Commit b18bfee3 authored by Heinrich Lee Yu's avatar Heinrich Lee Yu

Merge branch...

Merge branch '345434-extend-container-scanning-template-with-new-dependency-scanning-report' into 'master'

Extend Container Scanning to include dependency scanning report

See merge request gitlab-org/gitlab!75084
parents 969ab7fe c2434983
...@@ -11,7 +11,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w ...@@ -11,7 +11,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w
INFO: INFO:
Want to try out container scanning? Want to try out container scanning?
[Get a free 30-day trial GitLab Ultimate](https://about.gitlab.com/free-trial?glm_source=docs.gitlab.com&glm_content=u-container-scanning-docs). [Get a free 30-day trial of GitLab Ultimate](https://about.gitlab.com/free-trial?glm_source=docs.gitlab.com&glm_content=u-container-scanning-docs).
Your application's Docker image may itself be based on Docker images that contain known Your application's Docker image may itself be based on Docker images that contain known
vulnerabilities. By including an extra job in your pipeline that scans for those vulnerabilities and vulnerabilities. By including an extra job in your pipeline that scans for those vulnerabilities and
...@@ -135,6 +135,7 @@ You can [configure](#customizing-the-container-scanning-settings) analyzers by u ...@@ -135,6 +135,7 @@ You can [configure](#customizing-the-container-scanning-settings) analyzers by u
| `CI_APPLICATION_TAG` | `$CI_COMMIT_SHA` | Docker repository tag for the image to be scanned. | All | | `CI_APPLICATION_TAG` | `$CI_COMMIT_SHA` | Docker repository tag for the image to be scanned. | All |
| `CS_ANALYZER_IMAGE` | `registry.gitlab.com/security-products/container-scanning:4` | Docker image of the analyzer. | All | | `CS_ANALYZER_IMAGE` | `registry.gitlab.com/security-products/container-scanning:4` | Docker image of the analyzer. | All |
| `CS_DEFAULT_BRANCH_IMAGE` | `""` | The name of the `DOCKER_IMAGE` on the default branch. See [Setting the default branch image](#setting-the-default-branch-image) for more details. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/338877) in GitLab 14.5. | All | | `CS_DEFAULT_BRANCH_IMAGE` | `""` | The name of the `DOCKER_IMAGE` on the default branch. See [Setting the default branch image](#setting-the-default-branch-image) for more details. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/338877) in GitLab 14.5. | All |
| `CS_DISABLE_DEPENDENCY_SCAN` | `"true"` | Disable Dependency Scanning for packages installed in the scanned image. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/345434) in GitLab 14.6. | All |
| `CS_DOCKER_INSECURE` | `"false"` | Allow access to secure Docker registries using HTTPS without validating the certificates. | All | | `CS_DOCKER_INSECURE` | `"false"` | Allow access to secure Docker registries using HTTPS without validating the certificates. | All |
| `CS_REGISTRY_INSECURE` | `"false"` | Allow access to insecure registries (HTTP only). Should only be set to `true` when testing the image locally. Works with all scanners, but the registry must listen on port `80/tcp` for Trivy to work. | All | | `CS_REGISTRY_INSECURE` | `"false"` | Allow access to insecure registries (HTTP only). Should only be set to `true` when testing the image locally. Works with all scanners, but the registry must listen on port `80/tcp` for Trivy to work. | All |
| `CS_SEVERITY_THRESHOLD` | `UNKNOWN` | Severity level threshold. The scanner outputs vulnerabilities with severity level higher than or equal to this threshold. Supported levels are Unknown, Low, Medium, High, and Critical. | Trivy | | `CS_SEVERITY_THRESHOLD` | `UNKNOWN` | Severity level threshold. The scanner outputs vulnerabilities with severity level higher than or equal to this threshold. Supported levels are Unknown, Low, Medium, High, and Critical. | Trivy |
......
...@@ -98,8 +98,11 @@ RSpec.describe Security::SecurityOrchestrationPolicies::CiConfigurationService d ...@@ -98,8 +98,11 @@ RSpec.describe Security::SecurityOrchestrationPolicies::CiConfigurationService d
stage: 'test', stage: 'test',
allow_failure: true, allow_failure: true,
artifacts: { artifacts: {
reports: { container_scanning: 'gl-container-scanning-report.json' }, reports: {
paths: ['gl-container-scanning-report.json'] container_scanning: 'gl-container-scanning-report.json',
dependency_scanning: 'gl-dependency-scanning-report.json'
},
paths: ['gl-container-scanning-report.json', 'gl-dependency-scanning-report.json']
}, },
dependencies: [], dependencies: [],
script: ['gtcs scan'], script: ['gtcs scan'],
......
...@@ -38,7 +38,8 @@ container_scanning: ...@@ -38,7 +38,8 @@ container_scanning:
artifacts: artifacts:
reports: reports:
container_scanning: gl-container-scanning-report.json container_scanning: gl-container-scanning-report.json
paths: [gl-container-scanning-report.json] dependency_scanning: gl-dependency-scanning-report.json
paths: [gl-container-scanning-report.json, gl-dependency-scanning-report.json]
dependencies: [] dependencies: []
script: script:
- gtcs scan - gtcs scan
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment