- Create a new project
- Add a
Dockerfileto new project - Create pipeline configuration
- Check for reported vulnerabilities
- Update the Docker image
Tutorial: Scan a Docker container for vulnerabilities
You can use container scanning to check for vulnerabilities in container images stored in the container registry.
Container scanning configuration is added to the pipeline configuration of a project. In this tutorial, you:
- Create a new project.
-
Add a
Dockerfilefile to the project. ThisDockerfilecontains minimal configuration required to create a Docker image. - Create pipeline configuration for the new project to create a Docker
image from the
Dockerfile, build and push a Docker image to the container registry, and then scan the Docker image for vulnerabilities. - Check for reported vulnerabilities.
- Update the Docker image and scan the updated image.
Create a new project
To create the new project
- On the left sidebar, at the top, select Create new () and New project/repository.
- Select Create blank project.
- In Project name, enter
Tutorial container scanning project. - In Project URL, select a namespace for the project.
- Select Create project.
Add a Dockerfile to new project
To provide something for container scanning to work on, create a Dockerfile with very minimal configuration:
- In your
Tutorial container scanning projectproject, select > New file. -
Enter the filename
Dockerfile, and provide the following contents for the file:FROM hello-world:latest
Docker images created from this Dockerfile are based on hello-world Docker
image.
- Select Commit changes.
Create pipeline configuration
Now you’re ready to create pipeline configuration. The pipeline configuration:
- Builds a Docker image from the
Dockerfilefile, and pushes the Docker image to the container registry. Thebuild-imagejob uses Docker-in-Docker as a CI/CD service to build the Docker image. You can also use kaniko to build Docker images in a pipeline. - Includes the
Container-Scanning.gitlab-ci.ymltemplate, to scan the Docker image stored in the container registry.
To create the pipeline configuration:
- In the root directory of your project, select > New file.
-
Enter the filename
.gitlab-ci.yml, and provide the following contents for the file:include: - template: Jobs/Container-Scanning.gitlab-ci.yml container_scanning: variables: CS_IMAGE: $CI_REGISTRY_IMAGE/tutorial-image build-image: image: docker:24.0.2 stage: build services: - docker:24.0.2-dind script: - docker build --tag $CI_REGISTRY_IMAGE/tutorial-image --file Dockerfile . - docker login --username gitlab-ci-token --password $CI_JOB_TOKEN $CI_REGISTRY - docker push $CI_REGISTRY_IMAGE/tutorial-image - Select Commit changes.
You’re almost done. After you commit the file, a new pipeline starts with this configuration. When it’s finished, you can check the results of the scan.
Check for reported vulnerabilities
Vulnerabilities for a scan are located on the pipeline that ran the scan. To check for reported vulnerabilities:
- Select CI/CD > Pipelines and select the most recent pipeline. This pipeline should consist of a job called
container_scanningin theteststage. - If the
container_scanningjob was successful, select the Security tab. If any vulnerabilities were found, they are listed on that page.
Update the Docker image
A Docker image based on hello-world:latest is unlikely to show any vulnerabilities. For an example of a scan that
reports vulnerabilities:
- In the root directory of your project, select the existing
Dockerfilefile. - Select Edit.
- Replace
FROM hello-world:latestwith a different Docker image for theFROMinstruction. The best Docker images to demonstrate container scanning have:- Operating system packages. For example, from Debian, Ubuntu, Alpine, or Red Hat.
- Programming language packages. For example, NPM packages or Python packages.
- Select Commit changes.
After you commit changes to the file, a new pipeline starts with this updated Dockerfile. When it’s finished, you can
check the results of the new scan.