Container Scanning
DETAILS: Tier: Free, Premium, Ultimate Offering: GitLab.com, Self-managed, GitLab Dedicated
- Changed the major analyzer version from
4
to5
in GitLab 15.0.- Moved from GitLab Ultimate to GitLab Free in 15.0.
- Container Scanning variables that reference Docker renamed in GitLab 15.4.
- Container Scanning template moved from
Security/Container-Scanning.gitlab-ci.yml
toJobs/Container-Scanning.gitlab-ci.yml
in GitLab 15.6.
Your application's Docker image may itself be based on Docker images that contain known vulnerabilities. By including an extra Container Scanning job in your pipeline that scans for those vulnerabilities and displays them in a merge request, you can use GitLab to audit your Docker-based apps.
- For an overview, see Container Scanning.
- For a video walkthrough, see How to set up Container Scanning using GitLab.
- For an introductory tutorial, see Scan a Docker container for vulnerabilities.
Container Scanning is often considered part of Software Composition Analysis (SCA). SCA can contain aspects of inspecting the items your code uses. These items typically include application and system dependencies that are almost always imported from external sources, rather than sourced from items you wrote yourself.
GitLab offers both Container Scanning and Dependency Scanning to ensure coverage for all of these dependency types. To cover as much of your risk area as possible, we encourage you to use all of our security scanners. For a comparison of these features, see Dependency Scanning compared to Container Scanning.
GitLab integrates with the Trivy security scanner to perform vulnerability static analysis in containers.
WARNING: The Grype analyzer is no longer maintained, except for limited fixes as explained in our statement of support. The existing current major version for the Grype analyzer image will continue to be updated with the latest advisory database, and operating system packages until GitLab 19.0, at which point the analyzer will stop working.
To integrate GitLab with security scanners other than those listed here, see Security scanner integration.
You can enable container scanning by doing one of the following:
-
Include the CI job in your existing
.gitlab-ci.yml
file. - Implicitly use Auto Container Scanning, provided by Auto DevOps.
GitLab compares the found vulnerabilities between the source and target branches, and shows the information directly in the merge request.
Capabilities
Capability | In Free and Premium | In Ultimate |
---|---|---|
Configure Scanners | {check-circle} Yes | {check-circle} Yes |
Customize Settings (Variables, Overriding, offline environment support, etc) | {check-circle} Yes | {check-circle} Yes |
View JSON Report as a CI job artifact | {check-circle} Yes | {check-circle} Yes |
Generate a CycloneDX SBOM JSON report as a CI job artifact | {check-circle} Yes | {check-circle} Yes |
Ability to enable container scanning via an MR in the GitLab UI | {check-circle} Yes | {check-circle} Yes |
UBI Image Support | {check-circle} Yes | {check-circle} Yes |
Support for Trivy | {check-circle} Yes | {check-circle} Yes |
Inclusion of GitLab Advisory Database | Limited to the time-delayed content from GitLab advisories-communities project | Yes - all the latest content from Gemnasium DB |
Presentation of Report data in Merge Request and Security tab of the CI pipeline job | {dotted-circle} No | {check-circle} Yes |
Interaction with Vulnerabilities such as merge request approvals | {dotted-circle} No | {check-circle} Yes |
Solutions for vulnerabilities (auto-remediation) | {dotted-circle} No | {check-circle} Yes |
Support for the vulnerability allow list | {dotted-circle} No | {check-circle} Yes |
Access to Security Dashboard page | {dotted-circle} No | {check-circle} Yes |
Access to Dependency List page | {dotted-circle} No | {check-circle} Yes |
Prerequisites
To enable container scanning in your pipeline, you need the following:
- GitLab CI/CD pipeline must include the
test
stage, which is available unless overridden with thestages
keyword. -
GitLab Runner with the
docker
orkubernetes
executor on Linux/amd64. - Docker
18.09.03
or later installed on the same computer as the runner. If you're using the instance runners on GitLab.com, then this is already the case. - An image matching the supported distributions.
- Build and push the Docker image to your project's container registry.
- If you're using a third-party container registry, you might need to provide authentication
credentials through the
CS_REGISTRY_USER
andCS_REGISTRY_PASSWORD
configuration variables. For more details on how to use these variables, see authenticate to a remote registry.
Configuration
To enable container scanning, add the
Container-Scanning.gitlab-ci.yml
template
to your .gitlab-ci.yml
file:
include:
- template: Jobs/Container-Scanning.gitlab-ci.yml
The included template:
- Creates a
container_scanning
job in your CI/CD pipeline. - Pulls the built Docker image from your project's container registry (see prerequisites) and scans it for possible vulnerabilities.
