- Create a new project
- Add a
Dockerfile
to new project - Create pipeline configuration
- Check for reported vulnerabilities
- Update the Docker image
Tutorial: Scan a Docker container for vulnerabilities
You can use container scanning to check for vulnerabilities in container images stored in the container registry.
Container scanning configuration is added to the pipeline configuration of a project. In this tutorial, you:
- Create a new project.
-
Add a
Dockerfile
file to the project. ThisDockerfile
contains minimal configuration required to create a Docker image. - Create pipeline configuration for the new project to create a Docker
image from the
Dockerfile
, build and push a Docker image to the container registry, and then scan the Docker image for vulnerabilities. - Check for reported vulnerabilities.
- Update the Docker image and scan the updated image.
Create a new project
To create the new project
- On the left sidebar, at the top, select Create new () and New project/repository.
- Select Create blank project.
- In Project name, enter
Tutorial container scanning project
. - In Project URL, select a namespace for the project.
- Select Create project.
Add a Dockerfile
to new project
To provide something for container scanning to work on, create a Dockerfile
with very minimal configuration:
- In your
Tutorial container scanning project
project, select > New file. -
Enter the filename
Dockerfile
, and provide the following contents for the file:FROM hello-world:latest
Docker images created from this Dockerfile
are based on hello-world
Docker
image.
- Select Commit changes.
Create pipeline configuration
Now you’re ready to create pipeline configuration. The pipeline configuration:
- Builds a Docker image from the
Dockerfile
file, and pushes the Docker image to the container registry. Thebuild-image
job uses Docker-in-Docker as a CI/CD service to build the Docker image. You can also use kaniko to build Docker images in a pipeline. - Includes the
Container-Scanning.gitlab-ci.yml
template, to scan the Docker image stored in the container registry.
To create the pipeline configuration:
- In the root directory of your project, select > New file.
-
Enter the filename
.gitlab-ci.yml
, and provide the following contents for the file:include: - template: Security/Container-Scanning.gitlab-ci.yml container_scanning: variables: CS_IMAGE: $CI_REGISTRY_IMAGE/tutorial-image build-image: image: docker:24.0.2 stage: build services: - docker:24.0.2-dind script: - docker build --tag $CI_REGISTRY_IMAGE/tutorial-image --file Dockerfile . - docker login --username gitlab-ci-token --password $CI_JOB_TOKEN $CI_REGISTRY - docker push $CI_REGISTRY_IMAGE/tutorial-image
- Select Commit changes.
You’re almost done. After you commit the file, a new pipeline starts with this configuration. When it’s finished, you can check the results of the scan.
Check for reported vulnerabilities
Vulnerabilities for a scan are located on the pipeline that ran the scan. To check for reported vulnerabilities:
- Select CI/CD > Pipelines and select the most recent pipeline. This pipeline should consist of a job called
container_scanning
in thetest
stage. - If the
container_scanning
job was successful, select the Security tab. If any vulnerabilities were found, they are listed on that page.
Update the Docker image
A Docker image based on hello-world:latest
is unlikely to show any vulnerabilities. For an example of a scan that
reports vulnerabilities:
- In the root directory of your project, select the existing
Dockerfile
file. - Select Edit.
- Replace
FROM hello-world:latest
with a different Docker image for theFROM
instruction. The best Docker images to demonstrate container scanning have:- Operating system packages. For example, from Debian, Ubuntu, Alpine, or Red Hat.
- Programming language packages. For example, NPM packages or Python packages.
- Select Commit changes.
After you commit changes to the file, a new pipeline starts with this updated Dockerfile
. When it’s finished, you can
check the results of the new scan.