
Investigate container scanning options within the context of the Gitlab appsec pipeline
Open, In Progress, Low, Public

Description

This is heavily dependent upon the outcomes of T287211, T301168 and T290339. If it appears that blubber will be successfully ported over to gitlab.wikimedia.org and function with pipelinelib similarly to how it does now, then we would likely want to implement some variety of container scanning within the appsec pipeline that followed a basic workflow of:

  1. parse blubber.yaml for relevant images for a given app, repo, system.
  2. build relevant Dockerfiles
  3. scan for vulnerabilities (and possibly lint/analyze for best practices)
  4. report results as console output similar to other tests

OSI/FCL-compliant tooling to consider:

  1. syft (for SBOM) and grype (for vuln-scanning)
  2. clair - perhaps a bit much for our needs
  3. docker bench - more of a linter/best practices tool
  4. dockle - also more of a linter
  5. trivy - perhaps a bit much as well

Tools like Snyk's alleged OSS container scanner, dagda, etc. simply do not satisfy current licensing requirements.
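As an added example (not code from this task, from Blubber, or from pipelinelib), the sketch below shows what steps 1 and 4 of the proposed workflow could look like in Python: resolve the base image(s) each Blubber variant builds from (honouring `includes` and multi-stage `copies`), then turn a grype JSON report into a PASS/FAIL console line with a severity gate that mirrors grype's `--fail-on` and `--only-fixed` flags. The Blubber config is embedded as the dict that `yaml.safe_load` would return from a `.pipeline/blubber.yaml` (loading the real file with PyYAML is assumed), the grype report is a constructed excerpt of `grype -o json` output, and the image names and CVE ids are placeholders, not real registry paths or advisories.

```python
"""Added example for the Blubber -> syft/grype -> console-report workflow.
Not part of the Wikimedia pipeline; sample data below is constructed."""
from collections import Counter

# grype severity ladder, lowest to highest ("Unknown" is ranked lowest here).
SEVERITIES = ["Unknown", "Negligible", "Low", "Medium", "High", "Critical"]

# Constructed equivalent of yaml.safe_load() on a .pipeline/blubber.yaml.
# Image names are placeholders, not real docker-registry.wikimedia.org paths.
SAMPLE_BLUBBER = {
    "version": "v4",
    "base": "registry.example/bullseye:latest",
    "variants": {
        "build": {"apt": {"packages": ["git"]}, "node": {"requirements": ["package.json"]}},
        "test": {"includes": ["build"], "entrypoint": ["npm", "test"]},
        "production": {
            "base": "registry.example/nodejs-slim:latest",
            "copies": [{"from": "build", "source": "/srv/app", "destination": "/srv/app"}],
        },
    },
}

# Constructed excerpt of `grype <image> -o json`; only the fields used below are
# kept, and the CVE ids are placeholders rather than real advisories.
SAMPLE_GRYPE = {
    "matches": [
        {"vulnerability": {"id": "CVE-0000-0001", "severity": "High",
                           "fix": {"versions": ["1.2.3-1+deb11u1"], "state": "fixed"}},
         "artifact": {"name": "libexample1", "version": "1.2.3-1", "type": "deb"}},
        {"vulnerability": {"id": "CVE-0000-0002", "severity": "Medium",
                           "fix": {"versions": [], "state": "not-fixed"}},
         "artifact": {"name": "examplelib", "version": "0.9.0", "type": "npm"}},
        {"vulnerability": {"id": "CVE-0000-0003", "severity": "Negligible",
                           "fix": {"versions": [], "state": "wont-fix"}},
         "artifact": {"name": "libfoo", "version": "2.0", "type": "deb"}},
    ]
}


def effective_base(config, variant, _path=()):
    """Base image a variant builds FROM: its own `base`, else that of the first
    included variant, else the top-level `base`. `_path` guards against include cycles."""
    if variant in _path:
        raise ValueError(f"cyclic includes at variant {variant!r}")
    spec = config["variants"][variant]
    if "base" in spec:
        return spec["base"]
    for inc in spec.get("includes", []):
        return effective_base(config, inc, _path + (variant,))
    return config.get("base")


def images_for_variant(config, variant):
    """Every base image feeding a variant's Dockerfile: its effective base plus
    the bases of variants it `copies` from (those become extra build stages)."""
    images = {effective_base(config, variant)}
    for copy in config["variants"][variant].get("copies", []):
        src = copy.get("from") if isinstance(copy, dict) else copy
        if src in config["variants"]:
            images.add(effective_base(config, src))
    return images


def parse_grype(report):
    """Flatten grype JSON matches into (package, version, id, severity, fixed) tuples."""
    findings = []
    for m in report.get("matches", []):
        vuln, art = m["vulnerability"], m["artifact"]
        fixed = vuln.get("fix", {}).get("state") == "fixed"
        findings.append((art["name"], art["version"], vuln["id"],
                         vuln.get("severity", "Unknown"), fixed))
    return findings


def _rank(severity):
    return SEVERITIES.index(severity) if severity in SEVERITIES else 0


def summarize(findings, fail_on="High", only_fixed=False):
    """Count findings by severity and gate on `fail_on`, like grype's
    --fail-on; with only_fixed, unfixable findings are dropped first (--only-fixed)."""
    if only_fixed:
        findings = [f for f in findings if f[4]]
    threshold = _rank(fail_on.capitalize())
    failing = [f for f in findings if _rank(f[3]) >= threshold]
    return {"counts": dict(Counter(f[3] for f in findings)),
            "failing": failing, "failed": bool(failing)}


def format_report(variant, image, summary):
    """Console output in the spirit of the other pipeline tests: one status
    line per image, then one line per finding that tripped the gate."""
    status = "FAIL" if summary["failed"] else "PASS"
    counts = " ".join(f"{s}={summary['counts'][s]}"
                      for s in reversed(SEVERITIES) if s in summary["counts"])
    lines = [f"[{status}] {variant} ({image}): {counts or 'no findings'}"]
    for pkg, ver, vid, sev, fixed in summary["failing"]:
        lines.append(f"    {sev:<10} {vid:<15} {pkg} {ver}" + (" (fix available)" if fixed else ""))
    return "\n".join(lines)


if __name__ == "__main__":
    # In the pipeline each image would get its own scan, e.g.
    #   syft <image> -o cyclonedx-json > sbom.json && grype sbom:sbom.json -o json
    # here the single constructed report stands in for every image.
    for variant in ("test", "production"):
        for image in sorted(images_for_variant(SAMPLE_BLUBBER, variant)):
            print(format_report(variant, image, summarize(parse_grype(SAMPLE_GRYPE), "High")))
```

Resolving the base images up front matters because a multi-stage variant like `production` pulls in two images, and a scan of only the final image would miss anything inherited from the `build` stage's base. The `only_fixed` switch is the usual way to keep a gate actionable in CI: a job that fails on findings nobody can fix yet trains people to ignore it.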

Event Timeline

sbassett changed the task status from Open to In Progress. Feb 6 2024, 6:03 PM
sbassett assigned this task to mmartorana.
sbassett triaged this task as Low priority.
sbassett moved this task from Back Orders to In Progress on the Security-Team board.

Regarding this ticket, I would recommend syncing with @MoritzMuehlenhoff as I believe he had ideas and thoughts for scanning and updated running containers. This is different to CI of course, but would be good to be aware and plan the overall approach together.

Sounds good. We already keep track of the contents of container images via https://debmonitor.wikimedia.org for vulnerability tracking, but some more consistent scanning would be a good complement.