[CS For Registry] Add CS pipeline event on registry push
Description
- Initiate a container scanning pipeline job upon a new image push event to the registry if the following conditions are met:
- Security configuration is enabled.
- Feature flag is enabled.
- The tag is "latest".
- The feature should be behind FF CS_FOR_REGISTRY.
- Introduce a new CS configuration (env variable) to identify jobs triggered from registry events.
- The scheduling should align with the user's permissions who are pushing to the registry.
- Ensure thorough examination of the available CS variables/settings.
- Identify and report findings to parent epic regarding the impact of user-set CS configuration (environment variable).
- Identify and report findings to parent epic about the overridden customized CI template.
- Identify and report to the parent epic what happens to old components when a new image is pushed with the same tag, per current behavior.
User Impact
This setting should be placed under a development feature flag to ensure no user impact occurs until the FF is enabled. Once the FF is activated, the pipeline should be scheduled for users with enabled security configurations and an image tagged as "latest".
Non-functional requirements
- Feature flag: The feature should be behind FF.
- Testing: Add unit tests/specs.
Implementation plan
- Add an event to the ContainerRegistry::Event model that should trigger on any registry push event.
- Add a condition on supported_tags (latest tag for now) and the FF being enabled to trigger the CS pipeline.
- Check the necessary permissions to start the CS job on the default branch.
- Start the job.
- Sample code:

```ruby
# Sketch: schedule a Container Scanning pipeline on the project's default branch,
# run as the pushing user, from a generated CI config that includes the CS template.
def schedule_cs_pipeline(project, user)
  ci_config = {
    'include' => [{ 'template' => 'Security/Container-Scanning.gitlab-ci.yml' }],
    'container_scanning' => {
      'stage' => 'test',
      'variables' => {
        'CS_DISABLE_DEPENDENCY_SCAN' => 'false',
        'GIT_STRATEGY' => 'fetch',
        'SECURE_LOG_LEVEL' => 'debug',
        'CS_IMAGE' => 'debian:bullseye'
      }
    }
  }
  service = Ci::CreatePipelineService.new(project, user, ref: project.default_branch_or_main)
  response = service.execute(:push, content: ci_config.to_yaml)
  pipeline = response.payload
  puts pipeline.created_successfully?
  pipeline
end
```
- Make sure the tracking happens for all tags pushed for an image with latest tag.
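As an added example (not GitLab's code and not the sample above), the gating logic from the plan in one place: the FF, the security configuration, supported_tags and the pushing user's permission on the default branch are checked before anything is scheduled. The GitLab models are replaced by plain structs, Ci::CreatePipelineService by an injected callable, and the project path, branch permissions and push events are constructed here.

```ruby
require 'yaml'

SUPPORTED_TAGS = %w[latest].freeze # only the "latest" tag for now, as the issue says

# Plain stand-ins for the GitLab models the real event handler would receive (assumed shapes).
Project   = Struct.new(:path, :default_branch, :security_config_enabled, :feature_flags)
User      = Struct.new(:name, :pipeline_branches) # branches this user may create pipelines on
PushEvent = Struct.new(:project, :user, :tag)

# Returns [true, 'ok'] or [false, reason], applying every gate from the implementation plan.
def cs_pipeline_decision(event)
  project, user, tag = event.project, event.user, event.tag
  return [false, 'FF CS_FOR_REGISTRY is disabled'] unless project.feature_flags.include?(:cs_for_registry)
  return [false, 'security configuration is disabled'] unless project.security_config_enabled
  return [false, "tag #{tag} is not a supported tag"] unless SUPPORTED_TAGS.include?(tag)
  branch = project.default_branch
  return [false, "#{user.name} may not create pipelines on #{branch}"] unless user.pipeline_branches.include?(branch)
  [true, 'ok']
end

# CI config for the scan, pointing CS_IMAGE at the image that was just pushed.
def cs_ci_config(event)
  { 'include' => [{ 'template' => 'Security/Container-Scanning.gitlab-ci.yml' }],
    'container_scanning' => {
      'stage' => 'test',
      'variables' => { 'CS_IMAGE' => "#{event.project.path}:#{event.tag}" } } }
end

# create_pipeline stands in for Ci::CreatePipelineService and receives (project, user, ref, yaml);
# the pipeline is scheduled on the default branch, as the pushing user.
def handle_registry_push(event, create_pipeline:)
  ok, reason = cs_pipeline_decision(event)
  return { scheduled: false, reason: reason } unless ok
  ref = event.project.default_branch
  create_pipeline.call(event.project, event.user, ref, cs_ci_config(event).to_yaml)
  { scheduled: true, reason: reason, ref: ref }
end

# Constructed sample data: FF on, security config on, pusher allowed on main.
PROJECT  = Project.new('registry.example/group/app', 'main', true, [:cs_for_registry])
PUSHER   = User.new('dev', ['main'])
CALLS    = [] # records what the fake pipeline service was asked to create
FAKE_SVC = ->(project, user, ref, yaml) { CALLS << [project.path, user.name, ref, YAML.safe_load(yaml)] }

if __FILE__ == $PROGRAM_NAME
  p handle_registry_push(PushEvent.new(PROJECT, PUSHER, 'latest'), create_pipeline: FAKE_SVC)
  p handle_registry_push(PushEvent.new(PROJECT, PUSHER, 'v1.2'), create_pipeline: FAKE_SVC)
end
```

The decision function returns the reason a push was skipped so the same value can be logged or surfaced when verifying the FF-off case.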
Verification steps
- Turn on the FF.
- Upload an image to the registry tagged as 'latest'.
- Verify that a new pipeline is scheduled including a Container Scanning task for the uploaded image.
- Disable the FF.
- Upload an image to the registry tagged as 'latest'.
- Confirm that the pipeline remains unscheduled.
Edited by Aditya Tiwari