2 changes: 2 additions & 0 deletions .gitignore
@@ -1 +1,3 @@
docs/_site/**

.DS_Store
2 changes: 1 addition & 1 deletion docs/index.md
@@ -136,7 +136,7 @@ In this [repository](https://github.com/sysdiglabs/secure-inline-scan-examples/)
* [Build and scan](https://github.com/sysdiglabs/secure-inline-scan-examples/tree/main/jenkins/jenkins-build-and-scan)
* [Build, push and scan from repository](https://github.com/sysdiglabs/secure-inline-scan-examples/tree/main/jenkins/jenkins-build-push-scan-from-repo)
* [Build, push and scan using Openshift internal registry](https://github.com/sysdiglabs/secure-inline-scan-examples/tree/main/jenkins/jenkins-openshift-internal-registry)
* [Gitlab](https://github.com/sysdiglabs/secure-inline-scan-examples/tree/main/gitlab)
* GitLab with the [new scan engine](https://github.com/sysdiglabs/secure-inline-scan-examples/tree/main/gitlab/new-scan-engine), or using the [legacy engine](https://github.com/sysdiglabs/secure-inline-scan-examples/tree/main/gitlab/old-scan-engine)
* [GitHub](https://github.com/sysdiglabs/secure-inline-scan-examples/tree/main/github)
* [Tekton](https://github.com/sysdiglabs/secure-inline-scan-examples/tree/main/tekton)
* [Tekton alpha API](https://github.com/sysdiglabs/secure-inline-scan-examples/tree/main/tekton/alpha)
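Review bot: the parent bullet keeps the spelling "Gitlab" while the new sub-bullet added in this hunk uses "GitLab"; since the sub-bullet is the line being edited, this is a good moment to make the parent consistent (`* [GitLab](...)`), matching the "GitHub" bullet just below it.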
53 changes: 53 additions & 0 deletions gitlab/new-scan-engine/.gitlab-ci.yml
@@ -0,0 +1,53 @@
variables:
SYSDIG_SECURE_ENDPOINT: "https://us2.app.sysdig.com"
CI_REGISTRY_HOST: "docker.io"
CI_REGISTRY_NAME: "my-registry"
CI_IMAGE_NAME: "my-image"
CI_IMAGE_TAG: "my-tag"

stages:
- build
- scan
- push

image:build:
stage: build
image:
name: gcr.io/kaniko-project/executor:debug
entrypoint: [""]
script:
- /kaniko/executor --dockerfile Dockerfile --destination $CI_REGISTRY_HOST/$CI_REGISTRY_NAME/$CI_IMAGE_NAME:$CI_IMAGE_TAG --no-push --oci-layout-path $(pwd)/build/ --tarPath $(pwd)/build/$CI_IMAGE_TAG.tar
artifacts:
paths:
- build/
expire_in: 1 days

image:scan:
stage: scan
before_script:
- export SECURE_API_TOKEN=$SYSDIG_SECURE_TOKEN
script:
- mkdir reports
- curl -LO https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/$(curl -L -s https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt)/linux/amd64/sysdig-cli-scanner
- chmod +x ./sysdig-cli-scanner
- ./sysdig-cli-scanner --console-log --apiurl $SYSDIG_SECURE_ENDPOINT file://$(pwd)/build/$CI_IMAGE_TAG.tar
artifacts:
paths:
- reports
- build/
expire_in: 1 days
when: always
needs:
- image:build

image:push:
stage: push
image:
name: gcr.io/go-containerregistry/crane:debug
entrypoint: [""]
script:
- crane auth login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY_HOST
- crane push build/$CI_IMAGE_TAG.tar $CI_REGISTRY_HOST/$CI_REGISTRY_NAME/$CI_IMAGE_NAME:$CI_IMAGE_TAG
needs:
- image:scan

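Review bot: the `image:scan` job fetches whatever `latest_version.txt` resolves to at run time and executes it with no version pin and no checksum comparison before `chmod +x`, so two runs of the same commit can scan with different scanner builds and the job trusts the download endpoint completely; putting the scanner version in a `variables:` entry and verifying a known digest of the binary would make the step reproducible. `mkdir reports` creates the directory that the `artifacts:` block captures, but nothing in the `sysdig-cli-scanner` invocation points output at it, so confirm the scanner writes there by default or the `reports` artifact will be empty. The job also declares no `image:`, so it runs on the runner's default image, which must provide `curl`. The `needs: - image:scan` on `image:push` is the part that matters: a non-zero exit from the scanner blocks the push, which is the gate this three-stage layout exists to provide, so that dependency should not be loosened later.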
File renamed without changes.
44 changes: 44 additions & 0 deletions gitlab/new-scan-engine/README.md
@@ -0,0 +1,44 @@
# GitLab CI Demo

In this demo we will use GitLab pipelines. We will need to split this pipeline into three different jobs
1. Kaniko: Tool used to build docker image
2. Sysdig-cli-scanner: Scan docker images for vulnerabilities using the new scan engine developed by Sysding in 2022
3. Crane: Push container image to a remote registry

## Setup
In GitLab repo settings add variables
`CI_REGISTRY_USER`: Docker username
`CI_REGISTRY_PASSWORD`: Docker user password
`SYSDIG_SECURE_TOKEN`: Sysdig Token

Modify the gitlab-ci.yml file to build the image
```
CI_REGISTRY_HOST: "docker.io"
CI_REGISTRY_NAME: my-registry
CI_IMAGE_NAME: "my-image"
CI_IMAGE_TAG: "latest"
```

The variables are to build the full image url
`$CI_REGISTRY_HOST/$CI_REGISTRY_NAME/$CI_IMAGE_NAME:$CI_IMAGE_TAG`
We would expect
`docker.io/my-registry/my-image:latest`

## Understanding the stages
In order to get around using Docker in docker, these additional stages are necessary

There are three pipeline stages
1. Build
2. Scan
3. Push

### Build
The build stage is using Kaniko. We use a method to build the container to an oci format tarball, saved to the current working directory in `build/` directory. It is not pushed to a remote registry.
We then save the `build/` directory as an artifact.

### Scan
The scan stage is using `sysdig-cli-scanner`. This stage uses a the latest Sysdig scanning method documented here [Sysdig Secure - Vulnerabilities](https://docs.sysdig.com/en/docs/sysdig-secure/vulnerabilities/pipeline/)
We then save the `build/` directory as an artifact for the next step as well as the `report/` directory to review the PDF scan results later.

### Push
The push stage is using `crane`. It simply authenticates to your docker registry and pushes the conatiner from the Build stage to the remote registry
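Review bot: several details in this README disagree with the `.gitlab-ci.yml` added in the same change: the example block sets `CI_IMAGE_TAG: "latest"` and leaves `CI_REGISTRY_NAME: my-registry` unquoted while the pipeline file uses `"my-tag"` and quotes every value, and the Scan section refers to a `report/` directory while the job creates and archives `reports`. Aligning the two avoids a copy-paste mismatch for readers who follow the Setup section. Typos to fix: "Sysding" in item 2 of the job list, "uses a the latest" in the Scan section, and "conatiner" in the Push section. The new README also drops the sentence from the old one about not requiring privileged containers or Docker-in-Docker, which is the main reason for splitting the pipeline into build, scan and push jobs and is worth carrying over.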
File renamed without changes.
1 change: 1 addition & 0 deletions gitlab/old-scan-engine/Dockerfile
@@ -0,0 +1 @@
FROM alpine
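Review bot: `FROM alpine` is unpinned, so each pipeline run may build and scan a different base image and the scan result stops describing the image that is actually pushed; pin to a specific tag, or better a digest, so the sample stays reproducible and the scan verdict stays meaningful.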
6 changes: 4 additions & 2 deletions gitlab/README.md → gitlab/old-scan-engine/README.md
@@ -1,11 +1,13 @@
# GitLab CI Demo - No DinD

> :warning: **Outdated example**: This example is using the legacy scan engine. Please use the [latest example for the new scan engine](../new-scan-engine/README.md) instead.

![Gitlab job](gitlab.png)

In this demo we will use GitLab pipelines without requiring privileged containers, or docker in docker.
We will need to split this pipeline into three different jobs
1. Kaniko: Tool used to build docker image
2. Sysdig-inline-scan: Scan docker images for vulnerabilities
2. Sysdig-inline-scan (deprecated): Scan docker images for vulnerabilities
3. Crane: Push container image to a remote registry

## Setup
@@ -40,7 +42,7 @@ The build stage is using Kaniko. We use a method to build the container to an oc
We then save the `build/` directory as an artifact.

### Scan
The scan stage is using `sysdig-inline-scan:2`. This stage uses a newer Sysdig scanning method without the docker daemon dependencies.
The scan stage is using `sysdig-inline-scan:2` (deprecated). This stage uses a scanning method without the docker daemon dependencies ([Documentation](https://docs.sysdig.com/en/docs/sysdig-secure/scanning/integrate-with-cicd-tools/)).
We then save the `build/` directory as an artifact for the next step as well as the `report/` directory to review the PDF scan results later.

### Push
File renamed without changes