Add new GitLab CI template for Cluster Image Scanning
Why are we doing this work
We want to allow customers to collect vulnerabilities from images in running Kubernetes clusters so they can understand their current security risk not only for images that are scanned as part of a CI pipeline, but also for images that were deployed without using GitLab CI.
You can find more about our motivation to work on this issue here.
This issue is about creating a new Security template in the lib/gitlab/ci/templates/Security/ folder that uses an analyzer to fetch vulnerabilities from a connected Kubernetes cluster. You can see a Proof of Concept of this template here: https://gitlab.com/mparuszewski/live-container-scanning-test.
Relevant links
Non-functional requirements
- Documentation: the new template should be documented in https://docs.gitlab.com/ee/user/application_security/#security-scanning-tools
- [-] Feature flag: no feature flag is needed, as this is something that users will optionally select by including the GitLab CI template
- [-] Performance:
- Testing:
  - Test that you can fetch vulnerabilities from a Kubernetes cluster and prepare a JSON report with them in GitLab format
Implementation plan
- backend: create the new template in the lib/gitlab/ci/templates/Security/ folder, so customers can include it to fetch vulnerabilities from connected clusters
- backend: remember to add the CLUSTER_IMAGE_DISABLED variable, so users can easily disable this
- documentation: add initial documentation to https://docs.gitlab.com/ee/user/application_security/#security-scanning-tools
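An added example (not the project's template and not the proof of concept linked above) of how such a Security template could wire the CLUSTER_IMAGE_DISABLED opt-out and the report artifact together; the analyzer image, the analyzer command, the kubeconfig handling and the report key and file name are assumptions, while CLUSTER_IMAGE_DISABLED is the variable named in the plan above:

```yaml
# Added example, not the project's Cluster-Image-Scanning template.
# Assumptions: the analyzer image and tag, the analyzer command, and the
# report key/file name are placeholders. CLUSTER_IMAGE_DISABLED is the
# opt-out variable named in the implementation plan.
variables:
  # Placeholder analyzer image (assumption); pin a specific tag in a real template.
  CLUSTER_IMAGE_SCANNING_ANALYZER_IMAGE: "registry.example.com/cluster-image-scanning:PLACEHOLDER_TAG"

cluster_image_scanning:
  stage: test
  image: "$CLUSTER_IMAGE_SCANNING_ANALYZER_IMAGE"
  variables:
    # The analyzer talks to the cluster, not to the repository, so skip the checkout.
    GIT_STRATEGY: none
  # Cluster credentials (for example a kubeconfig) are expected from a masked,
  # protected CI/CD variable set by the user, never committed to the template,
  # so they are only exposed to jobs on protected refs and never echoed to logs.
  #
  # Findings are reported, not enforced, so a scan failure must not block the pipeline.
  allow_failure: true
  dependencies: []
  script:
    # Hypothetical analyzer entry point; the real command depends on the analyzer chosen.
    - /analyzer run
  artifacts:
    # Assumed report key and file name; the file must be in the GitLab security report JSON format.
    reports:
      cluster_image_scanning: gl-cluster-image-scanning-report.json
    paths:
      - gl-cluster-image-scanning-report.json
  rules:
    # Opt-out switch from the implementation plan: any non-empty value skips the job.
    - if: $CLUSTER_IMAGE_DISABLED
      when: never
    # Run on branch pipelines only, mirroring the rule used by other Security templates.
    - if: $CI_COMMIT_BRANCH
```

Users include the template as usual and, when they want to switch the scan off, set CLUSTER_IMAGE_DISABLED in their project or pipeline variables.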
Edited by Sashi Kumar Kumaresan