Commit 34c31163 authored by Nick Gaskill's avatar Nick Gaskill

Merge branch 'docs-trivy-offline' into 'master'

Doc: add Trivy DB update example

See merge request gitlab-org/gitlab!61427
parents 756f560b 98033a19
...@@ -501,29 +501,38 @@ For details on saving and transporting Docker images as a file, see Docker's doc ...@@ -501,29 +501,38 @@ For details on saving and transporting Docker images as a file, see Docker's doc
#### Automating container scanning vulnerability database updates with a pipeline #### Automating container scanning vulnerability database updates with a pipeline
For those using Clair, it can be worthwhile to set up a [scheduled pipeline](../../../ci/pipelines/schedules.md) We recommend that you set up a [scheduled pipeline](../../../ci/pipelines/schedules.md)
to build a new version of the vulnerabilities database on a preset schedule. Automating to fetch the latest vulnerabilities database on a preset schedule. Because the Clair scanner is
this with a pipeline means you do not have to do it manually each time. You can use the following deprecated, the latest vulnerabilities are currently only available for the Trivy scanner.
`.gitlab-yml.ci` as a template: Automating this with a pipeline means you do not have to do it manually each time. You can use the
following `.gitlab-yml.ci` example as a template.
```yaml ```yaml
image: docker:stable variables:
# If using Clair, uncomment the following 2 lines and comment the Trivy lines below
# SOURCE_IMAGE: arminc/clair-db:latest
# TARGET_IMAGE: $CI_REGISTRY/$CI_PROJECT_PATH/clair-vulnerabilities-db
stages: # If using Trivy, uncomment the following 3 lines and comment the Clair lines above
- build CS_MAJOR_VERSION: 4 # ensure that this value matches the one you use in your scanning jobs
SOURCE_IMAGE: registry.gitlab.com/gitlab-org/security-products/analyzers/container-scanning:$CS_MAJOR_VERSION
TARGET_IMAGE: $CI_REGISTRY/$CI_PROJECT_PATH/gitlab-container-scanning
build_latest_vulnerabilities: image: docker:stable
stage: build
update-vulnerabilities-db:
services: services:
- docker:19.03.12-dind - docker:19-dind
script: script:
- docker pull arminc/clair-db:latest - docker pull $SOURCE_IMAGE
- docker tag arminc/clair-db:latest $CI_REGISTRY/namespace/clair-vulnerabilities-db - docker tag $SOURCE_IMAGE $TARGET_IMAGE
- docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY - echo "$CI_REGISTRY_PASSWORD" | docker login $CI_REGISTRY --username $CI_REGISTRY_USER --password-stdin
- docker push $CI_REGISTRY/namespace/clair-vulnerabilities-db - docker push $TARGET_IMAGE
``` ```
The above template works for a GitLab Docker registry running on a local installation, however, if you're using a non-GitLab Docker registry, you need to change the `$CI_REGISTRY` value and the `docker login` credentials to match the details of your local registry. The above template works for a GitLab Docker registry running on a local installation. However, if
you're using a non-GitLab Docker registry, you must change the `$CI_REGISTRY` value and the
`docker login` credentials to match your local registry's details.
## Running the standalone container scanning tool ## Running the standalone container scanning tool
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment