Skip to content

G
gitlab-ce
Commit df5802d7 authored by Olivier Gonzalez's avatar Olivier Gonzalez Committed by Achilleas Pipinellis
Browse files
Options

Rename SAST for Docker to Container Scanning in EE documentation

parent 75690134
Hide whitespace changes
Inline Side-by-side
Showing with 107 additions and 102 deletions
doc/ci/examples/README.md
View file @ df5802d7
......@@ -47,8 +47,11 @@ There's also a collection of repositories with [example projects](https://gitlab
## Static Application Security Testing (SAST)
- **(Ultimate)** [Scan your code for vulnerabilities](sast.md)
- [Scan your Docker images for vulnerabilities](sast_docker.md)
**(Ultimate)** [Scan your code for vulnerabilities](sast.md)
## Container Scanning
[Scan your Docker images for vulnerabilities](container_scanning.md)
## Dynamic Application Security Testing (DAST)
......
doc/ci/examples/container_scanning.md 0 → 100644
View file @ df5802d7
# Container Scanning with GitLab CI/CD
You can check your Docker images (or more precisely the containers) for known
vulnerabilities by using [Clair](https://github.com/coreos/clair) and
[clair-scanner](https://github.com/arminc/clair-scanner), two open source tools
for Vulnerability Static Analysis for containers.
All you need is a GitLab Runner with the Docker executor (the shared Runners on
GitLab.com will work fine). You can then add a new job to `.gitlab-ci.yml`,
called `sast:container`:
```yaml
sast:container:
image: docker:latest
variables:
DOCKER_DRIVER: overlay2
## Define two new variables based on GitLab's CI/CD predefined variables
## https://docs.gitlab.com/ee/ci/variables/#predefined-variables-environment-variables
CI_APPLICATION_REPOSITORY: $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG
CI_APPLICATION_TAG: $CI_COMMIT_SHA
allow_failure: true
services:
- docker:dind
script:
- docker run -d --name db arminc/clair-db:latest
- docker run -p 6060:6060 --link db:postgres -d --name clair arminc/clair-local-scan:v2.0.1
- apk add -U wget ca-certificates
- docker pull ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG}
- wget https://github.com/arminc/clair-scanner/releases/download/v8/clair-scanner_linux_amd64
- mv clair-scanner_linux_amd64 clair-scanner
- chmod +x clair-scanner
- touch clair-whitelist.yml
- ./clair-scanner -c http://docker:6060 --ip $(hostname -i) -r gl-sast-container-report.json -l clair.log -w clair-whitelist.yml ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG} || true
artifacts:
paths: [gl-sast-container-report.json]
```
The above example will create a `sast:container` job in your CI/CD pipeline, pull
the image from the [Container Registry](../../user/project/container_registry.md)
(whose name is defined from the two `CI_APPLICATION_` variables) and scan it
for possible vulnerabilities. The report will be saved as an artifact that you
can later download and analyze.
If you want to whitelist some specific vulnerabilities, you can do so by defining
them in a [YAML file](https://github.com/arminc/clair-scanner/blob/master/README.md#example-whitelist-yaml-file),
in our case its named `clair-whitelist.yml`.
TIP: **Tip:**
Starting with [GitLab Ultimate][ee] 10.4, this information will
be automatically extracted and shown right in the merge request widget. To do
so, the CI/CD job must be named `sast:container` and the artifact path must be
`gl-sast-container-report.json`.
[Learn more on container scanning results shown in merge requests](https://docs.gitlab.com/ee/user/project/merge_requests/container_scanning.html).
[ee]: https://about.gitlab.com/products/
doc/ci/examples/sast_docker.md
View file @ df5802d7
# Static Application Security Testing for Docker containers with GitLab CI/CD
You can check your Docker images (or more precisely the containers) for known
vulnerabilities by using [Clair](https://github.com/coreos/clair) and
[clair-scanner](https://github.com/arminc/clair-scanner), two open source tools
for Vulnerability Static Analysis for containers.
