Skip to content

Match container-scanning vulnerabilities in dependencies

What does this MR do and why?

We have recently added ability to list dependencies found in container-scanning analyzer, however we have missed one important detail: we also want to show for which dependencies we have found vulnerabilities. This MR addresses that.

Screenshots or screen recordings

image

How to set up and validate locally

  1. Create new project.
  2. Create gitlab-ci.yml file and paste content:
include:
   - template: Security/Container-Scanning.gitlab-ci.yml

variables:
   CS_DISABLE_LANGUAGE_VULNERABILITY_SCAN: "false"
   DOCKER_IMAGE: "dnurmi/testrepo:jarjar"
   CS_ANALYZER_IMAGE: "registry.gitlab.com/gitlab-org/security-products/analyzers/container-scanning:348489-fix-location-image-for-trivy-language-scan"
  1. Run pipeline and go to Security & Compliance -> Dependency list. You should see information about vulnerabilities there.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #348489 (closed)

Merge request reports

Loading