Use docker/scout-cli in Gitlab

Hello everyone,

I am building my images in a Gitlab Pipeline and would love to scan my images also in the pipeline.

I can save my image to an image.tar but I can't get my image to be scanned with the docker/scout-cli container because there is no way to pass an archive into that CLI.

Does anyone have an idea how this could be possible?

Thanks in advance

Did you find a solution?

Why do you need to export the image to a tar archive? Wouldn't it be better to just test an already loaded image? Maybe there is something I missed.

Hi there,

Yes, I found a solution.

I am using it in a Gitlab Pipeline and I wanted to separate my jobs / stages.

My stages are like this:

  • Build
  • Scan
  • Push

In other words, on the “Build” stage I am building my image, afterwards save it as a *.tar with “docker save” to a folder and put that folder in my artifacts.

The “Scan” stage is where I scan my images for CVEs.
I have my images as *.tar from the artifacts and mount these as a Volume in the “scout-cli” container.
You can scan directly from the tar in the mounted volume.

On the “Push” stage I extract the images again from the *.tar files with “docker load”, so that I can upload them to my own Registry.

Why did I choose this complicated way of doing the things?
The scout-cli can only scan images from a *.tar file or if they are on Dockerhub.
I am uploading the images to my own internal Docker Registry, so that wouldn't work there.
Another reason was that I wanted to also scan my images before pushing to the Docker Registry.
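The three-stage layout described above (save the image as a tar artifact, scan that tar, load and push only if the scan passes) as an added `.gitlab-ci.yml` example; this is not the poster's own pipeline. The variable names `IMAGE_TAG`/`IMAGE_TAR` are constructed, `DOCKER_HUB_USER`/`DOCKER_HUB_PAT` are assumed to exist as masked CI/CD variables, and it assumes the Scout CLI picks up Hub credentials from `DOCKER_SCOUT_HUB_USER`/`DOCKER_SCOUT_HUB_PASSWORD`.

```yaml
stages:
  - build
  - scan
  - push
variables:
  # Constructed names for this example: the tag to build and the tarball handed between stages
  IMAGE_TAG: "$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG"
  IMAGE_TAR: image/app.tar

build:
  stage: build
  image: docker:latest
  services:
    - docker:dind
  script:
    - docker build --pull -t "$IMAGE_TAG" .
    # docker save keeps the repo:tag inside the archive, so docker load restores it in the push stage
    - mkdir -p image && docker save "$IMAGE_TAG" -o "$IMAGE_TAR"
  artifacts:
    paths:
      - image/
    expire_in: 1 hour

scan:
  stage: scan
  image: docker:latest   # no dind service: scanning an archive:// source needs no daemon
  needs: [build]
  variables:
    # Assumed: the Scout CLI reads Hub credentials from these env vars (DOCKER_HUB_* are masked CI/CD variables)
    DOCKER_SCOUT_HUB_USER: "$DOCKER_HUB_USER"
    DOCKER_SCOUT_HUB_PASSWORD: "$DOCKER_HUB_PAT"
  before_script:
    - apk add --update --no-cache curl
    - curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s --
  script:
    # A non-zero exit here fails the job and blocks the push stage, so only clean images reach the registry
    - docker scout cves "archive://$IMAGE_TAR" --exit-code --only-severity critical,high

push:
  stage: push
  image: docker:latest
  services:
    - docker:dind
  needs: [scan, build]
  before_script:
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
  script:
    - docker load -i "$IMAGE_TAR"
    - docker push "$IMAGE_TAG"
```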

Hey, we’ve made it a lot easier to install and use the Docker Scout CLI in CI systems. You can now install the binaries from GitHub - docker/scout-cli: Docker Scout CLI.

Here’s an example for using Docker Scout from a Gitlab CI pipeline:

docker-build:
  image: docker:latest
  stage: build
  services:
    - docker:dind
  before_script:
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
    # Install curl and the Docker Scout CLI
    - |
      apk add --update curl
      curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s --
      apk del curl
      rm -rf /var/cache/apk/*
    # Login to Docker Hub required for Docker Scout CLI
    - docker login -u "$DOCKER_HUB_USER" -p "$DOCKER_HUB_PAT"
  script:
    - |
      # POSIX test so the script also works in the Alpine /bin/sh of docker:latest
      if [ "$CI_COMMIT_BRANCH" = "$CI_DEFAULT_BRANCH" ]; then
        tag=""
        echo "Running on default branch '$CI_DEFAULT_BRANCH': tag = 'latest'"
      else
        tag=":$CI_COMMIT_REF_SLUG"
        echo "Running on branch '$CI_COMMIT_BRANCH': tag = $tag"
      fi
    - docker build --pull -t "$CI_REGISTRY_IMAGE${tag}" .
    # Get a CVE report for the built image and fail the pipeline when critical or high CVEs are detected
    - docker scout cves "$CI_REGISTRY_IMAGE${tag}" --exit-code --only-severity critical,high
    - docker push "$CI_REGISTRY_IMAGE${tag}"
  rules:
    - if: $CI_COMMIT_BRANCH
      exists:
        - Dockerfile

Let me know if that helps.

Regards, cd

Hey, this looks promising…

I will take a look into it.

Thank you