GitLab saves the results as a Container Scanning report artifact that you can download and analyze later. When downloading, you always receive the most-recent artifact. A CycloneDX SBOM JSON report is also created to report the list of components.
The following is a sample .gitlab-ci.yml
that builds your Docker image, pushes it to the container
registry, and scans the image:
include:
- template: Jobs/Build.gitlab-ci.yml
- template: Jobs/Container-Scanning.gitlab-ci.yml
container_scanning:
variables:
CS_DEFAULT_BRANCH_IMAGE: $CI_REGISTRY_IMAGE/$CI_DEFAULT_BRANCH:$CI_COMMIT_SHA
Setting CS_DEFAULT_BRANCH_IMAGE
avoids duplicate vulnerability findings when an image name differs across branches.
The value of CS_DEFAULT_BRANCH_IMAGE
indicates the name of the scanned image as it appears on the default branch.
For more details on how this deduplication is achieved, see Setting the default branch image.
Customizing the container scanning settings
There may be cases where you want to customize how GitLab scans your containers. For example, you
may want to enable more verbose output, access a Docker registry that requires
authentication, and more. To change such settings, use the variables
parameter in your .gitlab-ci.yml
to set CI/CD variables.
The variables you set in your .gitlab-ci.yml
overwrite those in
Container-Scanning.gitlab-ci.yml
.
This example includes the container scanning template and enables verbose output for the analyzer:
include:
- template: Jobs/Container-Scanning.gitlab-ci.yml
variables:
SECURE_LOG_LEVEL: 'debug'
Scan an image in a remote registry
To scan images located in a registry other than the project's, use the following .gitlab-ci.yml
:
include:
- template: Jobs/Container-Scanning.gitlab-ci.yml
container_scanning:
variables:
CS_IMAGE: example.com/user/image:tag
Authenticate to a remote registry
Scanning an image in a private registry requires authentication. Provide the username in the CS_REGISTRY_USER
variable, and the password in the CS_REGISTRY_PASSWORD
configuration variable.
For example, to scan an image from AWS Elastic Container Registry:
container_scanning:
before_script:
- ruby -r open-uri -e "IO.copy_stream(URI.open('https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip'), 'awscliv2.zip')"
- unzip awscliv2.zip
- sudo ./aws/install
- aws --version
- export AWS_ECR_PASSWORD=$(aws ecr get-login-password --region region)
include:
- template: Jobs/Container-Scanning.gitlab-ci.yml
variables:
CS_IMAGE: <aws_account_id>.dkr.ecr.<region>.amazonaws.com/<image>:<tag>
CS_REGISTRY_USER: AWS
CS_REGISTRY_PASSWORD: "$AWS_ECR_PASSWORD"
AWS_DEFAULT_REGION: <region>
Authenticating to a remote registry is not supported when FIPS mode is enabled.
Report language-specific findings
The CS_DISABLE_LANGUAGE_VULNERABILITY_SCAN
CI/CD variable controls whether the scan reports
findings related to programming languages. For more information about the supported languages, see Language-specific Packages in the Trivy documentation.
By default, the report only includes packages managed by the Operating System (OS) package manager
(for example, yum
, apt
, apk
, tdnf
). To report security findings in non-OS packages, set
CS_DISABLE_LANGUAGE_VULNERABILITY_SCAN
to "false"
:
include:
- template: Jobs/Container-Scanning.gitlab-ci.yml
container_scanning:
variables:
CS_DISABLE_LANGUAGE_VULNERABILITY_SCAN: "false"
When you enable this feature, you may see duplicate findings in the Vulnerability Report if Dependency Scanning is enabled for your project. This happens because GitLab can't automatically deduplicate findings across different types of scanning tools. To understand which types of dependencies are likely to be duplicated, see Dependency Scanning compared to Container Scanning.
Running jobs in merge request pipelines
See Use security scanning tools with merge request pipelines.
Available CI/CD variables
You can configure analyzers by using the following CI/CD variables.
WARNING: All customization of GitLab security scanning tools should be tested in a merge request before merging these changes to the default branch. Failure to do so can give unexpected results, including a large number of false positives.
CI/CD Variable | Default | Description | Scanner |
---|---|---|---|
ADDITIONAL_CA_CERT_BUNDLE |
"" |
Bundle of CA certs that you want to trust. See Using a custom SSL CA certificate authority for more details. | All |
CI_APPLICATION_REPOSITORY |
$CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG |
Docker repository URL for the image to be scanned. | All |
CI_APPLICATION_TAG |
$CI_COMMIT_SHA |
Docker repository tag for the image to be scanned. | All |
CS_ANALYZER_IMAGE |
registry.gitlab.com/security-products/container-scanning:7 |
Docker image of the analyzer. Do not use the :latest tag with analyzer images provided by GitLab. |
All |
CS_DEFAULT_BRANCH_IMAGE |
"" |
The name of the CS_IMAGE on the default branch. See Setting the default branch image for more details. |
All |
CS_DISABLE_DEPENDENCY_LIST |
"false" |
{warning} Removed in GitLab 17.0. | All |
CS_DISABLE_LANGUAGE_VULNERABILITY_SCAN |
"true" |
Disable scanning for language-specific packages installed in the scanned image. | All |
CS_DOCKER_INSECURE |
"false" |
Allow access to secure Docker registries using HTTPS without validating the certificates. | All |
CS_DOCKERFILE_PATH |
Dockerfile |
The path to the Dockerfile to use for generating remediations. By default, the scanner looks for a file named Dockerfile in the root directory of the project. You should configure this variable only if your Dockerfile is in a non-standard location, such as a subdirectory. See Solutions for vulnerabilities for more details. |
All |
CS_IGNORE_STATUSES 1
|
"" |
Force the analyzer to ignore vulnerability findings with specified statuses in a comma-delimited list. For trivy , the following values are allowed: unknown,not_affected,affected,fixed,under_investigation,will_not_fix,fix_deferred,end_of_life . |
All |
CS_IGNORE_UNFIXED |
"false" |
Ignore vulnerabilities that are not fixed. | All |
CS_IMAGE |
$CI_APPLICATION_REPOSITORY:$CI_APPLICATION_TAG |
The Docker image to be scanned. If set, this variable overrides the $CI_APPLICATION_REPOSITORY and $CI_APPLICATION_TAG variables. |
All |
CS_IMAGE_SUFFIX |
"" |
Suffix added to CS_ANALYZER_IMAGE . If set to -fips , FIPS-enabled image is used for scan. See FIPS-enabled images for more details. |
All |
CS_QUIET |
"" |
If set, this variable disables output of the vulnerabilities table in the job log. Introduced in GitLab 15.1. | All |
CS_REGISTRY_INSECURE |
"false" |
Allow access to insecure registries (HTTP only). Should only be set to true when testing the image locally. Works with all scanners, but the registry must listen on port 80/tcp for Trivy to work. |
All |
CS_REGISTRY_PASSWORD |
$CI_REGISTRY_PASSWORD |
Password for accessing a Docker registry requiring authentication. The default is only set if $CS_IMAGE resides at $CI_REGISTRY . Not supported when FIPS mode is enabled. |
All |
CS_REGISTRY_USER |
$CI_REGISTRY_USER |
Username for accessing a Docker registry requiring authentication. The default is only set if $CS_IMAGE resides at $CI_REGISTRY . Not supported when FIPS mode is enabled. |
All |
CS_SEVERITY_THRESHOLD |
UNKNOWN |
Severity level threshold. The scanner outputs vulnerabilities with severity level higher than or equal to this threshold. Supported levels are UNKNOWN , LOW , MEDIUM , HIGH , and CRITICAL . |
Trivy |
CS_TRIVY_JAVA_DB |
"ghcr.io/aquasecurity/trivy-java-db" |
Specify an alternate location for the trivy-java-db vulnerability database. | Trivy |
SECURE_LOG_LEVEL |
info |
Set the minimum logging level. Messages of this logging level or higher are output. From highest to lowest severity, the logging levels are: fatal , error , warn , info , debug . |
All |
TRIVY_TIMEOUT |
5m0s |
Set the timeout for the scan. | Trivy |
-
Fix status information is highly dependent on accurate fix availability data from the software vendor and container image operating system package metadata. It is also subject to interpretation by individual container scanners. In cases where a container scanner misreports the availability of a fixed package for a vulnerability, using `CS_IGNORE_STATUSES` can lead to false positive or false negative filtering of findings when this setting is enabled.
Supported distributions
The following Linux distributions are supported:
- Alma Linux
- Alpine Linux
- Amazon Linux
- CentOS
- CBL-Mariner
- Debian
- Distroless
- Oracle Linux
- Photon OS
- Red Hat (RHEL)
- Rocky Linux
- SUSE
- Ubuntu
FIPS-enabled images
GitLab also offers FIPS-enabled Red Hat UBI
versions of the container-scanning images. You can therefore replace standard images with FIPS-enabled
images. To configure the images, set the CS_IMAGE_SUFFIX
to -fips
or modify the CS_ANALYZER_IMAGE
variable to the
standard tag plus the -fips
extension.
NOTE:
The -fips
flag is automatically added to CS_ANALYZER_IMAGE
when FIPS mode is
enabled in the GitLab instance.
Container scanning of images in authenticated registries is not supported when FIPS mode
is enabled. When CI_GITLAB_FIPS_MODE
is "true"
, and CS_REGISTRY_USER
or CS_REGISTRY_PASSWORD
is set,
the analyzer exits with an error and does not perform the scan.
Enable Container Scanning through an automatic merge request
To enable Container Scanning in a project, create a merge request from the Security Configuration page:
- In the project where you want to enable Container Scanning, go to Secure > Security configuration.
- In the Container Scanning row, select Configure with a merge request.
This automatically creates a merge request with the changes necessary to enable Container Scanning. To complete the configuration, review and merge this merge request.
The configuration tool works best with no existing .gitlab-ci.yml
file, or with a minimal
configuration file. If you have a complex GitLab configuration file, it may not be parsed
successfully and an error may occur.
Overriding the container scanning template
If you want to override the job definition (for example, to change properties like variables
), you
must declare and override a job after the template inclusion, and then
specify any additional keys.
This example sets GIT_STRATEGY
to fetch
:
include:
- template: Jobs/Container-Scanning.gitlab-ci.yml
container_scanning:
variables:
GIT_STRATEGY: fetch
Setting the default branch image
By default, container scanning assumes that the image naming convention stores any branch-specific identifiers in the image tag rather than the image name. When the image name differs between the default branch and the non-default branch, previously-detected vulnerabilities show up as newly detected in merge requests.
When the same image has different names on the default branch and a non-default branch, you can use
the CS_DEFAULT_BRANCH_IMAGE
variable to indicate what that image's name is on the default branch.
GitLab then correctly determines if a vulnerability already exists when running scans on non-default
branches.
As an example, suppose the following:
- Non-default branches publish images with the naming convention
$CI_REGISTRY_IMAGE/$CI_COMMIT_BRANCH:$CI_COMMIT_SHA
. - The default branch publishes images with the naming convention
$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
.
In this example, you can use the following CI/CD configuration to ensure that vulnerabilities aren't duplicated:
include:
- template: Jobs/Container-Scanning.gitlab-ci.yml
container_scanning:
variables:
CS_DEFAULT_BRANCH_IMAGE: $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
before_script:
- export CS_IMAGE="$CI_REGISTRY_IMAGE/$CI_COMMIT_BRANCH:$CI_COMMIT_SHA"
- |
if [ "$CI_COMMIT_BRANCH" == "$CI_DEFAULT_BRANCH" ]; then
export CS_IMAGE="$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
fi
CS_DEFAULT_BRANCH_IMAGE
should remain the same for a given CS_IMAGE
. If it changes, then a
duplicate set of vulnerabilities are created, which must be manually dismissed.
When using Auto DevOps, CS_DEFAULT_BRANCH_IMAGE
is
automatically set to $CI_REGISTRY_IMAGE/$CI_DEFAULT_BRANCH:$CI_APPLICATION_TAG
.
Using a custom SSL CA certificate authority
You can use the ADDITIONAL_CA_CERT_BUNDLE
CI/CD variable to configure a custom SSL CA certificate authority, which is used to verify the peer when fetching Docker images from a registry which uses HTTPS. The ADDITIONAL_CA_CERT_BUNDLE
value should contain the text representation of the X.509 PEM public-key certificate. For example, to configure this value in the .gitlab-ci.yml
file, use the following:
container_scanning:
variables:
ADDITIONAL_CA_CERT_BUNDLE: |
-----BEGIN CERTIFICATE-----
MIIGqTCCBJGgAwIBAgIQI7AVxxVwg2kch4d56XNdDjANBgkqhkiG9w0BAQsFADCB
...
jWgmPqF3vUbZE0EyScetPJquRFRKIesyJuBFMAs=
-----END CERTIFICATE-----
The ADDITIONAL_CA_CERT_BUNDLE
value can also be configured as a custom variable in the UI, either as a file
, which requires the path to the certificate, or as a variable, which requires the text representation of the certificate.
Vulnerability allowlisting
DETAILS: Tier: Ultimate Offering: GitLab.com, Self-managed, GitLab Dedicated
To allowlist specific vulnerabilities, follow these steps:
- Set
GIT_STRATEGY: fetch
in your.gitlab-ci.yml
file by following the instructions in overriding the container scanning template. - Define the allowlisted vulnerabilities in a YAML file named
vulnerability-allowlist.yml
. This must use the format described invulnerability-allowlist.yml
data format. - Add the
vulnerability-allowlist.yml
file to the root folder of your project's Git repository.
vulnerability-allowlist.yml
data format
The vulnerability-allowlist.yml
file is a YAML file that specifies a list of CVE IDs of vulnerabilities that are allowed to exist, because they're false positives, or they're not applicable.
If a matching entry is found in the vulnerability-allowlist.yml
file, the following happens:
- The vulnerability is not included when the analyzer generates the
gl-container-scanning-report.json
file. - The Security tab of the pipeline does not show the vulnerability. It is not included in the JSON file, which is the source of truth for the Security tab.
Example vulnerability-allowlist.yml
file:
generalallowlist:
CVE-2019-8696:
CVE-2014-8166: cups
CVE-2017-18248:
images:
registry.gitlab.com/gitlab-org/security-products/dast/webgoat-8.0@sha256:
CVE-2018-4180:
your.private.registry:5000/centos:
CVE-2015-1419: libxml2
CVE-2015-1447:
This example excludes from gl-container-scanning-report.json
:
- All vulnerabilities with CVE IDs: CVE-2019-8696, CVE-2014-8166, CVE-2017-18248.
- All vulnerabilities found in the
registry.gitlab.com/gitlab-org/security-products/dast/webgoat-8.0@sha256
container image with CVE ID CVE-2018-4180. - All vulnerabilities found in
your.private.registry:5000/centos
container with CVE IDs CVE-2015-1419, CVE-2015-1447.
File format
-
generalallowlist
block allows you to specify CVE IDs globally. All vulnerabilities with matching CVE IDs are excluded from the scan report. -
images
block allows you to specify CVE IDs for each container image independently. All vulnerabilities from the given image with matching CVE IDs are excluded from the scan report. The image name is retrieved from one of the environment variables used to specify the Docker image to be scanned, such as$CI_APPLICATION_REPOSITORY:$CI_APPLICATION_TAG
orCS_IMAGE
. The image provided in this block must match this value and must not include the tag value. For example, if you specify the image to be scanned usingCS_IMAGE=alpine:3.7
, then you would usealpine
in theimages
block, but you cannot usealpine:3.7
.You can specify container image in multiple ways:
- as image name only (such as
centos
). - as full image name with registry hostname (such as
your.private.registry:5000/centos
). - as full image name with registry hostname and sha256 label (such as
registry.gitlab.com/gitlab-org/security-products/dast/webgoat-8.0@sha256
).
- as image name only (such as
NOTE:
The string after CVE ID (cups
and libxml2
in the previous example) is an optional comment format. It has no impact on the handling of vulnerabilities. You can include comments to describe the vulnerability.
Container scanning job log format
You can verify the results of your scan and the correctness of your vulnerability-allowlist.yml
file by looking
at the logs that are produced by the container scanning analyzer in container_scanning
job details.
The log contains a list of found vulnerabilities as a table, for example:
+------------+-------------------------+------------------------+-----------------------+------------------------------------------------------------------------+
| STATUS | CVE SEVERITY | PACKAGE NAME | PACKAGE VERSION | CVE DESCRIPTION |
+------------+-------------------------+------------------------+-----------------------+------------------------------------------------------------------------+
| Approved | High CVE-2019-3462 | apt | 1.4.8 | Incorrect sanitation of the 302 redirect field in HTTP transport metho |
| | | | | d of apt versions 1.4.8 and earlier can lead to content injection by a |
| | | | | MITM attacker, potentially leading to remote code execution on the ta |
| | | | | rget machine. |
+------------+-------------------------+------------------------+-----------------------+------------------------------------------------------------------------+
| Unapproved | Medium CVE-2020-27350 | apt | 1.4.8 | APT had several integer overflows and underflows while parsing .deb pa |
| | | | | ckages, aka GHSL-2020-168 GHSL-2020-169, in files apt-pkg/contrib/extr |
| | | | | acttar.cc, apt-pkg/deb/debfile.cc, and apt-pkg/contrib/arfile.cc. This |
| | | | | issue affects: apt 1.2.32ubuntu0 versions prior to 1.2.32ubuntu0.2; 1 |
| | | | | .6.12ubuntu0 versions prior to 1.6.12ubuntu0.2; 2.0.2ubuntu0 versions |
| | | | | prior to 2.0.2ubuntu0.2; 2.1.10ubuntu0 versions prior to 2.1.10ubuntu0 |
| | | | | .1; |
+------------+-------------------------+------------------------+-----------------------+------------------------------------------------------------------------+
| Unapproved | Medium CVE-2020-3810 | apt | 1.4.8 | Missing input validation in the ar/tar implementations of APT before v |
| | | | | ersion 2.1.2 could result in denial of service when processing special |
| | | | | ly crafted deb files. |
+------------+-------------------------+------------------------+-----------------------+------------------------------------------------------------------------+
Vulnerabilities in the log are marked as Approved
when the corresponding CVE ID is added to the vulnerability-allowlist.yml
file.
