
Add cluster image scanning to scan policies

What does this MR do?

In this MR we are adding new scans to Security Policies: Cluster Image Scanning and Container Scanning. This allows us to enforce running the Cluster Image Scanning and Container Scanning scans defined in the policy, or to schedule scans to run periodically.

Video

https://youtu.be/z0p-0XJzbqg

How to set up and validate locally (strongly suggested)

  1. Create a new project.
  2. Go to the GraphQL Explorer and create a new Security Policy project:
mutation {
  securityPolicyProjectCreate(input: { projectPath: "root/cis-policy-test" }) {
    errors
    project {
      webUrl
    }
  }
}
  3. Go to the Web IDE of the newly created project, update the .gitlab/security-policies/policy.yml file, and observe what happens to the jobs defined for pipelines created for the project created in step 1.

Examples:

Enforce running the container_scanning scan when a new pipeline is created (manually triggered, from an MR, etc.):

---
scan_execution_policy:
- name: Enforce Container scanning
  description: This policy enforces pipeline configuration to have a job with Container scanning scan
  enabled: true
  rules:
  - type: pipeline
    branches:
    - main
  actions:
  - scan: container_scanning

Enforce running the cluster_image_scanning scan when a new pipeline is created (manually triggered, from an MR, etc.); you need to have the CIS_KUBECONFIG CI/CD variable configured (https://docs.gitlab.com/ee/user/application_security/cluster_image_scanning/index.html#configuring-the-cluster):

---
scan_execution_policy:
- name: Enforce Container scanning
  description: This policy enforces pipeline configuration to have a job with Container scanning scan
  enabled: true
  rules:
  - type: pipeline
    branches:
    - main
  actions:
  - scan: cluster_image_scanning

Schedule running the cluster_image_scanning scan on the provided cadence (it will start scanning the cluster defined in GitLab under the name production):

---
scan_execution_policy:
- name: Enforce Container scanning
  description: This policy enforces pipeline configuration to have a job with Container scanning scan
  enabled: true
  rules:
  - type: schedule
    cadence: "*/5 * * * *"
    clusters:
      production: {}
  actions:
  - scan: cluster_image_scanning

Schedule running the cluster_image_scanning scan on the provided cadence (it will start scanning the cluster defined in GitLab under the name production). Test multiple scenarios: when there is no cluster defined in GitLab, when there is a cluster with a different name, etc.:

---
scan_execution_policy:
- name: Enforce Container scanning
  description: This policy enforces pipeline configuration to have a job with Container scanning scan
  enabled: true
  rules:
  - type: schedule
    cadence: "*/5 * * * *"
    clusters:
      production: {}
  actions:
  - scan: container_scanning

Schedule running the cluster_image_scanning scan on the provided cadence (it will start scanning the cluster defined in GitLab under the name production). Test whether the CI variables are added:

---
scan_execution_policy:
- name: Enforce Container scanning
  description: This policy enforces pipeline configuration to have a job with Container scanning scan
  enabled: true
  rules:
  - type: schedule
    cadence: "*/5 * * * *"
    clusters:
      production:
        containers:
        - nginx
        - falco
        resources:
        - nginx-www
        - nginx-admin
        namespaces:
        - gitlab-production
        - cluster-apps
        kinds:
        - deployment
        - daemonset
  actions:
  - scan: container_scanning
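A small linter for policy.yml documents of the shape shown in the examples above, added here as an illustration; it is not part of this MR and not GitLab's own policy validation. It works on the structure yaml.safe_load returns for such a file, so the sample document is constructed inline (the first example, a scheduled cluster scan modelled on the last example, and one deliberately broken policy) and the script runs without PyYAML. The cron-field grammar, the duplicate-name check and the set of accepted scan types are this example's assumptions; GitLab's schema is the authority for what the file may contain.

```python
import re

# Scan types this MR adds; extend for the other scan types your GitLab version supports.
KNOWN_SCANS = {"container_scanning", "cluster_image_scanning"}
RULE_TYPES = {"pipeline", "schedule"}
# Per-cluster filter keys used in the MR's last example.
CLUSTER_FILTER_KEYS = {"containers", "resources", "namespaces", "kinds"}
# One cron field: "*", "n", "n-m", any of those with "/step", or a comma list (assumed grammar).
_CRON_FIELD = re.compile(r"^(\*|\d+(-\d+)?)(/\d+)?(,(\*|\d+(-\d+)?)(/\d+)?)*$")


def valid_cadence(cadence):
    """True if `cadence` is a five-field cron expression like '*/5 * * * *'."""
    if not isinstance(cadence, str):
        return False
    fields = cadence.split()
    return len(fields) == 5 and all(_CRON_FIELD.match(f) for f in fields)


def lint_policy(policy, index):
    """Return the problems found in one entry of scan_execution_policy."""
    problems = []
    label = policy.get("name") or f"policy[{index}]"
    if not policy.get("name"):
        problems.append(f"{label}: missing name")
    if policy.get("enabled") is not True:
        problems.append(f"{label}: enabled must be true for the policy to apply")
    scans = [action.get("scan") for action in policy.get("actions") or []]
    if not scans:
        problems.append(f"{label}: no actions")
    for scan in scans:
        if scan not in KNOWN_SCANS:
            problems.append(f"{label}: unknown scan {scan!r}")
    rules = policy.get("rules") or []
    if not rules:
        problems.append(f"{label}: no rules")
    for rule in rules:
        rule_type = rule.get("type")
        if rule_type not in RULE_TYPES:
            problems.append(f"{label}: unknown rule type {rule_type!r}")
        elif rule_type == "pipeline":
            if not rule.get("branches"):
                problems.append(f"{label}: pipeline rule has no branches")
        else:  # schedule rule: cron cadence plus optional per-cluster filters
            cadence = rule.get("cadence")
            if not valid_cadence(cadence):
                problems.append(f"{label}: schedule rule has invalid cadence {cadence!r}")
            for cluster, filters in (rule.get("clusters") or {}).items():
                unknown = sorted(set(filters or {}) - CLUSTER_FILTER_KEYS)
                if unknown:
                    problems.append(f"{label}: cluster {cluster!r} has unknown keys {unknown}")
    return problems


def lint_document(doc):
    """Lint a loaded policy.yml (the structure yaml.safe_load returns)."""
    policies = doc.get("scan_execution_policy") if isinstance(doc, dict) else None
    if not isinstance(policies, list):
        return ["scan_execution_policy must be a list of policies"]
    problems, seen = [], set()
    for i, policy in enumerate(policies):
        if not isinstance(policy, dict):
            problems.append(f"policy[{i}]: not a mapping")
            continue
        name = policy.get("name")
        if name and name in seen:
            problems.append(f"policy[{i}]: duplicate name {name!r}")
        seen.add(name)
        problems.extend(lint_policy(policy, i))
    return problems


# Constructed sample: the MR's first example, a scheduled cluster scan modelled on
# its last example, and one deliberately broken policy.
SAMPLE_DOC = {"scan_execution_policy": [
    {"name": "Enforce Container scanning", "enabled": True,
     "rules": [{"type": "pipeline", "branches": ["main"]}],
     "actions": [{"scan": "container_scanning"}]},
    {"name": "Scheduled cluster scan", "enabled": True,
     "rules": [{"type": "schedule", "cadence": "*/5 * * * *",
                "clusters": {"production": {"containers": ["nginx", "falco"],
                                            "namespaces": ["gitlab-production"],
                                            "kinds": ["deployment", "daemonset"]}}}],
     "actions": [{"scan": "cluster_image_scanning"}]},
    {"name": "Broken policy", "enabled": False,  # disabled, so it never applies
     "rules": [{"type": "schedule", "cadence": "*/5 * * *",  # four fields
                "clusters": {"staging": {"namespace": ["default"]}}},  # key typo
               {"type": "pipeline"}],  # no branches
     "actions": [{"scan": "container-scanning"}]},  # hyphen instead of underscore
]}

if __name__ == "__main__":
    for problem in lint_document(SAMPLE_DOC):
        print(problem)
```

Run against a real file with `lint_document(yaml.safe_load(open(".gitlab/security-policies/policy.yml")))`; a disabled policy or a malformed cadence is reported before the policy is committed and silently stops enforcing the scan.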

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Security

Does this MR contain changes to processing or storing of credentials or tokens, authorization and authentication methods or other items described in the security review guidelines? If not, then delete this Security section.

  • [-] Label as security and @ mention @gitlab-com/gl-security/appsec
  • [-] The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • [-] Security reports checked/validated by a reviewer from the AppSec team

Related to #330714 (closed)

Edited by Alan (Maciej) Paruszewski
