Tutorial: Scan a Docker container for vulnerabilities
DETAILS: Tier: Free, Premium, Ultimate Offering: SaaS, self-managed
You can use container scanning to check for vulnerabilities in container images stored in the container registry.
Container scanning configuration is added to the pipeline configuration of a project. In this tutorial, you:
- Create a new project.
-
Add a
Dockerfile
file to the project. ThisDockerfile
contains minimal configuration required to create a Docker image. - Create pipeline configuration for the new project to create a Docker
image from the
Dockerfile
, build and push a Docker image to the container registry, and then scan the Docker image for vulnerabilities. - Check for reported vulnerabilities.
- Update the Docker image and scan the updated image.
Create a new project
To create the new project
- On the left sidebar, at the top, select Create new ({plus}) and New project/repository.
- Select Create blank project.
- In Project name, enter
Tutorial container scanning project
. - In Project URL, select a namespace for the project.
- Select Create project.
Dockerfile
to new project
Add a To provide something for container scanning to work on, create a Dockerfile
with very minimal configuration:
-
In your
Tutorial container scanning project
project, select {plus} > New file. -
Enter the filename
Dockerfile
, and provide the following contents for the file:FROM hello-world:latest
Docker images created from this Dockerfile
are based on hello-world
Docker
image.
- Select Commit changes.
Create pipeline configuration
Now you're ready to create pipeline configuration. The pipeline configuration:
- Builds a Docker image from the
Dockerfile
file, and pushes the Docker image to the container registry. Thebuild-image
job uses Docker-in-Docker as a CI/CD service to build the Docker image. You can also use kaniko to build Docker images in a pipeline. - Includes the
Container-Scanning.gitlab-ci.yml
template, to scan the Docker image stored in the container registry.
To create the pipeline configuration:
-
In the root directory of your project, select {plus} > New file.
-
Enter the filename
.gitlab-ci.yml
, and provide the following contents for the file:include: - template: Security/Container-Scanning.gitlab-ci.yml container_scanning: variables: CS_IMAGE: $CI_REGISTRY_IMAGE/tutorial-image build-image: image: docker:24.0.2 stage: build services: - docker:24.0.2-dind script: - docker build --tag $CI_REGISTRY_IMAGE/tutorial-image --file Dockerfile . - docker login --username gitlab-ci-token --password $CI_JOB_TOKEN $CI_REGISTRY - docker push $CI_REGISTRY_IMAGE/tutorial-image
-
Select Commit changes.
You're almost done. After you commit the file, a new pipeline starts with this configuration. When it's finished, you can check the results of the scan.
Check for reported vulnerabilities
Vulnerabilities for a scan are located on the pipeline that ran the scan. To check for reported vulnerabilities:
- Select CI/CD > Pipelines and select the most recent pipeline. This pipeline should consist of a job called
container_scanning
in thetest
stage. - If the
container_scanning
job was successful, select the Security tab. If any vulnerabilities were found, they are listed on that page.
Update the Docker image
A Docker image based on hello-world:latest
is unlikely to show any vulnerabilities. For an example of a scan that
reports vulnerabilities:
- In the root directory of your project, select the existing
Dockerfile
file. - Select Edit.
- Replace
FROM hello-world:latest
with a different Docker image for theFROM
instruction. The best Docker images to demonstrate container scanning have:- Operating system packages. For example, from Debian, Ubuntu, Alpine, or Red Hat.
- Programming language packages. For example, NPM packages or Python packages.
- Select Commit changes.
After you commit changes to the file, a new pipeline starts with this updated Dockerfile
. When it's finished, you can
check the results of the new scan.