Welcome to mirror list, hosted at ThFree Co, Russian Federation.

gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
summaryrefslogtreecommitdiff
path: root/doc/user/application_security/container_scanning/index.md
diff options
context:
space:
mode:
Diffstat (limited to 'doc/user/application_security/container_scanning/index.md')
-rw-r--r--doc/user/application_security/container_scanning/index.md34
1 files changed, 22 insertions, 12 deletions
diff --git a/doc/user/application_security/container_scanning/index.md b/doc/user/application_security/container_scanning/index.md
index 323a064c3e4..90e1e4b025c 100644
--- a/doc/user/application_security/container_scanning/index.md
+++ b/doc/user/application_security/container_scanning/index.md
@@ -59,7 +59,7 @@ To enable container scanning in your pipeline, you need the following:
How you enable container scanning depends on your GitLab version:
-- GitLab 11.9 and later: [Include](../../../ci/yaml/README.md#includetemplate) the
+- GitLab 11.9 and later: [Include](../../../ci/yaml/index.md#includetemplate) the
[`Container-Scanning.gitlab-ci.yml` template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml)
that comes with your GitLab installation.
- GitLab versions earlier than 11.9: Copy and use the job from the
@@ -73,8 +73,8 @@ Other changes:
[`centos:centos8`](https://hub.docker.com/_/centos)
as the new base. It also removes the use of the [start.sh](https://gitlab.com/gitlab-org/security-products/analyzers/klar/-/merge_requests/77)
script and instead executes the analyzer by default. Any customizations made to the
- `container_scanning` job's [`before_script`](../../../ci/yaml/README.md#before_script)
- and [`after_script`](../../../ci/yaml/README.md#after_script)
+ `container_scanning` job's [`before_script`](../../../ci/yaml/index.md#before_script)
+ and [`after_script`](../../../ci/yaml/index.md#after_script)
blocks may not work with the new version. To roll back to the previous [`alpine:3.11.3`](https://hub.docker.com/_/alpine)-based
Docker image, you can specify the major version through the [`CS_MAJOR_VERSION`](#available-cicd-variables)
variable.
@@ -101,7 +101,7 @@ The included template:
(see [requirements](#requirements)) and scans it for possible vulnerabilities.
GitLab saves the results as a
-[Container Scanning report artifact](../../../ci/yaml/README.md#artifactsreportscontainer_scanning)
+[Container Scanning report artifact](../../../ci/yaml/index.md#artifactsreportscontainer_scanning)
that you can download and analyze later. When downloading, you always receive the most-recent
artifact.
@@ -130,12 +130,12 @@ include:
There may be cases where you want to customize how GitLab scans your containers. For example, you
may want to enable more verbose output, access a Docker registry that requires
-authentication, and more. To change such settings, use the [`variables`](../../../ci/yaml/README.md#variables)
+authentication, and more. To change such settings, use the [`variables`](../../../ci/yaml/index.md#variables)
parameter in your `.gitlab-ci.yml` to set [CI/CD variables](#available-cicd-variables).
The variables you set in your `.gitlab-ci.yml` overwrite those in
`Container-Scanning.gitlab-ci.yml`.
-This example [includes](../../../ci/yaml/README.md#include) the container scanning template and
+This example [includes](../../../ci/yaml/index.md#include) the container scanning template and
enables verbose output for the analyzer:
```yaml
@@ -172,6 +172,21 @@ Support depends on the scanner:
- [Grype](https://github.com/anchore/grype#grype)
- [Trivy](https://aquasecurity.github.io/trivy/latest/vuln-detection/os/) (Default).
+#### UBI-based images
+
+> [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/5775) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 14.1.
+
+GitLab also offers [Red Hat UBI](https://www.redhat.com/en/blog/introducing-red-hat-universal-base-image)
+versions of the container-scanning images. You can therefore replace standard images with UBI-based
+images. To configure the images, set the `CS_ANALYZER_IMAGE` variable to the standard tag plus the
+`-ubi` extension.
+
+| Scanner name | `CS_ANALYZER_IMAGE` |
+| --------------- | ------------------- |
+| Default (Trivy) | `registry.gitlab.com/security-products/container-scanning:4-ubi` |
+| Grype | `registry.gitlab.com/security-products/container-scanning/grype:4-ubi` |
+| Trivy | `registry.gitlab.com/security-products/container-scanning/trivy:4-ubi` |
+
### Overriding the container scanning template
If you want to override the job definition (for example, to change properties like `variables`), you
@@ -189,11 +204,6 @@ container_scanning:
GIT_STRATEGY: fetch
```
-WARNING:
-GitLab 13.0 and later doesn't support [`only` and `except`](../../../ci/yaml/README.md#only--except).
-When overriding the template, you must use [`rules`](../../../ci/yaml/README.md#rules)
-instead.
-
### Change scanners
The container-scanning analyzer can use different scanners, depending on the value of the
@@ -256,7 +266,7 @@ container_scanning:
-----END CERTIFICATE-----
```
-The `ADDITIONAL_CA_CERT_BUNDLE` value can also be configured as a [custom variable in the UI](../../../ci/variables/README.md#custom-cicd-variables), either as a `file`, which requires the path to the certificate, or as a variable, which requires the text representation of the certificate.
+The `ADDITIONAL_CA_CERT_BUNDLE` value can also be configured as a [custom variable in the UI](../../../ci/variables/index.md#custom-cicd-variables), either as a `file`, which requires the path to the certificate, or as a variable, which requires the text representation of the certificate.
### Vulnerability allowlisting
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-15 01:15:13 +0300