Commit 557c4fbd authored by Dmitriy Zaporozhets, committed by Achilleas Pipinellis

Add sast image documentation to CI examples

Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
parent 9fb1b38c
......@@ -43,7 +43,8 @@ There's also a collection of repositories with [example projects](https://gitlab
### Static Application Security Testing (SAST)
Scan your code for vulnerabilities with GitLab [Static Application Security Testing (SAST)](sast.md).
- [Scan your code for vulnerabilities](sast.md)
- [Scan your docker image for vulnerabilities](sast-image.md)
### Dynamic Application Security Testing (DAST)
......
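Review bot: the new bullet list under `### Static Application Security Testing (SAST)` duplicates the sentence kept directly above it; `Scan your code for vulnerabilities with GitLab [Static Application Security Testing (SAST)](sast.md).` and `- [Scan your code for vulnerabilities](sast.md)` say the same thing with the same link. Either drop the sentence or reword it to introduce both bullets (source scanning and image scanning), and capitalise `Docker` in the second bullet since it is a product name.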
# Static application security testing of your docker image with GitLab CI/CD
NOTE: **Note:**
In order to use this tool, a [GitLab Enterprise Edition Ultimate][ee] license
is needed.
All you need is a GitLab Runner with the Docker executor (the shared Runners on
GitLab.com will work fine). You can then add a new job to `.gitlab-ci.yml`,
called `sast:image`:
```yaml
sast:image:
image: docker:latest
variables:
DOCKER_DRIVER: overlay2
allow_failure: true
services:
- docker:dind
script:
- setup_docker
- docker run -d --name db arminc/clair-db:latest
- docker run -p 6060:6060 --link db:postgres -d --name clair arminc/clair-local-scan:v2.0.1
- apk update && apk add ca-certificates wget && update-ca-certificates
- docker pull ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG}
- wget https://github.com/arminc/clair-scanner/releases/download/v6/clair-scanner_linux_386
- mv clair-scanner_linux_386 clair-scanner
- chmod +x clair-scanner
- touch clair-whitelist.yml
- ./clair-scanner -c http://docker:6060 --ip $(hostname -i) -r gl-clair-report.json -l clair.log -w clair-whitelist.yml ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG} || true
artifacts:
paths: [gl-clair-report.json]
```
The above example will create a `sast:image` job in your CI pipeline and will allow
you to download and analyze the report artifact in JSON format.
TODO: TELL ABOUT WHITELISTING HERE.
TIP: **Tip:**
Starting with GitLab Enterprise Edition Ultimate 10.3, this information will
be automatically extracted and shown right in the merge request widget. To do
so, the CI job must be named `sast:image` and the artifact path must be
`gl-clair-report.json`.
[Learn more on application security testing results shown in merge requests](../../user/project/merge_requests/sast-image.md).
[ee]: https://about.gitlab.com/gitlab-ee/
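Review bot: the `sast:image` job fetches the `clair-scanner` binary from a GitHub release with plain `wget` and executes it without any checksum or signature verification, and it pulls `docker:latest` and `arminc/clair-db:latest` by mutable tag, so the scanner's own supply chain is unverified; pin the tags and verify the download (for example `sha256sum -c` against a known digest) before the `chmod +x clair-scanner` step. Related: with `allow_failure: true` on the job and `|| true` on the scanner line, findings can never fail the pipeline, which the prose should state explicitly rather than leave implicit. The `TODO: TELL ABOUT WHITELISTING HERE.` placeholder must not ship in user-facing docs, and `setup_docker` is invoked but never defined in the snippet, so readers copying the job as written will get a command-not-found error.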