Configuring image and configuration file scan settings
3 July 2024
ID 259284
To scan images or repositories (in order to scan configuration files) used in the CI/CD process, add a stage to the CI/CD pipeline that runs the Kaspersky Container Security scanner. The scanning results are forwarded to the Kaspersky Container Security Server and are displayed in the Management console in the Resources → CI/CD section.
Data transferred between the CI/CD environment and the product must be protected from eavesdropping and interception of network traffic.
Example of configuring integration with GitLab CI/CD
This example uses a specific scanner image with the built-in vulnerability databases located in the image registry of the Kaspersky Container Security manufacturer.
To use the image scanning feature in the GitLab CI/CD process, you should enable the use of the GitLab Container Registry.
Integration configuration includes the following steps:
1. Authorization of GitLab CI/CD in the image registry of the Kaspersky Container Security manufacturer.
   a. On the cluster operator's workstation, prepare a Base64 hash of the authorization data by running the following command:
      printf "login:password" | openssl base64 -A
      where login and password are the user name and password of an account in the image registry of the Kaspersky Container Security manufacturer.
   b. In the GitLab CI/CD environment variables, create the DOCKER_AUTH_CONFIG variable (in the GitLab repository select Settings → CI/CD, click the Expand button to expand Variables, and then click the Add variable button).
   c. Specify the variable in the following form:
      {
        "auths": {
          "repo.cloud.tronsec.ru": {
            "auth": "base64hash"
          }
        }
      }
      where base64hash is the string obtained in step 1a.
2. Authorization of requests from GitLab CI/CD when sending data to Kaspersky Container Security.
   a. On the cluster operator's workstation, prepare a Base64 hash of the authorization data by running the following command:
      printf "login:password" | openssl base64 -A
      where login and password are the user name and password of an account in the image registry of the Kaspersky Container Security manufacturer.
   b. Specify the resulting hash in the API_TOKEN variable in the .gitlab-ci.yml configuration file.
3. Adding the image scanning stage to the CI/CD process.
   To add scanning to the CI/CD pipeline, add the following lines to the .gitlab-ci.yml file:
   a. Add the information about the image for scanning after the build preparation as follows:
      scan_image:
        stage: scanner
        image:
          name: repo.cloud.tronsec.ru/repository/tron-customer/scanner:v1.0.1-with-db
          entrypoint: [""]
   b. Specify the tag and the token for authorization of the CI/CD scanner requests to Kaspersky Container Security. The example below contains the master tag; you can also specify another tag.
        variables:
          SCAN_TARGET: ${CI_REGISTRY_IMAGE}:master
          API_TOKEN: base64hash
   c. If you configure scanning for a private repository, specify the authorization data so that the scanner can access the image. The authorization data can be set as variables:
          TRON_EXT_REGISTRY_USERNAME: ${TRON_EXT_REGISTRY_USERNAME}
          TRON_EXT_REGISTRY_PASSWORD: ${TRON_EXT_REGISTRY_PASSWORD}
   d. Specify the domain name of the Kaspersky Container Security Management console in your corporate network:
          API_BASE_URL: <domain name>
   e. The job then runs the scanner against the target image and stores the result as a pipeline artifact:
        script:
          - /bin/sh /entrypoint.sh $SCAN_TARGET --stdout > artifact-result.json
        artifacts:
          paths:
            - artifact-result.json
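The following script is an added example, not code from the Kaspersky Container Security documentation or product. It assembles the two pieces of authorization data from steps 1 and 2 and emits the complete scan_image job from step 3, so the pieces above can be checked end to end before they are pasted into GitLab. Assumptions: the credentials login/password and the console host name kcs.example.internal are constructed placeholders; the job reads API_TOKEN from a masked GitLab CI/CD variable instead of writing the hash into .gitlab-ci.yml, which is this example's choice rather than the page's prescribed step 2b.

```shell
#!/bin/sh
# Added example (not part of the Kaspersky documentation).
set -e

# Base64-encode stdin as a single line. Uses the openssl form from the page
# and falls back to coreutils base64 when openssl is not installed.
b64_oneline() {
  if command -v openssl >/dev/null 2>&1; then
    openssl base64 -A
  else
    base64 | tr -d '\n'
  fi
}

# Step 1a / 2a: "login:password" -> Base64 string for the "auth" field.
registry_auth_hash() {
  printf '%s:%s' "$1" "$2" | b64_oneline
}

# Step 1c: the DOCKER_AUTH_CONFIG value for the given registry host.
# $1 = registry host, $2 = login, $3 = password.
docker_auth_config() {
  printf '{"auths":{"%s":{"auth":"%s"}}}' "$1" "$(registry_auth_hash "$2" "$3")"
}

# Step 3: the scan_image job. $1 = image tag, $2 = console domain name.
# API_TOKEN is taken from a masked CI/CD variable (assumption of this example).
scan_job_yaml() {
  cat <<EOF
scan_image:
  stage: scanner
  image:
    name: repo.cloud.tronsec.ru/repository/tron-customer/scanner:v1.0.1-with-db
    entrypoint: [""]
  variables:
    SCAN_TARGET: \${CI_REGISTRY_IMAGE}:$1
    API_TOKEN: \${API_TOKEN}
    API_BASE_URL: $2
  script:
    - /bin/sh /entrypoint.sh \$SCAN_TARGET --stdout > artifact-result.json
  artifacts:
    paths:
      - artifact-result.json
EOF
}

# Stand-alone demo with constructed placeholder values.
docker_auth_config repo.cloud.tronsec.ru login password
echo
scan_job_yaml master kcs.example.internal
```

The DOCKER_AUTH_CONFIG JSON printed by the first call is what goes into the GitLab variable of step 1b; the YAML from the second call is the job of step 3 with the master tag, and the private-registry variables from step 3c can be appended under variables: in the same way when the scanned repository is not public.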