Diffstat (limited to 'doc/user/application_security')
-rw-r--r-- doc/user/application_security/container_scanning/index.md | 35
-rw-r--r-- doc/user/application_security/dependency_scanning/index.md | 2
2 files changed, 8 insertions, 29 deletions
diff --git a/doc/user/application_security/container_scanning/index.md b/doc/user/application_security/container_scanning/index.md index 7c24edb8558..c3f80c6a0fd 100644 --- a/doc/user/application_security/container_scanning/index.md +++ b/doc/user/application_security/container_scanning/index.md @@ -11,7 +11,7 @@ in [GitLab Ultimate](https://about.gitlab.com/pricing/) 10.4. If you are using [GitLab CI/CD](../../../ci/README.md), you can check your Docker images (or more precisely the containers) for known vulnerabilities by using -[Clair](https://github.com/coreos/clair) and [klar](https://github.com/optiopay/klar), +[Clair](https://github.com/coreos/clair) and [clair-scanner](https://github.com/arminc/clair-scanner), two open source tools for Vulnerability Static Analysis for containers. You can take advantage of Container Scanning by either [including the CI job](#configuration) in @@ -48,7 +48,7 @@ To enable Container Scanning in your pipeline, you need: running. If you're using the shared Runners on GitLab.com, this is already the case. - To [build and push](../../../ci/docker/using_docker_build.md#container-registry-examples) - your Docker image to your project's [Container Registry](../../packages/container_registry/index.md). + your Docker image to your project's [Container Registry](../../project/container_registry.md). The name of the Docker image should match the following scheme: ```text @@ -79,7 +79,7 @@ The included template will: 1. Create a `container_scanning` job in your CI/CD pipeline. 1. Pull the already built Docker image from your project's - [Container Registry](../../packages/container_registry/index.md) (see [requirements](#requirements)) + [Container Registry](../../project/container_registry.md) (see [requirements](#requirements)) and scan it for possible vulnerabilities. The results will be saved as a 
@@ -90,6 +90,10 @@ artifact available. Behind the scenes, the [GitLab Container Scanning analyzer](https://gitlab.com/gitlab-org/security-products/container-scanning) is used and runs the scans. +If you want to whitelist some specific vulnerabilities, you can do so by defining +them in a YAML file named `clair-whitelist.yml`. Read more in the +[Clair documentation](https://github.com/arminc/clair-scanner/blob/master/README.md#example-whitelist-yaml-file). + ## Example The following is a sample `.gitlab-ci.yml` that will build your Docker Image, push it to the container registry and run Container Scanning. @@ -120,31 +124,6 @@ build: - docker push $IMAGE ``` -## Vulnerability Whitelisting - -If you want to whitelist specific vulnerabilities, you'll need to: - - 1. Set `GIT_STRATEGY: fetch` in your `.gitlab-ci.yml` file by following the instructions described in the - [overriding the Container Scanning template](#overriding-the-container-scanning-template) section of this document. - 1. Define the whitelisted vulnerabilities in a YAML file named `clair-whitelist.yml` which must use the format described - in the [following whitelist example file](https://github.com/arminc/clair-scanner/blob/v12/example-whitelist.yaml). - 1. Add the `clair-whitelist.yml` file to the git repository of your project - -### Overriding the Container Scanning template - -If you want to override the job definition (for example, change properties like -`variables`), you need to declare a `container_scanning` job after the -template inclusion and specify any additional keys under it. For example: - -```yaml -include: - - template: Container-Scanning.gitlab-ci.yml - -container_scanning: - variables: - GIT_STRATEGY: fetch -``` - ## Security Dashboard The Security Dashboard is a good place to get an overview of all the security diff --git a/doc/user/application_security/dependency_scanning/index.md b/doc/user/application_security/dependency_scanning/index.md index 5baaa92d3d8..166a71b6fbe 100644 
--- a/doc/user/application_security/dependency_scanning/index.md +++ b/doc/user/application_security/dependency_scanning/index.md @@ -58,7 +58,7 @@ The following languages and dependency managers are supported. | JavaScript ([npm](https://www.npmjs.com/), [yarn](https://yarnpkg.com/en/)) | yes | [gemnasium](https://gitlab.com/gitlab-org/security-products/gemnasium), [Retire.js](https://retirejs.github.io/retire.js) | | Go ([Golang](https://golang.org/)) | not currently ([issue](https://gitlab.com/gitlab-org/gitlab-ee/issues/7132 "Dependency Scanning for Go")) | not available | | PHP ([Composer](https://getcomposer.org/)) | yes | [gemnasium](https://gitlab.com/gitlab-org/security-products/gemnasium) | -| Python ([pip](https://pip.pypa.io/en/stable/)) | yes | [gemnasium](https://gitlab.com/gitlab-org/security-products/gemnasium) | +| Python ([pip](https://pip.pypa.io/en/stable/)) (only `requirements.txt` supported) | yes | [gemnasium](https://gitlab.com/gitlab-org/security-products/gemnasium) | | Python ([Pipfile](https://docs.pipenv.org/en/latest/basics/)) | not currently ([issue](https://gitlab.com/gitlab-org/gitlab-ee/issues/11756 "Pipfile.lock support for Dependency Scanning"))| not available | | Python ([poetry](https://poetry.eustace.io/)) | not currently ([issue](https://gitlab.com/gitlab-org/gitlab-ee/issues/7006 "Support Poetry in Dependency Scanning")) | not available | | Ruby ([gem](https://rubygems.org/)) | yes | [gemnasium](https://gitlab.com/gitlab-org/security-products/gemnasium), [bundler-audit](https://github.com/rubysec/bundler-audit) | |
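Review bot: in the `@@ -48,7 +48,7 @@` hunk the relative link target for the Container Registry requirement changes from `../../packages/container_registry/index.md` to `../../project/container_registry.md`; confirm that `doc/user/project/container_registry.md` exists at this revision, because the `packages/` path suggests the target page was moved and this change would reintroduce a broken link in the rendered docs. The identical change is made in the `@@ -79,7 +79,7 @@` hunk, so both links must resolve to the same page.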
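Review bot: the `@@ -90,6 +90,10 @@` hunk replaces the `## Vulnerability Whitelisting` section with a single paragraph and drops two steps the removed text says the feature depends on: setting `GIT_STRATEGY: fetch` so the job checks out the repository, and adding `clair-whitelist.yml` to the project's git repository. If the job does not check out the repository the file is not in the job workspace and the whitelist is not applied, which is an easy mistake to make for a control that suppresses findings; either keep the three-step list together with the `### Overriding the Container Scanning template` snippet it points at (the `#overriding-the-container-scanning-template` anchor is what explains the `GIT_STRATEGY` override, and other pages may still link to it) or state in the new paragraph where the file must live and that the job needs the checkout. The reference also moves from the pinned `clair-scanner/blob/v12/example-whitelist.yaml` to `blob/master/README.md#example-whitelist-yaml-file`; an unpinned `master` anchor can drift, so prefer the tagged example that matches the scanner version the analyzer ships.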
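Review bot: in the dependency_scanning `@@ -58,7 +58,7 @@` hunk the new `(only `requirements.txt` supported)` qualifier sits in the language/package-manager column while the Supported column still reads `yes`, so a reader scanning that column will not see the restriction. Consider putting it in the Supported cell (for example `yes (`requirements.txt` only)`) or a footnote, and keep it consistent with the Pipfile and poetry rows directly below, which already state their unsupported formats in the Supported column.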