Running container scanning in an offline environment
For self-managed GitLab instances in an environment with limited, restricted, or intermittent access to external resources through the internet, some adjustments are required for the container scanning job to successfully run. For more information, see Offline environments.
Requirements for offline container Scanning
To use container scanning in an offline environment, you need:
- GitLab Runner with the
docker
orkubernetes
executor. - To configure a local Docker container registry with copies of the container scanning images. You can find these images in their respective registries:
GitLab Analyzer | Container registry |
---|---|
Container-Scanning | Container-Scanning container registry |
GitLab Runner has a default pull policy
of always
,
meaning the runner tries to pull Docker images from the GitLab container registry even if a local
copy is available. The GitLab Runner pull_policy
can be set to if-not-present
in an offline environment if you prefer using only locally available Docker images. However, we
recommend keeping the pull policy setting to always
if not in an offline environment, as this
enables the use of updated scanners in your CI/CD pipelines.
Support for Custom Certificate Authorities
Support for custom certificate authorities for Trivy was introduced in version 4.0.0.
Make GitLab container scanning analyzer images available inside your Docker registry
For container scanning, import the following images from registry.gitlab.com
into your
local Docker container registry:
registry.gitlab.com/security-products/container-scanning:7
registry.gitlab.com/security-products/container-scanning/trivy:7
The process for importing Docker images into a local offline Docker registry depends on your network security policy. Consult your IT staff to find an accepted and approved process by which you can import or temporarily access external resources. These scanners are periodically updated, and you may be able to make occasional updates on your own.
For more information, see the specific steps on how to update an image with a pipeline.
For details on saving and transporting Docker images as a file, see the Docker documentation on
docker save
, docker load
,
docker export
, and docker import
.
Set container scanning CI/CD variables to use local container scanner analyzers
-
Override the container scanning template in your
.gitlab-ci.yml
file to refer to the Docker images hosted on your local Docker container registry:include: - template: Jobs/Container-Scanning.gitlab-ci.yml container_scanning: image: $CI_REGISTRY/namespace/container-scanning
-
If your local Docker container registry is running securely over
HTTPS
, but you're using a self-signed certificate, then you must setCS_DOCKER_INSECURE: "true"
in the abovecontainer_scanning
section of your.gitlab-ci.yml
.
Automating container scanning vulnerability database updates with a pipeline
We recommend that you set up a scheduled pipeline
to fetch the latest vulnerabilities database on a preset schedule.
Automating this with a pipeline means you do not have to do it manually each time. You can use the
following .gitlab-ci.yml
example as a template.
variables:
SOURCE_IMAGE: registry.gitlab.com/security-products/container-scanning:7
TARGET_IMAGE: $CI_REGISTRY/namespace/container-scanning
image: docker:latest
update-scanner-image:
services:
- docker:dind
script:
- docker pull $SOURCE_IMAGE
- docker tag $SOURCE_IMAGE $TARGET_IMAGE
- echo "$CI_REGISTRY_PASSWORD" | docker login $CI_REGISTRY --username $CI_REGISTRY_USER --password-stdin
- docker push $TARGET_IMAGE
The above template works for a GitLab Docker registry running on a local installation. However, if
you're using a non-GitLab Docker registry, you must change the $CI_REGISTRY
value and the
docker login
credentials to match your local registry's details.
Scan images in external private registries
To scan an image in an external private registry, you must configure access credentials so the container scanning analyzer can authenticate itself before attempting to access the image to scan.
If you use the GitLab Container Registry,
the CS_REGISTRY_USER
and CS_REGISTRY_PASSWORD
configuration variables
are set automatically and you can skip this configuration.
This example shows the configuration needed to scan images in a private Google Container Registry:
include:
- template: Jobs/Container-Scanning.gitlab-ci.yml
container_scanning:
variables:
CS_REGISTRY_USER: _json_key
CS_REGISTRY_PASSWORD: "$GCP_CREDENTIALS"
CS_IMAGE: "gcr.io/path-to-you-registry/image:tag"
Before you commit this configuration, add a CI/CD variable
for GCP_CREDENTIALS
containing the JSON key, as described in the
Google Cloud Platform Container Registry documentation.
