Match container-scanning vulnerabilities in dependencies
What does this MR do and why?
We recently added the ability to list dependencies found by the container-scanning analyzer; however, we missed one important detail: we also want to show which of those dependencies have vulnerabilities. This MR addresses that.
Screenshots or screen recordings
How to set up and validate locally
- Create a new project.
- Create a `.gitlab-ci.yml` file and paste the following content:

```yaml
include:
  - template: Security/Container-Scanning.gitlab-ci.yml

variables:
  CS_DISABLE_LANGUAGE_VULNERABILITY_SCAN: "false"
  DOCKER_IMAGE: "dnurmi/testrepo:jarjar"
  CS_ANALYZER_IMAGE: "registry.gitlab.com/gitlab-org/security-products/analyzers/container-scanning:348489-fix-location-image-for-trivy-language-scan"
```

- Run the pipeline and go to Security & Compliance -> Dependency list. You should see vulnerability information there.
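As an added illustration of the matching this MR describes (not code from the MR or from GitLab), the snippet below attaches findings from a container-scanning report to the dependencies listed in the same report. The field layout follows the shape of GitLab's security report schema (`dependency_files`, `vulnerabilities[].location.dependency`); the sample report and all its values are constructed.

```python
from collections import defaultdict

# Constructed container-scanning report (added example; field layout follows
# GitLab's security report schema, values are made up): one scanned image with
# two packages, and one finding that affects only the first package.
SAMPLE_REPORT = {
    "dependency_files": [
        {
            "path": "container-image:dnurmi/testrepo:jarjar",
            "dependencies": [
                {"package": {"name": "example-lib"}, "version": "1.2.3"},
                {"package": {"name": "helper-lib"}, "version": "4.5.6"},
            ],
        }
    ],
    "vulnerabilities": [
        {
            "id": "example-finding-1",  # placeholder id, not a real advisory
            "severity": "High",
            "location": {
                "image": "dnurmi/testrepo:jarjar",
                "dependency": {"package": {"name": "example-lib"}, "version": "1.2.3"},
            },
        },
        {  # finding with no dependency entry; must not break the matching
            "id": "example-finding-2",
            "severity": "Low",
            "location": {"image": "dnurmi/testrepo:jarjar", "operating_system": "debian"},
        },
    ],
}


def match_vulnerabilities(report):
    """Map (name, version) -> finding ids; keyed on the exact version so a
    finding never leaks onto a sibling version of the same package."""
    by_package = defaultdict(list)
    for vuln in report.get("vulnerabilities", []):
        dep = vuln.get("location", {}).get("dependency")
        if not dep:
            continue  # nothing to match this finding against
        by_package[(dep["package"]["name"], dep.get("version"))].append(vuln["id"])

    matched = {}
    for dep_file in report.get("dependency_files", []):
        for dep in dep_file.get("dependencies", []):
            key = (dep["package"]["name"], dep.get("version"))
            matched[key] = by_package.get(key, [])
    return matched
```

Every listed dependency appears in the result, with an empty list for those without findings, which is what lets a dependency list show "no vulnerabilities" rather than silently omitting the package.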
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Related to #348489 (closed)