All you need is a GitLab Runner with the Docker executor (the shared Runners on
GitLab.com will work fine). You can then add a new job to `.gitlab-ci.yml`,
called `sast:container`:
```yaml
sast:container:
image: docker:latest
variables:
DOCKER_DRIVER: overlay2
## Define two new variables based on GitLab's CI/CD predefined variables
## https://docs.gitlab.com/ee/ci/variables/#predefined-variables-environment-variables
CI_APPLICATION_REPOSITORY: $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG
CI_APPLICATION_TAG: $CI_COMMIT_SHA
allow_failure: true
services:
- docker:dind
script:
- docker run -d --name db arminc/clair-db:latest
- docker run -p 6060:6060 --link db:postgres -d --name clair arminc/clair-local-scan:v2.0.1
- apk add -U wget ca-certificates
- docker pull ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG}
- wget https://github.com/arminc/clair-scanner/releases/download/v8/clair-scanner_linux_amd64
- mv clair-scanner_linux_amd64 clair-scanner
- chmod +x clair-scanner
- touch clair-whitelist.yml
- ./clair-scanner -c http://docker:6060 --ip $(hostname -i) -r gl-sast-container-report.json -l clair.log -w clair-whitelist.yml ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG} || true
artifacts:
paths: [gl-sast-container-report.json]
```
The above example will create a `sast:container` job in your CI/CD pipeline, pull
the image from the [Container Registry](../../user/project/container_registry.md)
(whose name is defined from the two `CI_APPLICATION_` variables) and scan it
for possible vulnerabilities. The report will be saved as an artifact that you
can later download and analyze.
If you want to whitelist some specific vulnerabilities, you can do so by defining
them in a [YAML file](https://github.com/arminc/clair-scanner/blob/master/README.md#example-whitelist-yaml-file),
in our case its named `clair-whitelist.yml`.
TIP: **Tip:**
Starting with [GitLab Ultimate][ee] 10.4, this information will
be automatically extracted and shown right in the merge request widget. To do
so, the CI/CD job must be named `sast:container` and the artifact path must be
`gl-sast-container-report.json`.
[Learn more on application security testing results shown in merge requests](../../user/project/merge_requests/sast_docker.md).
[ee]: https://about.gitlab.com/products/
This document was moved to [another location](./container_scanning.md).
doc/topics/autodevops/index.md
View file @ df5802d7
......@@ -20,7 +20,7 @@ project in an easy and automatic way:
1. [Auto Test](#auto-test)
1. [Auto Code Quality](#auto-code-quality)
1. [Auto SAST (Static Application Security Testing)](#auto-sast)
1. [Auto SAST for Docker images](#auto-sast-for-docker-images)
1. [Auto Container Scanning](#auto-container-scanning)
1. [Auto Review Apps](#auto-review-apps)
1. [Auto DAST (Dynamic Application Security Testing)](#auto-dast)
1. [Auto Deploy](#auto-deploy)
......@@ -95,7 +95,7 @@ Auto Deploy, and Auto Monitoring will be silently skipped.
The Auto DevOps base domain is required if you want to make use of [Auto
Review Apps](#auto-review-apps) and [Auto Deploy](#auto-deploy). It is defined
either under the project's CI/CD settings while
either under the project's CI/CD settings while
[enabling Auto DevOps](#enabling-auto-devops) or in instance-wide settings in
the CI/CD section.
It can also be set at the project or group level as a variable, `AUTO_DEVOPS_DOMAIN`.
......@@ -217,7 +217,7 @@ check out.
In GitLab Ultimate, any security warnings are also
[shown in the merge request widget](../../user/project/merge_requests/sast.md).
### Auto SAST for Docker images
### Auto Container Scanning
> Introduced in GitLab 10.4.
