在GitLab中将容器扫描添加到CI_Git_Gitlab_Gitlab Ci

在GitLab中将容器扫描添加到CI

git gitlab

在GitLab中将容器扫描添加到CI,git,gitlab,gitlab-ci,Git,Gitlab,Gitlab Ci,所以我尝试在gitlab中设置容器扫描，我尝试了很多方法，但似乎都不起作用，我遗漏了什么我的gitlab版本是：gitlab社区版12.9.4 计算机中的gitlab运行程序是：版本：12.10.2 这是我的.gitlab-ci.yml variables: vulnerable_tag: vulnerable non_vulnerable_tag: non_vulnerable IMAGE_NAME: test CLAIR_OUTPUT: High stages:

所以我尝试在gitlab中设置容器扫描，我尝试了很多方法，但似乎都不起作用，我遗漏了什么

我的gitlab版本是：gitlab社区版12.9.4

计算机中的gitlab运行程序是：版本：12.10.2

这是我的.gitlab-ci.yml

variables:
  vulnerable_tag: vulnerable
  non_vulnerable_tag: non_vulnerable
  IMAGE_NAME: test
  CLAIR_OUTPUT: High 

stages:
    - build
    - test

build:
  image: docker
  stage: build
  variables:
    IMAGE_NAME: test
    IMAGE_TAG: $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA
  script:
    - uname -a
    - docker build -t $IMAGE_NAME .
    - docker run -d -p 80:80 $IMAGE_NAME 
    - docker ps
    - curl localhost
    - mkdir output
    - echo $IMAGE_NAME"/"$CI_COMMIT_REF_SLUG":"$CI_COMMIT_SHA >> output/file.txt
  tags:
    - testingtag
#  artifacts:
#    paths: 
#      - output/

stop_container:
  stage: test
  script:
    - docker stop $(docker ps -q)

是一个简单的nginx容器，它只显示一个普通的index.hmtl

我在.gitlab-ci.yml中尝试了所有不起作用的东西

include:
  - template: Container-Scanning.gitlab-ci.yml

这就是文档所说的内容以及它应该如何工作，但是它抛出了一个错误：此GitLab CI配置无效：包含的文件`Container Scanning.GitLab CI.yml`为空或不存在

这不会抛出错误，但不会执行任何操作。链接是相同的Container-Scanning.gitlab-ci.yml，但为纯文本

最后，添加Container-Scanning.gitlab-ci.yml的内容作为作业

# Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/container_scanning/

variables:
  # Setting this variable will affect all Security templates
  # (SAST, Dependency Scanning, ...)
  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"

  CS_MAJOR_VERSION: 2

container_scanning:
  stage: test
  image: $SECURE_ANALYZERS_PREFIX/klar:$CS_MAJOR_VERSION
  variables:
    # By default, use the latest clair vulnerabilities database, however, allow it to be overridden here with a specific image
    # to enable container scanning to run offline, or to provide a consistent list of vulnerabilities for integration testing purposes
    CLAIR_DB_IMAGE_TAG: "latest"
    CLAIR_DB_IMAGE: "$SECURE_ANALYZERS_PREFIX/clair-vulnerabilities-db:$CLAIR_DB_IMAGE_TAG"
    # Override the GIT_STRATEGY variable in your `.gitlab-ci.yml` file and set it to `fetch` if you want to provide a `clair-whitelist.yml`
    # file. See https://docs.gitlab.com/ee/user/application_security/container_scanning/index.html#overriding-the-container-scanning-template
    # for details
    GIT_STRATEGY: none
  allow_failure: true
  services:
    - name: $CLAIR_DB_IMAGE
      alias: clair-vulnerabilities-db
  script:
    - /analyzer run
  artifacts:
    reports:
      container_scanning: gl-container-scanning-report.json
  dependencies: []
  rules:
    - if: $CONTAINER_SCANNING_DISABLED
      when: never
    - if: $CI_COMMIT_BRANCH &&
          $GITLAB_FEATURES =~ /\bcontainer_scanning\b/

CI只是跳过此作业，因为它不存在

如果您检查模板的路径，它包括安全性，那么以下代码应该可以工作：

include:
  - template: Securtiy/Container-Scanning.gitlab-ci.yml

GitLab community edition不包括容器扫描功能。目前，如前所述，它仅在Ultimate和Gold订阅中可用

此外，如果未检测到容器扫描功能（因为您正在运行community edition，所以不会检测到），CI config GitLab的这一部分将跳过整个扫描步骤：

  rules:  
    - if: $CONTAINER_SCANNING_DISABLED  
      when: never  
    - if: $CI_COMMIT_BRANCH &&  
          $GITLAB_FEATURES =~ /\bcontainer_scanning\b/

问题解决了吗？我也一样error@merla不，我做不到，经过一周的努力，我只是放弃了。请，下次提交后检查后，它已按您的要求正确格式化。

  rules:  
    - if: $CONTAINER_SCANNING_DISABLED  
      when: never  
    - if: $CI_COMMIT_BRANCH &&  
          $GITLAB_FEATURES =~ /\bcontainer_scanning\b/