Add sast image documentation to CI examples

Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>

Add sast image documentation to CI examples
Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
557c4fbd · Dmitriy Zaporozhets · Achilleas Pipinellis · 9fb1b38c · 557c4fbd · 557c4fbd
Commit 557c4fbd authored Dec 15, 2017 by Dmitriy Zaporozhets Committed by Achilleas Pipinellis Jan 12, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 49 additions and 1 deletion

doc/ci/examples/README.md doc/ci/examples/README.md +2 -1

doc/ci/examples/sast-image.md doc/ci/examples/sast-image.md +47 -0

No files found.
--- a/doc/ci/examples/README.md
+++ b/doc/ci/examples/README.md
@@ -43,7 +43,8 @@ There's also a collection of repositories with [example projects](https://gitlab
 ### Static Application Security Testing (SAST)
-Scan your code for vulnerabilities with GitLab [Static Application Security Testing (SAST)](sast.md).
+- [Scan your code for vulnerabilities](sast.md)
+- [Scan your docker image for vulnerabilities](sast-image.md)
 ### Dynamic Application Security Testing (DAST)

--- a/doc/ci/examples/sast-image.md
+++ b/doc/ci/examples/sast-image.md
+# Static application security testing of your docker image with GitLab CI/CD
+NOTE: **Note:**
+In order to use this tool, a [GitLab Enterprise Edition Ultimate][ee] license
+is needed.
+All you need is a GitLab Runner with the Docker executor (the shared Runners on
+GitLab.com will work fine). You can then add a new job to `.gitlab-ci.yml`,
+called `sast:image`:
+```yaml
+sast:image:
+  image: docker:latest
+  variables:
+    DOCKER_DRIVER: overlay2
+  allow_failure: true
+  services:
+    - docker:dind
+  script:
+    - setup_docker
+    - docker run -d --name db arminc/clair-db:latest
+    - docker run -p 6060:6060 --link db:postgres -d --name clair arminc/clair-local-scan:v2.0.1
+    - apk update && apk add ca-certificates wget && update-ca-certificates
+    - docker pull ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG}
+    - wget https://github.com/arminc/clair-scanner/releases/download/v6/clair-scanner_linux_386
+    - mv clair-scanner_linux_386 clair-scanner
+    - chmod +x clair-scanner
+    - touch clair-whitelist.yml
+    - ./clair-scanner -c http://docker:6060 --ip $(hostname -i) -r gl-clair-report.json -l clair.log -w clair-whitelist.yml ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG} || true
+  artifacts:
+    paths: [gl-clair-report.json]
+```
+The above example will create a `sast:image` job in your CI pipeline and will allow
+you to download and analyze the report artifact in JSON format.
+TODO: TELL ABOUT WHITELISTING HERE. 
+TIP: **Tip:**
+Starting with GitLab Enterprise Edition Ultimate 10.3, this information will
+be automatically extracted and shown right in the merge request widget. To do
+so, the CI job must be named `sast:image` and the artifact path must be
+`gl-clair-report.json`.
+[Learn more on application security testing results shown in merge requests](../../user/project/merge_requests/sast-image.md).
+[ee]: https://about.gitlab.com/gitlab-ee/