......@@ -228,7 +228,7 @@ created, it's uploaded as an artifact which you can later download and
check out.
In GitLab Ultimate, any security warnings are also
[shown in the merge request widget](../../user/project/merge_requests/sast_docker.md).
[shown in the merge request widget](../../user/project/merge_requests/container_scanning.md).
### Auto Review Apps
......
doc/user/project/merge_requests/container_scanning.md 0 → 100644
View file @ df5802d7
# Container Scanning
> [Introduced][ee-3672] in [GitLab Ultimate][ee] 10.4.
## Overview
If you are using [GitLab CI/CD][ci], you can analyze your Docker images for known
vulnerabilities using [Clair](https://github.com/coreos/clair),
a Vulnerability Static Analysis tool for containers.
Going a step further, GitLab can show the vulnerability list right in the merge
request widget area.
![Container Scanning Widget](img/container_scanning.png)
## Use cases
If you distribute your application with Docker, then there's a great chance
that your image is based on other Docker images that may in turn contain some
known vulnerabilities that could be exploited.
Having an extra job in your pipeline that checks for those vulnerabilities,
and the fact that they are displayed inside a merge request, makes it very easy
to perform audits for your Docker-based apps.
## How it works
In order for the report to show in the merge request, you need to specify a
`sast:container` job (exact name) that will analyze the code and upload the
resulting `gl-sast-container-report.json` file as an artifact (exact filename).
GitLab will then check this file and show the information inside the merge request.
For more information on how the `sast:container` job should look like, check the
example on [analyzing a Docker image for vulnerabilities][cc-docs].
[ee-3672]: https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/3672
[ee]: https://about.gitlab.com/products/
[ci]: ../../../ci/README.md
[cc-docs]: ../../../ci/examples/container_scanning.md
doc/user/project/merge_requests/index.md
View file @ df5802d7
......@@ -228,7 +228,7 @@ merge request widget area.
[Read more about Static Application Security Testing reports.](sast.md)
## Static Application Security Testing for Docker containers
## Container Scanning
> Introduced in [GitLab Ultimate][products] 10.4.
......@@ -237,7 +237,7 @@ vulnerabilities.
Going a step further, GitLab can show the vulnerability report right in the
merge request widget area.
[Read more about SAST Docker images reports.](sast_docker.md)
[Read more about Container Scanning reports.](container_scanning.md)
## Dynamic Application Security Testing
......
doc/user/project/merge_requests/sast_docker.md
View file @ df5802d7
# Static Application Security Testing for Docker containers
> [Introduced][ee-3672] in [GitLab Ultimate][ee] 10.4.
## Overview
If you are using [GitLab CI/CD][ci], you can analyze your Docker images for known
vulnerabilities using [Clair](https://github.com/coreos/clair),
a Vulnerability Static Analysis tool for containers.
Going a step further, GitLab can show the vulnerability list right in the merge
request widget area.
![SAST Docker Widget](img/sast_docker.png)
## Use cases
If you distribute your application with Docker, then there's a great chance
that your image is based on other Docker images that may in turn contain some
known vulnerabilities that could be exploited.
Having an extra job in your pipeline that checks for those vulnerabilities,
and the fact that they are displayed inside a merge request, makes it very easy
to perform audits for your Docker-based apps.
## How it works
In order for the report to show in the merge request, you need to specify a
`sast:container` job (exact name) that will analyze the code and upload the
resulting `gl-sast-container-report.json` file as an artifact (exact filename).
GitLab will then check this file and show the information inside the merge request.
For more information on how the `sast:container` job should look like, check the
example on [analyzing a Docker image for vulnerabilities][cc-docs].
[ee-3672]: https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/3672
[ee]: https://about.gitlab.com/products/
[ci]: ../../../ci/README.md
[cc-docs]: ../../../ci/examples/sast_docker.md
This document was moved to [another location](./container_scanning.md).
\ No newline at end of file
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7