GitLab Pipeline Example

GitLab offers a wide variety of CI/CD features and configuration options. Pipelines are described in a YAML-based DSL, into which the Cisco Panoptica CLI tools for scanning Docker images and analyzing Kubernetes manifests are easy to integrate. We have created a two-step example to show how these tools can be used directly in GitLab CI/CD pipelines. The example is available at https://gitlab.com/securecn/gitlab-integration/

Configuring a GitLab Runner

The Docker image scanner feature requires Docker itself, so a Runner with access to Docker is needed. GitLab offers shared runners which support Docker; if you are bringing your own runner, here you can find more information on how to configure it properly to allow Docker access.

Required Credentials

To be able to use the example, two types of credentials are needed:

The Kubernetes cluster required for the Helm-based k8s-security-check step has to be registered in Panoptica. Since these are secrets, we suggest defining them as masked Project or Group variables in GitLab, in the following way:


The other variables in the project can be freely changed by the user in the provided .gitlab-ci.yml file:

variables:
  SCN_ACCESS_KEY: ${SCN_ACCESS_KEY}
  SCN_SECRET_KEY: ${SCN_SECRET_KEY}
  SCN_CONTROLLER_SECRET_KEY: ${SCN_CONTROLLER_SECRET_KEY}
  # KUBECONFIG_FILE: This is a file variable, so no need to set it here.

  # Scan options
  IMAGE_HIGHEST_SEVERITY: MEDIUM
  DOCKERFILE_HIGHEST_SEVERITY: WARN
  KUBERNETES_MAX_RISK: HIGH

  # Scan targets
  CHART: example-chart
  NAME: example-chart
  NAMESPACE: default
  IMAGE: alpine/helm

With the Scan options variables it is possible to define which level of risk is allowed in the artefacts under scanning. If a scan reports a finding above the configured threshold, the corresponding job fails and blocks your CI/CD pipeline, so issues are detected during build or deployment rather than afterwards.
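The following is an added illustration, not code from the example project or the Panoptica CLI, of how such threshold variables turn scan results into a job exit status. The severity scales and the sample findings are assumptions constructed for the example; the CLI's own level names may differ.

```python
import os
import sys

# Assumed ordered level scales, lowest to highest (not taken from the Panoptica CLI).
SCALES = {
    "IMAGE_HIGHEST_SEVERITY": ("LOW", "MEDIUM", "HIGH", "CRITICAL"),
    "DOCKERFILE_HIGHEST_SEVERITY": ("INFO", "WARN", "ERROR"),
    "KUBERNETES_MAX_RISK": ("LOW", "MEDIUM", "HIGH", "CRITICAL"),
}

# Constructed sample findings per scan, as (identifier, level) pairs.
SAMPLE_FINDINGS = {
    "IMAGE_HIGHEST_SEVERITY": [("pkg-a", "LOW"), ("pkg-b", "HIGH")],
    "DOCKERFILE_HIGHEST_SEVERITY": [("DL3007", "WARN")],
    "KUBERNETES_MAX_RISK": [("example-chart/deploy", "MEDIUM")],
}


def violations(threshold_var, allowed, findings):
    """Return the findings whose level lies strictly above the allowed ceiling."""
    scale = SCALES[threshold_var]
    if allowed.upper() not in scale:
        raise ValueError(f"{threshold_var}={allowed!r} is not one of {scale}")
    ceiling = scale.index(allowed.upper())
    # An unknown finding level raises here too, so the gate fails closed.
    return [(ident, lvl) for ident, lvl in findings
            if scale.index(lvl.upper()) > ceiling]


def gate(env, findings_by_var):
    """Evaluate every scan against its threshold variable.

    Returns (exit_code, messages): 0 passes, 1 blocks the pipeline.
    """
    blocked = []
    for var, findings in findings_by_var.items():
        allowed = env.get(var)
        if allowed is None:
            # A missing threshold must not silently allow everything through.
            blocked.append(f"{var} is not set")
            continue
        for ident, lvl in violations(var, allowed, findings):
            blocked.append(f"{var}={allowed}: {ident} is {lvl}")
    return (1 if blocked else 0), blocked


if __name__ == "__main__":
    code, msgs = gate(os.environ, SAMPLE_FINDINGS)
    print("\n".join(msgs) or "all scans within thresholds")
    sys.exit(code)
```

Run inside a job with the variables from the .gitlab-ci.yml above, a non-zero exit from this script is what makes the job, and with it the pipeline, fail.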

With the Scan targets it is possible to define which Helm chart and Docker image to put under testing. To scan multiple images and charts, repeat the corresponding steps in the YAML file for each of them.