diff options
Diffstat (limited to 'doc/user/application_security/container_scanning/index.md')
-rw-r--r-- | doc/user/application_security/container_scanning/index.md | 54 |
1 files changed, 49 insertions, 5 deletions
diff --git a/doc/user/application_security/container_scanning/index.md b/doc/user/application_security/container_scanning/index.md index 27b22fb925c..68ad2d427dd 100644 --- a/doc/user/application_security/container_scanning/index.md +++ b/doc/user/application_security/container_scanning/index.md @@ -187,6 +187,10 @@ using environment variables. ### Overriding the Container Scanning template +CAUTION: **Deprecation:** +Beginning in GitLab 13.0, the use of [`only` and `except`](../../../ci/yaml/README.md#onlyexcept-basic) +is no longer supported. When overriding the template, you must use [`rules`](../../../ci/yaml/README.md#rules) instead. + If you want to override the job definition (for example, change properties like `variables`), you need to declare a `container_scanning` job after the template inclusion and specify any additional keys under it. For example: @@ -212,11 +216,46 @@ If you want to whitelist specific vulnerabilities, you'll need to: ### Running Container Scanning in an offline environment -Container Scanning can be executed on an offline GitLab Ultimate installation by using the following process: +For self-managed GitLab instances in an environment with limited, restricted, or intermittent access +to external resources through the internet, some adjustments are required for the Container Scanning job to +successfully run. For more information, see [Offline environments](../offline_deployments/index.md). + +#### Requirements for offline Container Scanning + +To use Container Scanning in an offline environment, you need: + +- GitLab Runner with the [`docker` or `kubernetes` executor](#requirements). +- To configure a local Docker Container Registry with copies of the Container Scanning [analyzer](https://gitlab.com/gitlab-org/security-products/analyzers/klar) images, found in the [Container Scanning container registry](https://gitlab.com/gitlab-org/security-products/analyzers/klar/container_registry). + +NOTE: **Note:** +GitLab Runner has a [default `pull policy` of `always`](https://docs.gitlab.com/runner/executors/docker.html#using-the-always-pull-policy), +meaning the runner may try to pull remote images even if a local copy is available. Set GitLab +Runner's [`pull_policy` to `if-not-present`](https://docs.gitlab.com/runner/executors/docker.html#using-the-if-not-present-pull-policy) +in an offline environment if you prefer using only locally available Docker images. + +#### Make GitLab Container Scanning analyzer images available inside your Docker registry -1. Host the following Docker images on a [local Docker container registry](../../packages/container_registry/index.md): - - [arminc/clair-db vulnerabilities database](https://hub.docker.com/r/arminc/clair-db) - - GitLab klar analyzer: `registry.gitlab.com/gitlab-org/security-products/analyzers/klar` +For Container Scanning, import and host the following images from `registry.gitlab.com` to your +offline [local Docker container registry](../../packages/container_registry/index.md): + +- [arminc/clair-db vulnerabilities database](https://hub.docker.com/r/arminc/clair-db) +- GitLab klar analyzer: `registry.gitlab.com/gitlab-org/security-products/analyzers/klar` + +The process for importing Docker images into a local offline Docker registry depends on +**your network security policy**. Please consult your IT staff to find an accepted and approved +process by which external resources can be imported or temporarily accessed. + +Note that these scanners are [updated periodically](../index.md#maintenance-and-update-of-the-vulnerabilities-database) +with new definitions, so consider if you are able to make periodic updates yourself. +You can read more specific steps on how to do this [below](#automating-container-scanning-vulnerability-database-updates-with-a-pipeline). + +For details on saving and transporting Docker images as a file, see Docker's documentation on +[`docker save`](https://docs.docker.com/engine/reference/commandline/save/), [`docker load`](https://docs.docker.com/engine/reference/commandline/load/), +[`docker export`](https://docs.docker.com/engine/reference/commandline/export/), and [`docker import`](https://docs.docker.com/engine/reference/commandline/import/). + +#### Set Container Scanning CI job variables to use local Container Scanner analyzers + +Container Scanning can be executed on an offline GitLab Ultimate installation using the following process: 1. [Override the container scanning template](#overriding-the-container-scanning-template) in your `.gitlab-ci.yml` file to refer to the Docker images hosted on your local Docker container registry: @@ -234,7 +273,12 @@ Container Scanning can be executed on an offline GitLab Ultimate installation by self-signed certificate, then you must set `DOCKER_INSECURE: "true"` in the above `container_scanning` section of your `.gitlab-ci.yml`. -It may be worthwhile to set up a [scheduled pipeline](../../../ci/pipelines/schedules.md) to automatically build a new version of the vulnerabilities database on a preset schedule. You can use the following `.gitlab-yml.ci` as a template: +#### Automating Container Scanning vulnerability database updates with a pipeline + +It can be worthwhile to set up a [scheduled pipeline](../../../ci/pipelines/schedules.md) to +automatically build a new version of the vulnerabilities database on a preset schedule. Automating +this with a pipeline means you won't have to do it manually each time. You can use the following +`.gitlab-yml.ci` as a template: ```yaml image: docker:stable |