Tutorial: Scan a Docker container for vulnerabilities
DETAILS:
Tier: Free, Premium, Ultimate
Offering: GitLab.com, Self-managed, GitLab Dedicated
You can use container scanning to check for vulnerabilities in container images stored in the container registry.
Container scanning configuration is added to the pipeline configuration of a project. In this tutorial, you:
- Create a new project.
- Add a Dockerfile file to the project. This Dockerfile contains minimal configuration required to create a Docker image.
- Create pipeline configuration for the new project to create a Docker image from the Dockerfile, build and push a Docker image to the container registry, and then scan the Docker image for vulnerabilities.
- Check for reported vulnerabilities.
- Update the Docker image and scan the updated image.
Create a new project
To create the new project:
- On the left sidebar, at the top, select Create new (+) and New project/repository.
- Select Create blank project.
- In Project name, enter Tutorial container scanning project.
- In Project URL, select a namespace for the project.
- Select Create project.
Add a Dockerfile to new project
To provide something for container scanning to work on, create a Dockerfile with very minimal configuration:
- In your Tutorial container scanning project project, select (+) > New file.
- Enter the filename Dockerfile, and provide the following contents for the file:

      FROM hello-world:latest

  Docker images created from this Dockerfile are based on the hello-world Docker image.
- Select Commit changes.
Create pipeline configuration
Now you're ready to create pipeline configuration. The pipeline configuration:
- Builds a Docker image from the Dockerfile file, and pushes the Docker image to the container registry. The build-image job uses Docker-in-Docker as a CI/CD service to build the Docker image. You can also use kaniko to build Docker images in a pipeline.
- Includes the Container-Scanning.gitlab-ci.yml template, to scan the Docker image stored in the container registry.
To create the pipeline configuration:
- In the root directory of your project, select (+) > New file.
- Enter the filename .gitlab-ci.yml, and provide the following contents for the file:

      include:
        - template: Jobs/Container-Scanning.gitlab-ci.yml

      container_scanning:
        variables:
          CS_IMAGE: $CI_REGISTRY_IMAGE/tutorial-image

      build-image:
        image: docker:24.0.2
        stage: build
        services:
          - docker:24.0.2-dind
        script:
          - docker build --tag $CI_REGISTRY_IMAGE/tutorial-image --file Dockerfile .
          - docker login --username gitlab-ci-token --password $CI_JOB_TOKEN $CI_REGISTRY
          - docker push $CI_REGISTRY_IMAGE/tutorial-image

- Select Commit changes.
You're almost done. After you commit the file, a new pipeline starts with this configuration. When it's finished, you can check the results of the scan.
Check for reported vulnerabilities
Vulnerabilities for a scan are located on the pipeline that ran the scan. To check for reported vulnerabilities:
- Select CI/CD > Pipelines and select the most recent pipeline. This pipeline should consist of a job called container_scanning in the test stage.
- If the container_scanning job was successful, select the Security tab. If any vulnerabilities were found, they are listed on that page.
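To review the same findings outside the UI, the following added example (not part of the original tutorial and not GitLab's own code) summarizes a container scanning report by severity and applies a simple pass/fail gate. It assumes the job's JSON report artifact (gl-container-scanning-report.json) holds a vulnerabilities array whose entries carry severity, identifiers, and location.dependency fields; the function names, sample data, and placeholder identifiers are constructed for illustration.

```python
import json
from collections import Counter

SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "Info", "Unknown"]

def _finding(severity, cve, package, version):
    # Helper that builds one constructed finding in the assumed report shape.
    entry = {"identifiers": [{"type": "cve", "name": cve}],
             "location": {"dependency": {"package": {"name": package}, "version": version}}}
    if severity is not None:
        entry["severity"] = severity
    return entry

# Constructed sample, not real scan output; identifiers are placeholders.
SAMPLE_REPORT = json.dumps({"vulnerabilities": [
    _finding("Low", "CVE-PLACEHOLDER-0002", "zlib", "0.0.0-sample"),
    _finding("High", "CVE-PLACEHOLDER-0001", "openssl", "0.0.0-sample"),
    _finding(None, "CVE-PLACEHOLDER-0003", "busybox", "0.0.0-sample"),
]})
# A report with no findings, as expected for an image based on hello-world:latest.
EMPTY_REPORT = json.dumps({"vulnerabilities": []})

def summarize(report_text):
    """Return (Counter of severities, finding rows sorted most severe first)."""
    rows = []
    for vuln in json.loads(report_text).get("vulnerabilities", []):
        severity = vuln.get("severity", "Unknown")
        if severity not in SEVERITY_ORDER:  # missing or unexpected value
            severity = "Unknown"
        dep = vuln.get("location", {}).get("dependency", {})
        ids = [i.get("name", "?") for i in vuln.get("identifiers", [])]
        rows.append((severity, dep.get("package", {}).get("name", "?"),
                     dep.get("version", "?"), ids[0] if ids else "?"))
    rows.sort(key=lambda r: (SEVERITY_ORDER.index(r[0]), r[1]))
    return Counter(r[0] for r in rows), rows

def passes_gate(counts, blocking=("Critical", "High")):
    """True when no finding has one of the blocking severities."""
    return not any(counts.get(level, 0) for level in blocking)

if __name__ == "__main__":
    for text in (SAMPLE_REPORT, EMPTY_REPORT):
        counts, rows = summarize(text)
        for row in rows:
            print("{:<9} {:<10} {:<14} {}".format(*row))
        print(dict(counts), "PASS" if passes_gate(counts) else "FAIL")
```

Findings with a missing or unrecognized severity are counted as Unknown and do not block the gate unless you add Unknown to the blocking list.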
Update the Docker image
A Docker image based on hello-world:latest is unlikely to show any vulnerabilities. For an example of a scan that reports vulnerabilities:
- In the root directory of your project, select the existing Dockerfile file.
- Select Edit.
- Replace FROM hello-world:latest with a different Docker image for the FROM instruction. The best Docker images to demonstrate container scanning have:
  - Operating system packages. For example, from Debian, Ubuntu, Alpine, or Red Hat.
  - Programming language packages. For example, NPM packages or Python packages.
- Select Commit changes.
After you commit changes to the file, a new pipeline starts with this updated Dockerfile. When it's finished, you can check the results of the new scan.