Use docker/scout-cli in Gitlab

Hello everyone,

I am building my images in a Gitlab Pipeline and would love to scan my images also in the pipeline.

I can save my image to a image.tar but I cant get my image to be scanned with docker/scout-cli container because there is no way to pass an archive into that CLI.

Does anyone have an idea how this could be possible.

Thanks in advance

Did you find a solution?

Why do you need to export the image to a tar archive? Wouldn’t be better to just test an already loaded image? Maybe there is something I missed.

Hi there,

yes, i found a solution.

I am using it in a Gitlab Pipeline and I wanted to separate my jobs / stages.

My stages are like this:

  • Build
  • Scan
  • Push

With other words on stage “Build” I am building my image, save it afterwards as a *.tar with “docker save” to a folder and put that folder in my artifacts.

On the “Scan” stage, is where I scan my images for CVEs.
I have my images as *.tar from the artifacts and mount these as a Volume in the “scout-cli” container.
You can scan directly from the tar in the mounted volume.

On the “Push” stage I extract the images again from the *.tar files with “docker load” so, that I can upload them to my own Registry.

Why did I choose this complicated way of doing the things?
The scout-cli can only scan images from a *.tar file or if they are on Dockerhub.
I am uploading the images to an own internal Docker Registry, so that wouldnt work there.
Another reason was, because I wanted to also scan my images before pushing to the Docker Registry.

Hey, we’ve made it a lot easier to install and use the Docker Scout CLI in CI systems. You can now install the binaries from GitHub - docker/scout-cli: Docker Scout CLI.

Here’s an example for using Docker Scout from a Gitlab CI pipeline:

  image: docker:latest
  stage: build
    - docker:dind
    # Install curl and the Docker Scout CLI
    - |
      apk add --update curl
      curl -sSfL | sh -s -- 
      apk del curl 
      rm -rf /var/cache/apk/* 
    # Login to Docker Hub required for Docker Scout CLI
    - docker login -u "$DOCKER_HUB_USER" -p "$DOCKER_HUB_PAT"
    - |
      if [[ "$CI_COMMIT_BRANCH" == "$CI_DEFAULT_BRANCH" ]]; then
        echo "Running on default branch '$CI_DEFAULT_BRANCH': tag = 'latest'"
        echo "Running on branch '$CI_COMMIT_BRANCH': tag = $tag"
    - docker build --pull -t "$CI_REGISTRY_IMAGE${tag}" .
    # Get a CVE report for the built image and fail the pipeline when critical or high CVEs are detected
    - docker scout cves "$CI_REGISTRY_IMAGE${tag}" --exit-code --only-severity critical,high
    - docker push "$CI_REGISTRY_IMAGE${tag}"
        - Dockerfile

Let me know if that helps.

Regards, cd

Hey, this looks promising…

I will take a look into it.

Thank you