Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
557c4fbd
Commit
557c4fbd
authored
Dec 15, 2017
by
Dmitriy Zaporozhets
Committed by
Achilleas Pipinellis
Jan 12, 2018
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Add sast image documentation to CI examples
Signed-off-by:
Dmitriy Zaporozhets
<
dmitriy.zaporozhets@gmail.com
>
parent
9fb1b38c
Changes
2
Hide whitespace changes
Inline
Side-by-side
Showing
2 changed files
with
49 additions
and
1 deletion
+49
-1
doc/ci/examples/README.md
doc/ci/examples/README.md
+2
-1
doc/ci/examples/sast-image.md
doc/ci/examples/sast-image.md
+47
-0
No files found.
doc/ci/examples/README.md
View file @
557c4fbd
...
...
@@ -43,7 +43,8 @@ There's also a collection of repositories with [example projects](https://gitlab
### Static Application Security Testing (SAST)
Scan your code for vulnerabilities with GitLab
[
Static Application Security Testing (SAST)
](
sast.md
)
.
-
[
Scan your code for vulnerabilities
](
sast.md
)
-
[
Scan your docker image for vulnerabilities
](
sast-image.md
)
### Dynamic Application Security Testing (DAST)
...
...
doc/ci/examples/sast-image.md
0 → 100644
View file @
557c4fbd
# Static application security testing of your docker image with GitLab CI/CD
NOTE:
**Note:**
In order to use this tool, a
[
GitLab Enterprise Edition Ultimate
][
ee
]
license
is needed.
All you need is a GitLab Runner with the Docker executor (the shared Runners on
GitLab.com will work fine). You can then add a new job to
`.gitlab-ci.yml`
,
called
`sast:image`
:
```
yaml
sast:image:
image
:
docker:latest
variables
:
DOCKER_DRIVER
:
overlay2
allow_failure
:
true
services
:
-
docker:dind
script
:
-
setup_docker
-
docker run -d --name db arminc/clair-db:latest
-
docker run -p 6060:6060 --link db:postgres -d --name clair arminc/clair-local-scan:v2.0.1
-
apk update && apk add ca-certificates wget && update-ca-certificates
-
docker pull ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG}
-
wget https://github.com/arminc/clair-scanner/releases/download/v6/clair-scanner_linux_386
-
mv clair-scanner_linux_386 clair-scanner
-
chmod +x clair-scanner
-
touch clair-whitelist.yml
-
./clair-scanner -c http://docker:6060 --ip $(hostname -i) -r gl-clair-report.json -l clair.log -w clair-whitelist.yml ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG} ||
true
artifacts
:
paths
:
[
gl-clair-report.json
]
```
The above example will create a
`sast:image`
job in your CI pipeline and will allow
you to download and analyze the report artifact in JSON format.
TODO: TELL ABOUT WHITELISTING HERE.
TIP:
**Tip:**
Starting with GitLab Enterprise Edition Ultimate 10.3, this information will
be automatically extracted and shown right in the merge request widget. To do
so, the CI job must be named
`sast:image`
and the artifact path must be
`gl-clair-report.json`
.
[
Learn more on application security testing results shown in merge requests
](
../../user/project/merge_requests/sast-image.md
)
.
[
ee
]:
https://about.gitlab.com/gitlab-ee/
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment