10 @@ To enable container scanning in your pipeline, you need the following:
shared runners on GitLab.com, then this is already the case. shared runners on GitLab.com, then this is already the case.
- An image matching the following supported distributions (depending on the analyzer being used): - An image matching the following supported distributions (depending on the analyzer being used):
| GitLab Analyzer | Supported distributions | | Scanning Engine | Supported distributions |
| --- | --- | | --- | --- |
|[Klar](https://gitlab.com/gitlab-org/security-products/analyzers/klar/)| [Claircore](https://quay.github.io/claircore/)| | [Clair](https://github.com/quay/claircore) | [Supported operating systems and languages](https://quay.github.io/claircore/) |
|[Container-Scanning](https://gitlab.com/gitlab-org/security-products/analyzers/container-scanning)|[OS](https://aquasecurity.github.io/trivy/latest/vuln-detection/os/) & [Application](https://aquasecurity.github.io/trivy/latest/vuln-detection/library/)| | [Trivy](https://github.com/aquasecurity/trivy) | Supported [operating systems](https://aquasecurity.github.io/trivy/latest/vuln-detection/os/) and [languages](https://aquasecurity.github.io/trivy/latest/vuln-detection/library/) |
- [Build and push](../../packages/container_registry/index.md#build-and-push-by-using-gitlab-cicd) - [Build and push](../../packages/container_registry/index.md#build-and-push-by-using-gitlab-cicd)
your Docker image to your project's container registry. The name of the Docker image should use your Docker image to your project's container registry. The name of the Docker image should use
...@@ -168,7 +166,7 @@ The variables you set in your `.gitlab-ci.yml` overwrite those in ...@@ -168,7 +166,7 @@ The variables you set in your `.gitlab-ci.yml` overwrite those in
This example [includes](../../../ci/yaml/README.md#include) the container scanning template and This example [includes](../../../ci/yaml/README.md#include) the container scanning template and
enables verbose output for both analyzers: enables verbose output for both analyzers:
Klar: Clair:
```yaml ```yaml
include: include:
...@@ -178,7 +176,7 @@ variables: ...@@ -178,7 +176,7 @@ variables:
CLAIR_TRACE: true CLAIR_TRACE: true
``` ```
Container-Scanning: Trivy:
```yaml ```yaml
include: include:
...@@ -210,27 +208,27 @@ You can [configure](#customizing-the-container-scanning-settings) both analyzers ...@@ -210,27 +208,27 @@ You can [configure](#customizing-the-container-scanning-settings) both analyzers
| CI/CD Variable | Default | Description | Supported by| | CI/CD Variable | Default | Description | Supported by|
| ------------------------------ | ------------- | ----------- | ------------ | | ------------------------------ | ------------- | ----------- | ------------ |
| `ADDITIONAL_CA_CERT_BUNDLE` | `""` | Bundle of CA certs that you want to trust. See [Using a custom SSL CA certificate authority](#using-a-custom-ssl-ca-certificate-authority) for more details. | Both | | `ADDITIONAL_CA_CERT_BUNDLE` | `""` | Bundle of CA certs that you want to trust. See [Using a custom SSL CA certificate authority](#using-a-custom-ssl-ca-certificate-authority) for more details. | Both |
| `CLAIR_DB_CONNECTION_STRING` | `postgresql://postgres:password@clair-vulnerabilities-db:5432/postgres?sslmode=disable&statement_timeout=60000` | This variable represents the [connection string](https://www.postgresql.org/docs/9.3/libpq-connect.html#AEN39692) to the [PostgreSQL server hosting the vulnerability definitions](https://hub.docker.com/r/arminc/clair-db) database. **Do not change this** unless you're running the image locally as described in [Running the standalone container scanning tool](#running-the-standalone-container-scanning-tool). The host value for the connection string must match the [alias](https://gitlab.com/gitlab-org/gitlab/-/blob/898c5da43504eba87b749625da50098d345b60d6/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml#L23) value of the `Container-Scanning.gitlab-ci.yml` template file, which defaults to `clair-vulnerabilities-db`. | Klar | | `CLAIR_DB_CONNECTION_STRING` | `postgresql://postgres:password@clair-vulnerabilities-db:5432/postgres?sslmode=disable&statement_timeout=60000` | This variable represents the [connection string](https://www.postgresql.org/docs/9.3/libpq-connect.html#AEN39692) to the [PostgreSQL server hosting the vulnerability definitions](https://hub.docker.com/r/arminc/clair-db) database. **Do not change this** unless you're running the image locally as described in [Running the standalone container scanning tool](#running-the-standalone-container-scanning-tool). The host value for the connection string must match the [alias](https://gitlab.com/gitlab-org/gitlab/-/blob/898c5da43504eba87b749625da50098d345b60d6/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml#L23) value of the `Container-Scanning.gitlab-ci.yml` template file, which defaults to `clair-vulnerabilities-db`. | Clair |
| `CLAIR_DB_IMAGE` | `arminc/clair-db:latest` | The Docker image name and tag for the [PostgreSQL server hosting the vulnerability definitions](https://hub.docker.com/r/arminc/clair-db). It can be useful to override this value with a specific version (for example, to provide a consistent set of vulnerabilities for integration testing purposes, or to refer to a locally hosted vulnerability database for an on-premise offline installation). | Klar | | `CLAIR_DB_IMAGE` | `arminc/clair-db:latest` | The Docker image name and tag for the [PostgreSQL server hosting the vulnerability definitions](https://hub.docker.com/r/arminc/clair-db). It can be useful to override this value with a specific version (for example, to provide a consistent set of vulnerabilities for integration testing purposes, or to refer to a locally hosted vulnerability database for an on-premise offline installation). | Clair |
| `CLAIR_DB_IMAGE_TAG` | `latest` | (**DEPRECATED - use `CLAIR_DB_IMAGE` instead**) The Docker image tag for the [PostgreSQL server hosting the vulnerability definitions](https://hub.docker.com/r/arminc/clair-db). It can be useful to override this value with a specific version (for example, to provide a consistent set of vulnerabilities for integration testing purposes). | Klar | | `CLAIR_DB_IMAGE_TAG` | `latest` | (**DEPRECATED - use `CLAIR_DB_IMAGE` instead**) The Docker image tag for the [PostgreSQL server hosting the vulnerability definitions](https://hub.docker.com/r/arminc/clair-db). It can be useful to override this value with a specific version (for example, to provide a consistent set of vulnerabilities for integration testing purposes). | Clair |
| `CLAIR_OUTPUT` | `Unknown` | Severity level threshold. Vulnerabilities with severity level higher than or equal to this threshold are output. Supported levels are `Unknown`, `Negligible`, `Low`, `Medium`, `High`, `Critical`, and `Defcon1`. | Klar | | `CLAIR_OUTPUT` | `Unknown` | Severity level threshold. Vulnerabilities with severity level higher than or equal to this threshold are output. Supported levels are `Unknown`, `Negligible`, `Low`, `Medium`, `High`, `Critical`, and `Defcon1`. | Clair |
| `CLAIR_TRACE` | `"false"` | Set to true to enable more verbose output from the Clair server process. | Klar | | `CLAIR_TRACE` | `"false"` | Set to true to enable more verbose output from the Clair server process. | Clair |
| `CLAIR_VULNERABILITIES_DB_URL` | `clair-vulnerabilities-db` | (**DEPRECATED - use `CLAIR_DB_CONNECTION_STRING` instead**) This variable is explicitly set in the [services section](https://gitlab.com/gitlab-org/gitlab/-/blob/898c5da43504eba87b749625da50098d345b60d6/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml#L23) of the `Container-Scanning.gitlab-ci.yml` file and defaults to `clair-vulnerabilities-db`. This value represents the address that the [PostgreSQL server hosting the vulnerability definitions](https://hub.docker.com/r/arminc/clair-db) is running on. **Do not change this** unless you're running the image locally as described in [Running the standalone container scanning tool](#running-the-standalone-container-scanning-tool). | Klar | | `CLAIR_VULNERABILITIES_DB_URL` | `clair-vulnerabilities-db` | (**DEPRECATED - use `CLAIR_DB_CONNECTION_STRING` instead**) This variable is explicitly set in the [services section](https://gitlab.com/gitlab-org/gitlab/-/blob/898c5da43504eba87b749625da50098d345b60d6/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml#L23) of the `Container-Scanning.gitlab-ci.yml` file and defaults to `clair-vulnerabilities-db`. This value represents the address that the [PostgreSQL server hosting the vulnerability definitions](https://hub.docker.com/r/arminc/clair-db) is running on. **Do not change this** unless you're running the image locally as described in [Running the standalone container scanning tool](#running-the-standalone-container-scanning-tool). | Clair |
| `CI_APPLICATION_REPOSITORY` | `$CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG` | Docker repository URL for the image to be scanned. | Both | | `CI_APPLICATION_REPOSITORY` | `$CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG` | Docker repository URL for the image to be scanned. | Both |
| `CI_APPLICATION_TAG` | `$CI_COMMIT_SHA` | Docker repository tag for the image to be scanned. | Both | | `CI_APPLICATION_TAG` | `$CI_COMMIT_SHA` | Docker repository tag for the image to be scanned. | Both |
| `CS_ANALYZER_IMAGE` | `$SECURE_ANALYZERS_PREFIX/$CS_PROJECT:$CS_MAJOR_VERSION` | Docker image of the analyzer. | Both | | `CS_ANALYZER_IMAGE` | `$SECURE_ANALYZERS_PREFIX/$CS_PROJECT:$CS_MAJOR_VERSION` | Docker image of the analyzer. | Both |
| `CS_MAJOR_VERSION` | `3` | The major version of the Docker image tag. | Both | | `CS_MAJOR_VERSION` | `3` | The major version of the Docker image tag. | Both |
| `CS_PROJECT` | Depends on `$CS_MAJOR_VERSION`. `klar` if `$CS_MAJOR_VERSION` is set to `1`, `2` or `3`, and `container-scanning` otherwise. | Analyzer project to be used. | Both | | `CS_PROJECT` | Depends on `$CS_MAJOR_VERSION`. `klar` if `$CS_MAJOR_VERSION` is set to `1`, `2` or `3`, and `container-scanning` otherwise. | Analyzer project to be used. | Both |
| `DOCKER_IMAGE` | `$CI_APPLICATION_REPOSITORY:$CI_APPLICATION_TAG` | The Docker image to be scanned. If set, this variable overrides the `$CI_APPLICATION_REPOSITORY` and `$CI_APPLICATION_TAG` variables. | Both | | `DOCKER_IMAGE` | `$CI_APPLICATION_REPOSITORY:$CI_APPLICATION_TAG` | The Docker image to be scanned. If set, this variable overrides the `$CI_APPLICATION_REPOSITORY` and `$CI_APPLICATION_TAG` variables. | Both |
| `DOCKER_INSECURE` | `"false"` | Allow [Klar](https://github.com/optiopay/klar) to access secure Docker registries using HTTPS with bad (or self-signed) SSL certificates. | Klar | | `DOCKER_INSECURE` | `"false"` | Allow [Klar](https://github.com/optiopay/klar) to access secure Docker registries using HTTPS with bad (or self-signed) SSL certificates. | Clair |
| `DOCKER_PASSWORD` | `$CI_REGISTRY_PASSWORD` | Password for accessing a Docker registry requiring authentication. | Klar | | `DOCKER_PASSWORD` | `$CI_REGISTRY_PASSWORD` | Password for accessing a Docker registry requiring authentication. | Clair |
| `DOCKER_USER` | `$CI_REGISTRY_USER` | Username for accessing a Docker registry requiring authentication. | Klar | | `DOCKER_USER` | `$CI_REGISTRY_USER` | Username for accessing a Docker registry requiring authentication. | Clair |
| `DOCKERFILE_PATH` | `Dockerfile` | The path to the `Dockerfile` to use for generating remediations. By default, the scanner looks for a file named `Dockerfile` in the root directory of the project. You should configure this variable only if your `Dockerfile` is in a non-standard location, such as a subdirectory. See [Solutions for vulnerabilities](#solutions-for-vulnerabilities-auto-remediation) for more details. | Both | | `DOCKERFILE_PATH` | `Dockerfile` | The path to the `Dockerfile` to use for generating remediations. By default, the scanner looks for a file named `Dockerfile` in the root directory of the project. You should configure this variable only if your `Dockerfile` is in a non-standard location, such as a subdirectory. See [Solutions for vulnerabilities](#solutions-for-vulnerabilities-auto-remediation) for more details. | Both |
| `KLAR_TRACE` | `"false"` | Set to true to enable more verbose output from Klar. | Klar | | `KLAR_TRACE` | `"false"` | Set to true to enable more verbose output from Klar. | Clair |
| `REGISTRY_INSECURE` | `"false"` | Allow [Klar](https://github.com/optiopay/klar) to access insecure registries (HTTP only). Should only be set to `true` when testing the image locally. | Klar | | `REGISTRY_INSECURE` | `"false"` | Allow [Klar](https://github.com/optiopay/klar) to access insecure registries (HTTP only). Should only be set to `true` when testing the image locally. | Clair |
| `SECURE_ANALYZERS_PREFIX` | `"registry.gitlab.com/gitlab-org/security-products/analyzers"` | Set the Docker registry base address from which to download the analyzer. | Both | | `SECURE_ANALYZERS_PREFIX` | `"registry.gitlab.com/gitlab-org/security-products/analyzers"` | Set the Docker registry base address from which to download the analyzer. | Both |
| `SECURE_LOG_LEVEL` | `info` | Set the minimum logging level. Messages of this logging level or higher are output. From highest to lowest severity, the logging levels are: `fatal`, `error`, `warn`, `info`, `debug`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/10880) in GitLab 13.1. | Both | | `SECURE_LOG_LEVEL` | `info` | Set the minimum logging level. Messages of this logging level or higher are output. From highest to lowest severity, the logging levels are: `fatal`, `error`, `warn`, `info`, `debug`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/10880) in GitLab 13.1. | Both |
| `TRIVY_DEBUG` | `"false"` | Set to true to enable more verbose output from the Trivy process. | Container-Scanning | | `TRIVY_DEBUG` | `"false"` | Set to true to enable more verbose output from the Trivy process. | Trivy |
### Overriding the container scanning template ### Overriding the container scanning template
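Review bot: changing the `Supported by` column from `Klar` to `Clair` leaves three descriptions naming a tool the table no longer introduces: `DOCKER_INSECURE` and `REGISTRY_INSECURE` still read "Allow Klar to access ...", `KLAR_TRACE` still reads "more verbose output from Klar", and `CS_PROJECT` still resolves to `klar` for `CS_MAJOR_VERSION` 1 to 3. Either reword those descriptions to Clair, or add a sentence above the table stating that Klar is the analyzer image that runs Clair, so that the variable names, the column, and the `CS_PROJECT` values agree.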
...@@ -238,7 +236,7 @@ If you want to override the job definition (for example, to change properties li ...@@ -238,7 +236,7 @@ If you want to override the job definition (for example, to change properties li
must declare and override a job after the template inclusion, and then must declare and override a job after the template inclusion, and then
specify any additional keys. specify any additional keys.
This example sets `GIT_STRATEGY` to `fetch` to be considered by both Klar and Container-Scanning: This example sets `GIT_STRATEGY` to `fetch` to be considered by both Clair and Trivy:
```yaml ```yaml
include: include:
...@@ -249,7 +247,7 @@ include: ...@@ -249,7 +247,7 @@ include:
GIT_STRATEGY: fetch GIT_STRATEGY: fetch
``` ```
This example sets `KLAR_TRACE` to `true`, which is specific to Klar: This example sets `KLAR_TRACE` to `true`, which is specific to Clair:
```yaml ```yaml
include: include:
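Review bot: the sentence "This example sets `KLAR_TRACE` to `true`, which is specific to Clair" does not match the YAML it introduces, which sets `CLAIR_TRACE: true` (visible as the context line of the next hunk). Since the rename touches this line anyway, make the prose and the snippet name the same variable; otherwise a reader copying the snippet expects Klar trace output and gets Clair server tracing instead.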
...@@ -260,7 +258,7 @@ container_scanning: ...@@ -260,7 +258,7 @@ container_scanning:
CLAIR_TRACE: true CLAIR_TRACE: true
``` ```
This example sets `TRIVY_DEBUG` to `true`, which is specific to Container-Scanning: This example sets `TRIVY_DEBUG` to `true`, which is specific to Trivy:
```yaml ```yaml
include: include:
...@@ -290,16 +288,16 @@ taking the following steps: ...@@ -290,16 +288,16 @@ taking the following steps:
- Remove the `CS_ANALYZER_IMAGE` variable from your CI file. The job scope is `.cs_common`. Note - Remove the `CS_ANALYZER_IMAGE` variable from your CI file. The job scope is `.cs_common`. Note
that instead of overriding this variable, you can use `CS_MAJOR_VERSION`. that instead of overriding this variable, you can use `CS_MAJOR_VERSION`.
1. Remove any variables that are only applicable to Klar. For a complete list of these variables, 1. Remove any variables that are only applicable to Clair. For a complete list of these variables,
see the [available variables](#available-variables). see the [available variables](#available-variables).
1. Make any [necessary customizations](#customizing-the-container-scanning-settings) to the 1. Make any [necessary customizations](#customizing-the-container-scanning-settings) to the
`Container-Scanning` scanner. We strongly recommended that you minimize customizations, as they `Trivy` scanner. We strongly recommended that you minimize customizations, as they
might require changes in future GitLab major releases. might require changes in future GitLab major releases.
**Troubleshooting** **Troubleshooting**
Prior to the GitLab 14.0 release, any variable defined under the scope `container_scanning` is not Prior to the GitLab 14.0 release, any variable defined under the scope `container_scanning` is not
considered for Container-Scanning. Verify that all variables for the Container-Scanning analyzer are considered for the Trivy scanner. Verify that all variables for Trivy are
either defined as a global variable, or under `.cs_common` and `container_scanning_new`. either defined as a global variable, or under `.cs_common` and `container_scanning_new`.
### Using a custom SSL CA certificate authority ### Using a custom SSL CA certificate authority
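Review bot: in the third migration step, `Trivy` is wrapped in backticks where `Container-Scanning` was. The old text was a literal analyzer project name, whereas Trivy is a product name and should be plain text, as it is everywhere else in this change and in the troubleshooting paragraph just below, which correctly says "the Trivy scanner" without code formatting.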
...@@ -422,8 +420,8 @@ To use container scanning in an offline environment, you need: ...@@ -422,8 +420,8 @@ To use container scanning in an offline environment, you need:
| GitLab Analyzer | Container Registry | | GitLab Analyzer | Container Registry |
| --- | --- | | --- | --- |
|[Klar](https://gitlab.com/gitlab-org/security-products/analyzers/klar/)| [registry URL](https://gitlab.com/gitlab-org/security-products/analyzers/klar/container_registry) | | [Klar](https://gitlab.com/gitlab-org/security-products/analyzers/klar/) (used to run Clair) | [Klar container registry](https://gitlab.com/gitlab-org/security-products/analyzers/klar/container_registry) |
|[Container-Scanning](https://gitlab.com/gitlab-org/security-products/analyzers/container-scanning)|[registry URL](https://gitlab.com/gitlab-org/security-products/analyzers/container-scanning/container_registry/1741162)| | [Container-Scanning](https://gitlab.com/gitlab-org/security-products/analyzers/container-scanning) (used to run Trivy) | [Container-Scanning container registry](https://gitlab.com/gitlab-org/security-products/analyzers/container-scanning/container_registry/1741162) |
Note that GitLab Runner has a [default `pull policy` of `always`](https://docs.gitlab.com/runner/executors/docker.html#using-the-always-pull-policy), Note that GitLab Runner has a [default `pull policy` of `always`](https://docs.gitlab.com/runner/executors/docker.html#using-the-always-pull-policy),
meaning the runner tries to pull Docker images from the GitLab container registry even if a local meaning the runner tries to pull Docker images from the GitLab container registry even if a local
...@@ -436,24 +434,24 @@ enables the use of updated scanners in your CI/CD pipelines. ...@@ -436,24 +434,24 @@ enables the use of updated scanners in your CI/CD pipelines.
Support for custom certificate authorities was introduced in the following versions: Support for custom certificate authorities was introduced in the following versions:
| Analyzer | Version | | Scanner | Version |
| -------- | ------- | | -------- | ------- |
| `klar` | [v2.3.0](https://gitlab.com/gitlab-org/security-products/analyzers/klar/-/releases/v2.3.0) | | `Clair` | [v2.3.0](https://gitlab.com/gitlab-org/security-products/analyzers/klar/-/releases/v2.3.0) |
| `container-scanning` | [4.0.0](https://gitlab.com/gitlab-org/security-products/analyzers/container-scanning/-/releases/4.0.0) | | `Trivy` | [4.0.0](https://gitlab.com/gitlab-org/security-products/analyzers/container-scanning/-/releases/4.0.0) |
#### Make GitLab container scanning analyzer images available inside your Docker registry #### Make GitLab container scanning analyzer images available inside your Docker registry
For container scanning, import the following default images from `registry.gitlab.com` into your For container scanning, import the following default images from `registry.gitlab.com` into your
[local Docker container registry](../../packages/container_registry/index.md): [local Docker container registry](../../packages/container_registry/index.md):
Klar: Clair:
```plaintext ```plaintext
registry.gitlab.com/gitlab-org/security-products/analyzers/klar registry.gitlab.com/gitlab-org/security-products/analyzers/klar
https://hub.docker.com/r/arminc/clair-db https://hub.docker.com/r/arminc/clair-db
``` ```
Container-Scanning: Trivy:
```plaintext ```plaintext
registry.gitlab.com/gitlab-org/security-products/analyzers/container-scanning registry.gitlab.com/gitlab-org/security-products/analyzers/container-scanning
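Review bot: the custom-CA table now lists `Clair` at v2.3.0 and `Trivy` at 4.0.0, but the links go to the `klar` and `container-scanning` analyzer releases, and those version numbers are analyzer versions, not Clair or Trivy releases. Renaming the header to `Scanner` makes the row read as if Clair 2.3.0 itself added CA support. Keep the analyzer name in the row (for example "`klar` analyzer (Clair)") so the version, the link, and the image names listed just below the table agree.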
...@@ -475,7 +473,7 @@ For details on saving and transporting Docker images as a file, see Docker's doc ...@@ -475,7 +473,7 @@ For details on saving and transporting Docker images as a file, see Docker's doc
1. [Override the container scanning template](#overriding-the-container-scanning-template) in your `.gitlab-ci.yml` file to refer to the Docker images hosted on your local Docker container registry: 1. [Override the container scanning template](#overriding-the-container-scanning-template) in your `.gitlab-ci.yml` file to refer to the Docker images hosted on your local Docker container registry:
Klar: Clair:
```yaml ```yaml
include: include:
...@@ -487,7 +485,7 @@ For details on saving and transporting Docker images as a file, see Docker's doc ...@@ -487,7 +485,7 @@ For details on saving and transporting Docker images as a file, see Docker's doc
CLAIR_DB_IMAGE: $CI_REGISTRY/namespace/clair-vulnerabilities-db CLAIR_DB_IMAGE: $CI_REGISTRY/namespace/clair-vulnerabilities-db
``` ```
Container-Scanning: Trivy:
```yaml ```yaml
include: include:
...@@ -499,11 +497,11 @@ For details on saving and transporting Docker images as a file, see Docker's doc ...@@ -499,11 +497,11 @@ For details on saving and transporting Docker images as a file, see Docker's doc
1. If your local Docker container registry is running securely over `HTTPS`, but you're using a 1. If your local Docker container registry is running securely over `HTTPS`, but you're using a
self-signed certificate, then you must set `DOCKER_INSECURE: "true"` in the above self-signed certificate, then you must set `DOCKER_INSECURE: "true"` in the above
`container_scanning` section of your `.gitlab-ci.yml`. This only applies to Klar. `container_scanning` section of your `.gitlab-ci.yml`. This only applies to Clair.
#### Automating container scanning vulnerability database updates with a pipeline #### Automating container scanning vulnerability database updates with a pipeline
For those using Klar, it can be worthwhile to set up a [scheduled pipeline](../../../ci/pipelines/schedules.md) For those using Clair, it can be worthwhile to set up a [scheduled pipeline](../../../ci/pipelines/schedules.md)
to build a new version of the vulnerabilities database on a preset schedule. Automating to build a new version of the vulnerabilities database on a preset schedule. Automating
this with a pipeline means you do not have to do it manually each time. You can use the following this with a pipeline means you do not have to do it manually each time. You can use the following
`.gitlab-yml.ci` as a template: `.gitlab-yml.ci` as a template:
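Review bot: while this hunk edits the scheduled-pipeline paragraph, its trailing context line "`.gitlab-yml.ci` as a template" carries a pre-existing typo in the file name; it should be `.gitlab-ci.yml`, the name used everywhere else on the page. Worth fixing in the same change since the paragraph is already being touched.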
...@@ -529,7 +527,7 @@ The above template works for a GitLab Docker registry running on a local install ...@@ -529,7 +527,7 @@ The above template works for a GitLab Docker registry running on a local install
## Running the standalone container scanning tool ## Running the standalone container scanning tool
### Klar ### Clair
It's possible to run [Klar](https://gitlab.com/gitlab-org/security-products/analyzers/klar) It's possible to run [Klar](https://gitlab.com/gitlab-org/security-products/analyzers/klar)
against a Docker container without needing to run it within the context of a CI job. To scan an against a Docker container without needing to run it within the context of a CI job. To scan an
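Review bot: the heading becomes "### Clair" but the first sentence under it still says "It's possible to run [Klar](...) against a Docker container". Because the introduction no longer mentions Klar, a reader arriving here from the table of contents has nothing connecting the heading to the image they are about to run. Either keep "### Klar (Clair)" or open the paragraph with a clause such as "Clair is run through the Klar analyzer image".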
...@@ -563,7 +561,7 @@ image directly, follow these steps: ...@@ -563,7 +561,7 @@ image directly, follow these steps:
The results are stored in `gl-container-scanning-report.json`. The results are stored in `gl-container-scanning-report.json`.
### Container-Scanning ### Trivy
It's possible to run the [GitLab container scanning tool](https://gitlab.com/gitlab-org/security-products/analyzers/container-scanning) It's possible to run the [GitLab container scanning tool](https://gitlab.com/gitlab-org/security-products/analyzers/container-scanning)
against a Docker container without needing to run it within the context of a CI job. To scan an against a Docker container without needing to run it within the context of a CI job. To scan an
...@@ -691,7 +689,7 @@ the security vulnerabilities in your groups, projects and pipelines. ...@@ -691,7 +689,7 @@ the security vulnerabilities in your groups, projects and pipelines.
## Vulnerabilities database update ## Vulnerabilities database update
If you're using Klar and want more information about the vulnerabilities database update, see the If you're using Clair and want more information about the vulnerabilities database update, see the
[maintenance table](../index.md#maintenance-and-update-of-the-vulnerabilities-database). [maintenance table](../index.md#maintenance-and-update-of-the-vulnerabilities-database).
## Interacting with the vulnerabilities ## Interacting with the vulnerabilities
......
...@@ -61,10 +61,10 @@ the following tables: ...@@ -61,10 +61,10 @@ the following tables:
## Container Scanning ## Container Scanning
| GitLab analyzer | Outputs severity levels? | Native severity level type | Native severity level example | | GitLab scanner | Outputs severity levels? | Native severity level type | Native severity level example |
|------------------------------------------------------------------------|--------------------------|----------------------------|--------------------------------------------------------------| |------------------------------------------------------------------------|--------------------------|----------------------------|--------------------------------------------------------------|
| [`klar`](https://gitlab.com/gitlab-org/security-products/analyzers/klar) | **{check-circle}** Yes | String | `Negligible`, `Low`, `Medium`, `High`, `Critical`, `Defcon1` | | [`clair`](https://gitlab.com/gitlab-org/security-products/analyzers/klar) | **{check-circle}** Yes | String | `Negligible`, `Low`, `Medium`, `High`, `Critical`, `Defcon1` |
| [`container-scanning`](https://gitlab.com/gitlab-org/security-products/analyzers/container-scanning)| **{check-circle}** Yes | String | `Unknown`, `Low`, `Medium`, `High`, `Critical` | | [`trivy`](https://gitlab.com/gitlab-org/security-products/analyzers/container-scanning)| **{check-circle}** Yes | String | `Unknown`, `Low`, `Medium`, `High`, `Critical` |
## Fuzz Testing ## Fuzz Testing
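Review bot: the severity table now uses `clair` and `trivy` as code-formatted identifiers while the links behind them still go to the `klar` and `container-scanning` analyzer projects, and the `CS_PROJECT` variable on the container scanning page takes the values `klar` and `container-scanning`. Code formatting implies a literal identifier a user could type; use plain "Clair" and "Trivy" if the column is meant to name the scanner, or keep the analyzer names if the identifiers are meant to match `CS_PROJECT`.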