Also:
- The value of the variable may not fit the masking requirements for the Mask variable option, so the value could be exposed in the job logs.
- Scans may not run in unprotected feature branches if you select the Protect variable option.
- Consider creating credentials with read-only permissions and rotating them regularly if the options aren't selected.
Scanning images in external private registries is not supported when FIPS mode is enabled.
Create and use a Trivy Java database mirror
When the trivy
scanner is used and a jar
file is encountered in a container image being scanned, trivy
downloads an additional trivy-java-db
vulnerability database. By default, the trivy-java-db
database is hosted as an OCI artifact at ghcr.io/aquasecurity/trivy-java-db:1
. If this registry is not accessible, for example in a network-isolated offline GitLab instance, one solution is to mirror the trivy-java-db
to a container registry that can be accessed in the offline instance:
mirror trivy java db:
image:
name: ghcr.io/oras-project/oras:v1.1.0
entrypoint: [""]
script:
- oras login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
- oras pull ghcr.io/aquasecurity/trivy-java-db:1
- oras push $CI_REGISTRY_IMAGE:1 --config /dev/null:application/vnd.aquasec.trivy.config.v1+json javadb.tar.gz:application/vnd.aquasec.trivy.javadb.layer.v1.tar+gzip
The vulnerability database is not a regular Docker image, so it is not possible to pull it by using docker pull
.
The image shows an error if you go to it in the GitLab UI.
If the above container registry is gitlab.example.com/trivy-java-db-mirror
, then the container scanning job should be configured in the following way. Do not add the tag :1
at the end, it is added by trivy
:
include:
- template: Jobs/Container-Scanning.gitlab-ci.yml
container_scanning:
variables:
CS_TRIVY_JAVA_DB: gitlab.example.com/trivy-java-db-mirror
Running the standalone container scanning tool
It's possible to run the GitLab container scanning tool against a Docker container without needing to run it within the context of a CI job. To scan an image directly, follow these steps:
-
Run Docker Desktop or Docker Machine.
-
Run the analyzer's Docker image, passing the image and tag you want to analyze in the
CI_APPLICATION_REPOSITORY
andCI_APPLICATION_TAG
variables:docker run \ --interactive --rm \ --volume "$PWD":/tmp/app \ -e CI_PROJECT_DIR=/tmp/app \ -e CI_APPLICATION_REPOSITORY=registry.gitlab.com/gitlab-org/security-products/dast/webgoat-8.0@sha256 \ -e CI_APPLICATION_TAG=bc09fe2e0721dfaeee79364115aeedf2174cce0947b9ae5fe7c33312ee019a4e \ registry.gitlab.com/security-products/container-scanning
The results are stored in gl-container-scanning-report.json
.
Reports JSON format
The container scanning tool emits JSON reports which the GitLab Runner
recognizes through the artifacts:reports
keyword in the CI configuration file.
Once the CI job finishes, the Runner uploads these reports to GitLab, which are then available in the CI Job artifacts. In GitLab Ultimate, these reports can be viewed in the corresponding pipeline and become part of the Vulnerability Report.
These reports must follow a format defined in the security report schemas. See:
For more information, see Security scanner integration.
CycloneDX Software Bill of Materials
- Introduced in GitLab 15.11.
In addition to the JSON report file, the Container Scanning tool outputs a CycloneDX Software Bill of Materials (SBOM) for the scanned image. This CycloneDX SBOM is named gl-sbom-report.cdx.json
and is saved in the same directory as the JSON report file
. This feature is only supported when the Trivy
analyzer is used.
This report can be viewed in the Dependency List.
You can download CycloneDX SBOMs the same way as other job artifacts.
Container Scanning For Registry
DETAILS: Tier: Ultimate Offering: GitLab.com, Self-managed, GitLab Dedicated
- Introduced in GitLab 17.1 with a flag named
container_scanning_for_registry_flag
. Disabled by default.
FLAG: The availability of this feature is controlled by a feature flag. For more information, see the history.
When an image is pushed with the latest
tag, a container scanning job is automatically triggered against the default branch of the project.
Unlike regular Container Scanning, the scan results do not include a security report. Instead, Container Scanning for Registry relies on Continuous Vulnerability Scanning to inspect the components detected by the scan.
When security findings are identified, GitLab generates vulnerabilities in the project. These vulnerabilities can be viewed under Container registry vulnerabilities
tab on the Vulnerability Report page.
