Investigate container scanning options within the context of the Gitlab appsec pipeline
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	sbassett
	May 3 2022, 9:33 PM

Description

This is heavily dependent upon the outcomes of T287211, T301168 and T290339. If it appears that blubber will be successfully ported over to gitlab.wikimedia.org and function with pipelinelib similarly to how it does now, then we would likely want to implement some variety of container scanning within the appsec pipeline that followed a basic workflow of:

parse blubber.yaml for relevant images for a given app, repo, system.
build relevant dockerfiles
scan for vulnerabilities (and possibly lint/analyze for best practices)
report results as console output similar to other tests

OSI/FCL-compliant tooling to consider:

syft (for sbom) and grype (for vuln-scanning)
clair - perhaps a bit much for our needs
docker bench - more of a linter/best practices tool
dockle - also more of a linter
trivy - perhaps a bit much as well

Tools like snyk's alleged oss container scanner, dagda, etc simply do not satisfy current licensing requirements.

Related Objects
Search...

		Status	Subtype	Assigned	Task
		Open		sbassett	T342177 [EPIC] Application Security Pipeline Components for Gitlab - Phase 2 Work
		Resolved		mmartorana	T307523 Investigate container scanning options within the context of the Gitlab appsec pipeline

Event Timeline

sbassett created this task.May 3 2022, 9:33 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 3 2022, 9:33 PM

sbassett updated the task description. (Show Details)May 3 2022, 9:33 PM

sbassett updated the task description. (Show Details)May 5 2022, 3:16 PM

sbassett moved this task from Incoming to Back Orders on the Security-Team board.May 9 2022, 4:22 PM

sbassett added a project: SecTeam-Processed.

sbassett added a project: GitLab-Application-Security-Pipeline.Jul 13 2023, 7:50 PM

sbassett edited parent tasks, added: T342177: [EPIC] Application Security Pipeline Components for Gitlab - Phase 2 Work; removed: T289290: Design and Build Application Security Pipeline Components for Gitlab.Jul 18 2023, 9:24 PM

sbassett changed the task status from Open to In Progress.Feb 6 2024, 6:03 PM

sbassett assigned this task to mmartorana.

sbassett triaged this task as Low priority.

sbassett moved this task from Backlog to In Progress on the GitLab-Application-Security-Pipeline board.

sbassett moved this task from Back Orders to In Progress on the Security-Team board.

Regarding this ticket, I would recommend syncing with @MoritzMuehlenhoff as I believe he had ideas and thoughts for scanning and updated running containers. This is different to CI of course, but would be good to be aware and plan the overall approach together.

In T307523#9537237, @acooper wrote:

Regarding this ticket, I would recommend syncing with @MoritzMuehlenhoff as I believe he had ideas and thoughts for scanning and updated running containers. This is different to CI of course, but would be good to be aware and plan the overall approach together.

Sounds good. We already keep track of the contents of container images via https://debmonitor.wikimedia.org for the vulnerability tracking , but some more consistent scanning would be a good complement.