Wrap Clair scanner execution into our own container scanning tool

Problem to solve

Currently the Container Scanning feature relies directly on Clair scanner. This has several drawbacks, since any change requires updating the job definition (which is painful for our users):

  • we can't easily update how we execute the tool
  • we can't extend the report to our needs
  • we can't switch to another tool or add a new one

Target audience

All customers using Container Scanning.

Further details

By using our own wrapper we'll be free to update many aspects of the feature and cleanly version our changes.

Proposal

Create https://gitlab.com/gitlab-org/security-products/container-scanning (as for SAST, dependency-scanning and DAST).

This project will execute Clair scanner under the hood and generate a report compatible with our Common Analyzers API.

NB: The report generated by Clair must be filtered to remove the whitelisted items. See https://gitlab.com/gitlab-org/gitlab-ee/issues/9251 for more details.
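As an added illustration of the whitelist filtering step (this is example code, not the container-scanning project's own wrapper), the snippet below takes a report in the JSON layout that clair-scanner emits and a whitelist in clair-scanner's layout (a global `generalwhitelist` map plus per-image maps, loaded here as a plain dict), drops the whitelisted vulnerabilities, and keeps a record of what was removed so the wrapper can still show them separately. The image name, package names and `CVE-EXAMPLE-*` identifiers are constructed placeholders; the exact key names and the exact-match on the image string are assumptions about the input format.

```python
"""Filter a Clair scanner report against a whitelist (added example).

Assumed input layout (clair-scanner style, not verified against the page):
  report    -> {"image": str, "vulnerabilities": [{"vulnerability": str,
                "featurename": str, "severity": str, ...}, ...]}
  whitelist -> {"generalwhitelist": {cve: reason}, "images": {image: {cve: reason}}}
"""
from collections import Counter

# Constructed sample report; the identifiers are placeholders, not real CVEs.
SAMPLE_REPORT = {
    "image": "registry.example.com/app:1.0",
    "vulnerabilities": [
        {"vulnerability": "CVE-EXAMPLE-0001", "featurename": "libfoo",
         "featureversion": "1.2", "severity": "High", "fixedby": "1.3"},
        {"vulnerability": "CVE-EXAMPLE-0002", "featurename": "libbar",
         "featureversion": "0.9", "severity": "Medium", "fixedby": ""},
        {"vulnerability": "CVE-EXAMPLE-0003", "featurename": "libbaz",
         "featureversion": "2.0", "severity": "Low", "fixedby": "2.1"},
    ],
}

# Constructed sample whitelist: one global entry, one image-specific entry.
SAMPLE_WHITELIST = {
    "generalwhitelist": {"CVE-EXAMPLE-0001": "accepted risk, not reachable"},
    "images": {
        "registry.example.com/app:1.0": {"CVE-EXAMPLE-0002": "no fix available"},
    },
}


def whitelisted_ids(whitelist: dict, image: str) -> set:
    """Collect the CVE ids whitelisted globally or for this exact image."""
    allowed = set(whitelist.get("generalwhitelist") or {})
    per_image = whitelist.get("images") or {}
    allowed.update(per_image.get(image) or {})
    return allowed


def filter_report(report: dict, whitelist: dict) -> dict:
    """Return a new report without whitelisted findings.

    Removed findings are kept under "whitelisted" so the wrapper can still
    list them (with the whitelist reason) without counting them as open.
    """
    image = report.get("image", "")
    allowed = whitelisted_ids(whitelist, image)
    reasons = dict(whitelist.get("generalwhitelist") or {})
    reasons.update((whitelist.get("images") or {}).get(image) or {})

    kept, dropped = [], []
    for vuln in report.get("vulnerabilities", []):
        cve = vuln.get("vulnerability", "")
        if cve in allowed:
            dropped.append({**vuln, "whitelist_reason": reasons.get(cve, "")})
        else:
            kept.append(dict(vuln))
    return {"image": image, "vulnerabilities": kept, "whitelisted": dropped}


def severity_counts(filtered: dict) -> dict:
    """Count the remaining (non-whitelisted) findings per severity."""
    return dict(Counter(v.get("severity", "Unknown")
                        for v in filtered["vulnerabilities"]))


if __name__ == "__main__":
    result = filter_report(SAMPLE_REPORT, SAMPLE_WHITELIST)
    print("open findings:", [v["vulnerability"] for v in result["vulnerabilities"]])
    print("whitelisted:", [v["vulnerability"] for v in result["whitelisted"]])
    print("by severity:", severity_counts(result))
```

Keeping the dropped entries in a separate `whitelisted` list, rather than discarding them, lets the report show the whitelist reason next to each suppressed finding and makes a silently over-broad whitelist easy to spot in review.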

This also means adapting the frontend to handle the new report structure, as some places still use the artifact directly.

Since this new project is maintained by the ~Secure team, its release process should be covered in the release project.

What does success look like, and how can we measure that?

Container Scanning job definition uses our own wrapper tool.

Links / references

Execution

  • [ ] Create a test project for Container Scanning under https://gitlab.com/gitlab-org/security-products/tests; a WIP MR is already in progress (execution status here). Extracted into a separate issue: #10915 (closed)
  • Create a project for Container Scanning (copy structure from DAST)
  • Update the Container Scanning vendored template to use the Container Scanning Docker image (copy approach from License Management)
  • Update the release and QA process to include the new Container Scanning tool
Edited Apr 08, 2019 by Victor Zagorodny