By default there is a limit of 50
scans per project per day.
Prerequisites
- Ensure that the security configuration Container Scanning For Registry is enabled.
- The project must contain a repository. Note that if you are utilizing an empty project solely for storing container images, this feature won't function as intended. As a workaround, ensure the project has an initial commit on the default branch.
Security Dashboard
The Security Dashboard shows you an overview of all the security vulnerabilities in your groups, projects and pipelines.
Vulnerabilities database
All analyzer images are updated daily.
The images use data from upstream advisory databases:
- AlmaLinux Security Advisory
- Amazon Linux Security Center
- Arch Linux Security Tracker
- SUSE CVRF
- CWE Advisories
- Debian Security Bug Tracker
- GitHub Security Advisory
- Go Vulnerability Database
- CBL-Mariner Vulnerability Data
- NVD
- OSV
- Red Hat OVAL v2
- Red Hat Security Data API
- Photon Security Advisories
- Rocky Linux UpdateInfo
- Ubuntu CVE Tracker (only data sources from mid 2021 and later)
In addition to the sources provided by these scanners, GitLab maintains the following vulnerability databases:
- The proprietary GitLab Advisory Database.
- The open source GitLab Advisory Database (Open Source Edition).
In the GitLab Ultimate tier, the data from the GitLab Advisory Database is merged in to augment the data from the external sources. In the GitLab Premium and Free tiers, the data from the GitLab Advisory Database (Open Source Edition) is merged in to augment the data from the external sources. This augmentation currently only applies to the analyzer images for the Trivy scanner.
Database update information for other analyzers is available in the maintenance table.
Interacting with the vulnerabilities
After a vulnerability is found, you can address it.
Solutions for vulnerabilities (auto-remediation)
DETAILS: Tier: Ultimate Offering: GitLab.com, Self-managed, GitLab Dedicated
Some vulnerabilities can be fixed by applying the solution that GitLab automatically generates.
To enable remediation support, the scanning tool must have access to the Dockerfile
specified by
the CS_DOCKERFILE_PATH
CI/CD variable. To ensure that the scanning tool
has access to this
file, it's necessary to set GIT_STRATEGY: fetch
in
your .gitlab-ci.yml
file by following the instructions described in this document's
overriding the container scanning template section.
Read more about the solutions for vulnerabilities.
Troubleshooting
docker: Error response from daemon: failed to copy xattrs
When the runner uses the docker
executor and NFS is used
(for example, /var/lib/docker
is on an NFS mount), container scanning might fail with
an error like the following:
docker: Error response from daemon: failed to copy xattrs: failed to set xattr "security.selinux" on /path/to/file: operation not supported.
This is a result of a bug in Docker which is now fixed.
To prevent the error, ensure the Docker version that the runner is using is
18.09.03
or higher. For more information, see
issue #10241.
gl-container-scanning-report.json: no matching files
Getting warning message For information on this, see the general Application Security troubleshooting section.
unexpected status code 401 Unauthorized: Not Authorized
when scanning an image from AWS ECR
This might happen when AWS region is not configured and the scanner cannot retrieve an authorization token. When you set SECURE_LOG_LEVEL
to debug
you will see a log message like below:
[35mDEBUG[0m failed to get authorization token: MissingRegion: could not find region configuration
To resolve this, add the AWS_DEFAULT_REGION
to your CI/CD variables:
variables:
AWS_DEFAULT_REGION: <AWS_REGION_FOR_ECR>
unable to open a file: open /home/gitlab/.cache/trivy/ee/db/metadata.json: no such file or directory
The compressed Trivy database is stored in the /tmp
folder of the container and it is extracted to /home/gitlab/.cache/trivy/{ee|ce}/db
at runtime. This error can happen if you have a volume mount for /tmp
directory in your runner configuration.
To resolve this, instead of binding the /tmp
folder, bind specific files or folders in /tmp
(for example /tmp/myfile.txt
).
context deadline exceeded
error
Resolving This error means a timeout occurred. To resolve it, add the TRIVY_TIMEOUT
environment variable to the container_scanning
job with a sufficiently long duration.
Max allowed age is 5 days error
When you try to use the Grype scanner, you might encounter the following error:
1 error occurred: db could not be loaded: the vulnerability database was built 1 week ago (max allowed age is 5 days)
To resolve this issue, in the Container_Scanning job, set the variable GRYPE_DB_VALIDATE_AGE
to false
.
Changes
Changes to the container scanning analyzer can be found in the project's changelog.