Commit 77d1224b authored by Brian Williams

Set `CS_DEFAULT_BRANCH_IMAGE` in Auto DevOps template

By default, container scanning assumes that the image naming convention
stores any branch-specific identifiers in the image tag rather than the
image name. Auto DevOps will use a default naming convention of
`$CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA`, where the ref
slug typically refers to the branch name. This means that
vulnerabilities are not correctly correlated across branches. This
change adds `CS_DEFAULT_BRANCH_IMAGE` to the Auto DevOps template, which
allows images built with the default values to be correctly correlated
across branches. If the default values are changed, then
`CS_DEFAULT_BRANCH_IMAGE` will need to be changed as well.

Changelog: added
parent 3c54e2af
......@@ -103,10 +103,14 @@ You can override this behavior by defining specific variables:
| Image Path | `$CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG` for branch pipelines. `$CI_REGISTRY_IMAGE` for tag pipelines. | `$CI_APPLICATION_REPOSITORY` |
| Image Tag | `$CI_COMMIT_SHA` for branch pipelines. `$CI_COMMIT_TAG` for tag pipelines. | `$CI_APPLICATION_TAG` |
These variables also affect Auto Build. If you don't want to build and push an image to
These variables also affect Auto Build and Auto Container Scanning. If you don't want to build and push an image to
`$CI_APPLICATION_REPOSITORY:$CI_APPLICATION_TAG`, consider
including only `Jobs/Deploy.gitlab-ci.yml`, or [disabling the `build` jobs](#disable-jobs).
If you use Auto Container Scanning and set a value for `$CI_APPLICATION_REPOSITORY`, then you should
also update `$CS_DEFAULT_BRANCH_IMAGE`. See [Setting the default branch image](../../user/application_security/container_scanning/index.md#setting-the-default-branch-image)
for more details.
Here is an example setup in your `.gitlab-ci.yml`:
```yaml
......
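Review bot: the added sentence "If you use Auto Container Scanning and set a value for `$CI_APPLICATION_REPOSITORY`, then you should also update `$CS_DEFAULT_BRANCH_IMAGE`" covers only branch pipelines; the table two rows above states that tag pipelines push to `$CI_REGISTRY_IMAGE` with tag `$CI_COMMIT_TAG`, which a default branch image of the form `$CI_REGISTRY_IMAGE/$CI_DEFAULT_BRANCH:...` (as set in the template hunk below) never matches. Suggest adding one sentence here saying that correlation against the default branch image applies to images built by branch pipelines, so readers running tag pipelines know the setting does not cover them.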
......@@ -53,6 +53,10 @@ variables:
# KUBE_INGRESS_BASE_DOMAIN is the application deployment domain and should be set as a variable at the group or project level.
# KUBE_INGRESS_BASE_DOMAIN: domain.example.com
# Allows Container-Scanning to correctly correlate image names when using Jobs/Build.gitlab-ci.yml
CI_APPLICATION_TAG: $CI_COMMIT_SHA
CS_DEFAULT_BRANCH_IMAGE: $CI_REGISTRY_IMAGE/$CI_DEFAULT_BRANCH:$CI_APPLICATION_TAG
POSTGRES_USER: user
POSTGRES_PASSWORD: testing-password
POSTGRES_ENABLED: "true"
......
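Review bot: `CI_APPLICATION_TAG: $CI_COMMIT_SHA` is added unconditionally to the top-level `variables:` block, so it also applies to tag pipelines, where the docs table in this same change lists `$CI_COMMIT_TAG` as the default tag and names `$CI_APPLICATION_TAG` as the override; tag pipelines would therefore start tagging images by commit SHA instead of by tag. Suggest dropping the new `CI_APPLICATION_TAG` line and referencing the SHA directly, for example `CS_DEFAULT_BRANCH_IMAGE: $CI_REGISTRY_IMAGE/$CI_DEFAULT_BRANCH:$CI_COMMIT_SHA`, or, if the tag-pipeline change is intended, documenting it in the table above. As a style point, the comment says "Container-Scanning" while the docs use "Auto Container Scanning".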