From f0ec10752d6b7eda4071556bf3bc8fb21f390de7 Mon Sep 17 00:00:00 2001
From: manuelbcd
Date: Wed, 17 Aug 2022 23:35:30 +0200
Subject: [PATCH 1/4] Add new scan pipeline for GitLab and reorganize folders
---
 .gitignore | 2 +
 gitlab/new-scan-engine/.gitlab-ci.yml | 53 ++++++++++++++++++++
 gitlab/{ => new-scan-engine}/Dockerfile | 0
 gitlab/{ => new-scan-engine}/README.md | 0
 gitlab/{ => old-scan-engine}/.gitlab-ci.yml | 0
 gitlab/old-scan-engine/Dockerfile | 1 +
 gitlab/old-scan-engine/README.md | 49 ++++++++++++++++++
 gitlab/{ => old-scan-engine}/gitlab.png | Bin
 8 files changed, 105 insertions(+)
 create mode 100644 gitlab/new-scan-engine/.gitlab-ci.yml
 rename gitlab/{ => new-scan-engine}/Dockerfile (100%)
 rename gitlab/{ => new-scan-engine}/README.md (100%)
 rename gitlab/{ => old-scan-engine}/.gitlab-ci.yml (100%)
 create mode 100644 gitlab/old-scan-engine/Dockerfile
 create mode 100644 gitlab/old-scan-engine/README.md
 rename gitlab/{ => old-scan-engine}/gitlab.png (100%)
diff --git a/.gitignore b/.gitignore
index 8818c1d..94fd8af 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,3 @@
 docs/_site/**
+
+.DS_Store
diff --git a/gitlab/new-scan-engine/.gitlab-ci.yml b/gitlab/new-scan-engine/.gitlab-ci.yml
new file mode 100644
index 0000000..125b5ae
--- /dev/null
+++ b/gitlab/new-scan-engine/.gitlab-ci.yml
@@ -0,0 +1,53 @@
+variables:
+ SYSDIG_SECURE_ENDPOINT: "https://us2.app.sysdig.com"
+ CI_REGISTRY_HOST: "docker.io"
+ CI_REGISTRY_NAME: "my-registry"
+ CI_IMAGE_NAME: "my-image"
+ CI_IMAGE_TAG: "my-tag"
+
+stages:
+ - build
+ - scan
+ - push
+
+image:build:
+ stage: build
+ image:
+ name: gcr.io/kaniko-project/executor:debug
+ entrypoint: [""]
+ script:
+ - /kaniko/executor --dockerfile Dockerfile --destination $CI_REGISTRY_HOST/$CI_REGISTRY_NAME/$CI_IMAGE_NAME:$CI_IMAGE_TAG --no-push --oci-layout-path $(pwd)/build/ --tarPath $(pwd)/build/$CI_IMAGE_TAG.tar
+ artifacts:
+ paths:
+ - build/
+ expire_in: 1 days
+
+image:scan:
+ stage: scan
+ before_script:
+ - export SECURE_API_TOKEN=$SYSDIG_SECURE_TOKEN
+ script:
+ - mkdir reports
+ - curl -LO https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/$(curl -L -s https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt)/linux/amd64/sysdig-cli-scanner
+ - chmod +x ./sysdig-cli-scanner
+ - ./sysdig-cli-scanner --console-log --apiurl $SYSDIG_SECURE_ENDPOINT file://$(pwd)/build/$CI_IMAGE_TAG.tar
+ artifacts:
+ paths:
+ - reports
+ - build/
+ expire_in: 1 days
+ when: always
+ needs:
+ - image:build
+
+image:push:
+ stage: push
+ image:
+ name: gcr.io/go-containerregistry/crane:debug
+ entrypoint: [""]
+ script:
+ - crane auth login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY_HOST
+ - crane push build/$CI_IMAGE_TAG.tar $CI_REGISTRY_HOST/$CI_REGISTRY_NAME/$CI_IMAGE_NAME:$CI_IMAGE_TAG
+ needs:
+ - image:scan
+
diff --git a/gitlab/Dockerfile b/gitlab/new-scan-engine/Dockerfile
similarity index 100%
rename from gitlab/Dockerfile
rename to gitlab/new-scan-engine/Dockerfile
diff --git a/gitlab/README.md b/gitlab/new-scan-engine/README.md
similarity index 100%
rename from gitlab/README.md
rename to gitlab/new-scan-engine/README.md
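Review bot: The `image:scan` script downloads `sysdig-cli-scanner` at whatever version `latest_version.txt` names at run time and executes it after `chmod +x` with no integrity check, so the gate in front of `image:push` rests on an unpinned, unverified binary. Pin the version and verify the download before it is made executable, e.g. `- curl -LO https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/<PINNED_VERSION>/linux/amd64/sysdig-cli-scanner` followed by `- echo "<EXPECTED_SHA256>  sysdig-cli-scanner" | sha256sum -c -` (both values are placeholders to fill from the release you pin). In `image:push`, `crane auth login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY_HOST` passes the registry password as a command-line argument, where it is visible to process listings and to any shell tracing in the job; `- echo "$CI_REGISTRY_PASSWORD" | crane auth login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY_HOST"` keeps it off the command line. Two smaller points worth confirming: `image:scan` declares no `image:`, so it presumably runs on the runner's default image, which may not ship `curl`; and nothing in the visible scanner invocation writes into the `reports` directory created by `mkdir reports`, so the `reports` artifact may come out empty.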
diff --git a/gitlab/.gitlab-ci.yml b/gitlab/old-scan-engine/.gitlab-ci.yml
similarity index 100%
rename from gitlab/.gitlab-ci.yml
rename to gitlab/old-scan-engine/.gitlab-ci.yml
diff --git a/gitlab/old-scan-engine/Dockerfile b/gitlab/old-scan-engine/Dockerfile
new file mode 100644
index 0000000..c3c78df
--- /dev/null
+++ b/gitlab/old-scan-engine/Dockerfile
@@ -0,0 +1 @@
+FROM alpine
\ No newline at end of file
diff --git a/gitlab/old-scan-engine/README.md b/gitlab/old-scan-engine/README.md
new file mode 100644
index 0000000..2f8e403
--- /dev/null
+++ b/gitlab/old-scan-engine/README.md
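Review bot: `FROM alpine` in the new `gitlab/old-scan-engine/Dockerfile` pins neither a tag nor a digest, so each build resolves to whatever the registry's current default tag points at, and the image that was scanned is not reproducibly the image built next time. Even for a demo, pin it as `FROM alpine:<TAG>@sha256:<DIGEST>` (placeholders to fill from the image you intend to use) so scan results stay tied to a fixed base; the file also has no trailing newline, which the `\ No newline at end of file` marker shows.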
@@ -0,0 +1,49 @@
+# GitLab CI Demo - No DinD
+
+![Gitlab job](gitlab.png)
+
+> :warning: **Outdated example**: This example is using the legacy scan engine. Please use the new scan engine instead.
+
+In this demo we will use GitLab pipelines without requiring privileged containers, or docker in docker.
+We will need to split this pipeline into three different jobs
+1. Kaniko: Tool used to build docker image
+2. Sysdig-inline-scan (deprecated): Scan docker images for vulnerabilities
+3. Crane: Push container image to a remote registry
+
+## Setup
+In GitLab repo settings add variables
+`CI_REGISTRY_USER`: Docker username
+`CI_REGISTRY_PASSWORD`: Docker user password
+`SYSDIG_SECURE_TOKEN`: Sysdig Token
+
+Modify the gitlab-ci.yml file to build the image
+```
+ CI_REGISTRY_HOST: "docker.io"
+ CI_REGISTRY_NAME: my-registry
+ CI_IMAGE_NAME: "my-image"
+ CI_IMAGE_TAG: "latest"
+```
+
+The variables are to build the full image url
+`$CI_REGISTRY_HOST/$CI_REGISTRY_NAME/$CI_IMAGE_NAME:$CI_IMAGE_TAG`
+We would expect
+`docker.io/my-registry/my-image:latest`
+
+## Understanding the stages
+In order to get around using Docker in docker, these additional stages are necessary
+
+There are three pipeline stages
+1. Build
+2. Scan
+3. Push
+
+### Build
+The build stage is using Kaniko. We use a method to build the container to an oci format tarball, saved to the current working directory in `build/` directory. It is not pushed to a remote registry.
+We then save the `build/` directory as an artifact.
+
+### Scan
+The scan stage is using `sysdig-inline-scan:2` (deprecated). This stage uses a newer Sysdig scanning method without the docker daemon dependencies.
+We then save the `build/` directory as an artifact for the next step as well as the `report/` directory to review the PDF scan results later.
+
+### Push
+The push stage is using `crane`. It simply authenticates to your docker registry and pushes the conatiner from the Build stage to the remote registry
diff --git a/gitlab/gitlab.png b/gitlab/old-scan-engine/gitlab.png
similarity index 100%
rename from gitlab/gitlab.png
rename to gitlab/old-scan-engine/gitlab.png
From 770dbf2380d0ead9bd5feca347b7cbec2d8ef4fa Mon Sep 17 00:00:00 2001
From: manuelbcd
Date: Wed, 17 Aug 2022 23:40:02 +0200
Subject: [PATCH 2/4] Documentation
---
 gitlab/new-scan-engine/README.md | 6 ++----
 gitlab/old-scan-engine/README.md | 6 +++---
 2 files changed, 5 insertions(+), 7 deletions(-)
diff --git a/gitlab/new-scan-engine/README.md b/gitlab/new-scan-engine/README.md
index c1aba8d..f824f98 100644
--- a/gitlab/new-scan-engine/README.md
+++ b/gitlab/new-scan-engine/README.md
@@ -1,11 +1,9 @@
 # GitLab CI Demo - No DinD
-![Gitlab job](gitlab.png)
-
 In this demo we will use GitLab pipelines without requiring privileged containers, or docker in docker.
 We will need to split this pipeline into three different jobs
 1. Kaniko: Tool used to build docker image
-2. Sysdig-inline-scan: Scan docker images for vulnerabilities
+2. Sysdig-cli-scanner: Scan docker images for vulnerabilities using the new scan engine developed by Sysding in 2022
 3. Crane: Push container image to a remote registry
 ## Setup
@@ -40,7 +38,7 @@ The build stage is using Kaniko. We use a method to build the container to an oc
 We then save the `build/` directory as an artifact.
 ### Scan
-The scan stage is using `sysdig-inline-scan:2`. This stage uses a newer Sysdig scanning method without the docker daemon dependencies.
+The scan stage is using `sysdig-cli-scanner`. This stage uses a the latest Sysdig scanning method documented here [Sysdig Secure - Vulnerabilities](https://docs.sysdig.com/en/docs/sysdig-secure/vulnerabilities/pipeline/)
 We then save the `build/` directory as an artifact for the next step as well as the `report/` directory to review the PDF scan results later.
 ### Push
diff --git a/gitlab/old-scan-engine/README.md b/gitlab/old-scan-engine/README.md
index 2f8e403..17e64a0 100644
--- a/gitlab/old-scan-engine/README.md
+++ b/gitlab/old-scan-engine/README.md
@@ -1,8 +1,8 @@
 # GitLab CI Demo - No DinD
-![Gitlab job](gitlab.png)
+> :warning: **Outdated example**: This example is using the legacy scan engine. Please use the [latest example for the new scan engine](../new-scan-engine/README.md) instead.
-> :warning: **Outdated example**: This example is using the legacy scan engine. Please use the new scan engine instead.
+![Gitlab job](gitlab.png)
 In this demo we will use GitLab pipelines without requiring privileged containers, or docker in docker.
 We will need to split this pipeline into three different jobs
@@ -42,7 +42,7 @@ The build stage is using Kaniko. We use a method to build the container to an oc
 We then save the `build/` directory as an artifact.
 ### Scan
-The scan stage is using `sysdig-inline-scan:2` (deprecated). This stage uses a newer Sysdig scanning method without the docker daemon dependencies.
+The scan stage is using `sysdig-inline-scan:2` (deprecated). This stage uses a scanning method without the docker daemon dependencies ([Documentation](https://docs.sysdig.com/en/docs/sysdig-secure/scanning/integrate-with-cicd-tools/)).
 We then save the `build/` directory as an artifact for the next step as well as the `report/` directory to review the PDF scan results later.
 ### Push
From 75952d547cd395ff4dbb30d5dcb0cea18578bfa9 Mon Sep 17 00:00:00 2001
From: manuelbcd
Date: Wed, 17 Aug 2022 23:41:31 +0200
Subject: [PATCH 3/4] Fix documentation (last)
---
 gitlab/new-scan-engine/README.md | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/gitlab/new-scan-engine/README.md b/gitlab/new-scan-engine/README.md
index f824f98..d8e7bd1 100644
--- a/gitlab/new-scan-engine/README.md
+++ b/gitlab/new-scan-engine/README.md
@@ -1,7 +1,6 @@
-# GitLab CI Demo - No DinD
+# GitLab CI Demo
-In this demo we will use GitLab pipelines without requiring privileged containers, or docker in docker.
-We will need to split this pipeline into three different jobs
+In this demo we will use GitLab pipelines. We will need to split this pipeline into three different jobs
 1. Kaniko: Tool used to build docker image
 2. Sysdig-cli-scanner: Scan docker images for vulnerabilities using the new scan engine developed by Sysding in 2022
 3. Crane: Push container image to a remote registry
From 911135d6c69d61354b8634ea55c112ea48184d2a Mon Sep 17 00:00:00 2001
From: manuelbcd
Date: Fri, 26 Aug 2022 23:59:03 +0200
Subject: [PATCH 4/4] Update index.md
---
 docs/index.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/index.md b/docs/index.md
index b790185..f17b77b 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -136,7 +136,7 @@ In this [repository](https://github.com/sysdiglabs/secure-inline-scan-examples/)
 * [Build and scan](https://github.com/sysdiglabs/secure-inline-scan-examples/tree/main/jenkins/jenkins-build-and-scan)
 * [Build, push and scan from repository](https://github.com/sysdiglabs/secure-inline-scan-examples/tree/main/jenkins/jenkins-build-push-scan-from-repo)
 * [Build, push and scan using Openshift internal registry](https://github.com/sysdiglabs/secure-inline-scan-examples/tree/main/jenkins/jenkins-openshift-internal-registry)
-* [Gitlab](https://github.com/sysdiglabs/secure-inline-scan-examples/tree/main/gitlab)
+* GitLab with the [new scan engine](https://github.com/sysdiglabs/secure-inline-scan-examples/tree/main/gitlab/new-scan-engine), or using the [legacy engine](https://github.com/sysdiglabs/secure-inline-scan-examples/tree/main/gitlab/old-scan-engine)
 * [GitHub](https://github.com/sysdiglabs/secure-inline-scan-examples/tree/main/github)
 * [Tekton](https://github.com/sysdiglabs/secure-inline-scan-examples/tree/main/tekton)
 * [Tekton alpha API](https://github.com/sysdiglabs/secure-inline-scan-examples/tree/main/tekton/alpha)