This GitLab instance reached the end of its service life. It won't be possible to create new users or projects.

Please read the deprecation notice for more information concerning the deprecation timeline

Visit (internal network only) to import your old projects to the new GitLab platform 📥

Static Application Security Testing for Docker containers with GitLab CI/CD

You can check your Docker images (or more precisely the containers) for known vulnerabilities by using Clair and clair-scanner, two open source tools for Vulnerability Static Analysis for containers.

All you need is a GitLab Runner with the Docker executor (the shared Runners on will work fine). You can then add a new job to .gitlab-ci.yml, called sast:container:

  image: docker:latest
    DOCKER_DRIVER: overlay2
    ## Define two new variables based on GitLab's CI/CD predefined variables
  allow_failure: true
    - docker:dind
    - docker run -d --name db arminc/clair-db:latest
    - docker run -p 6060:6060 --link db:postgres -d --name clair arminc/clair-local-scan:v2.0.1
    - apk add -U wget ca-certificates
    - wget
    - mv clair-scanner_linux_amd64 clair-scanner
    - chmod +x clair-scanner
    - touch clair-whitelist.yml
    - ./clair-scanner -c http://docker:6060 --ip $(hostname -i) -r gl-sast-container-report.json -l clair.log -w clair-whitelist.yml ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG} || true
    paths: [gl-sast-container-report.json]

The above example will create a sast:container job in your CI/CD pipeline, pull the image from the Container Registry (whose name is defined from the two CI_APPLICATION_ variables) and scan it for possible vulnerabilities. The report will be saved as an artifact that you can later download and analyze.

If you want to whitelist some specific vulnerabilities, you can do so by defining them in a YAML file, in our case its named clair-whitelist.yml.

TIP: Tip: Starting with GitLab Enterprise Edition Ultimate 10.4, this information will be automatically extracted and shown right in the merge request widget. To do so, the CI/CD job must be named sast:container and the artifact path must be gl-sast-container-report.json. Learn more on application security testing results shown in merge requests.