Juan.

Reputation: 782

Adding Container-Scanning to CI in GitLab

So I'm trying to set up Container Scanning in GitLab. I tried many ways but none seems to work; what am I missing?

My gitlab version is: GitLab Community Edition 12.9.4

The gitlab-runner in the machine is: Version: 12.10.2

This is my .gitlab-ci.yml

variables:
  vulnerable_tag: vulnerable
  non_vulnerable_tag: non_vulnerable
  IMAGE_NAME: test
  CLAIR_OUTPUT: High 

stages:
  - build
  - test

build:
  image: docker
  stage: build
  variables:
    IMAGE_NAME: test
    IMAGE_TAG: $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA
  script:
    - uname -a
    - docker build -t $IMAGE_NAME .
    - docker run -d -p 80:80 $IMAGE_NAME 
    - docker ps
    - curl localhost
    - mkdir output
    - echo $IMAGE_NAME"/"$CI_COMMIT_REF_SLUG":"$CI_COMMIT_SHA >> output/file.txt
  tags:
    - testingtag
#  artifacts:
#    paths: 
#      - output/

stop_container:
  stage: test
  script:
    # stops every running container on the runner host, not only the one started above
    - docker stop $(docker ps -q)

It is a simple nginx container that just shows a plain index.html.

What I've tried (everything inside the .gitlab-ci.yml) that didn't work:

include:
  - template: Container-Scanning.gitlab-ci.yml 

This is what the documentation says and how it should work, but it throws an error: This GitLab CI configuration is invalid: Included file `Container-Scanning.gitlab-ci.yml` is empty or does not exist!

include:
 - remote: 'https://gitlab.com/gitlab-org/gitlab/-/raw/master/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml'

This throws no error, but does nothing. (The link is the same Container-Scanning.gitlab-ci.yml but in plaintext.)

And lastly, adding the content of Container-Scanning.gitlab-ci.yml as a job:

# Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/container_scanning/

variables:
  # Setting this variable will affect all Security templates
  # (SAST, Dependency Scanning, ...)
  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"

  CS_MAJOR_VERSION: 2

container_scanning:
  stage: test
  image: $SECURE_ANALYZERS_PREFIX/klar:$CS_MAJOR_VERSION
  variables:
    # By default, use the latest clair vulnerabilities database, however, allow it to be overridden here with a specific image
    # to enable container scanning to run offline, or to provide a consistent list of vulnerabilities for integration testing purposes
    CLAIR_DB_IMAGE_TAG: "latest"
    CLAIR_DB_IMAGE: "$SECURE_ANALYZERS_PREFIX/clair-vulnerabilities-db:$CLAIR_DB_IMAGE_TAG"
    # Override the GIT_STRATEGY variable in your `.gitlab-ci.yml` file and set it to `fetch` if you want to provide a `clair-whitelist.yml`
    # file. See https://docs.gitlab.com/ee/user/application_security/container_scanning/index.html#overriding-the-container-scanning-template
    # for details
    GIT_STRATEGY: none
  allow_failure: true
  services:
    - name: $CLAIR_DB_IMAGE
      alias: clair-vulnerabilities-db
  script:
    - /analyzer run
  artifacts:
    reports:
      container_scanning: gl-container-scanning-report.json
  dependencies: []
  rules:
    - if: $CONTAINER_SCANNING_DISABLED
      when: never
    - if: $CI_COMMIT_BRANCH &&
          $GITLAB_FEATURES =~ /\bcontainer_scanning\b/

The CI just skips this job as if it didn't exist.

Upvotes: 2

Views: 4042

Answers (3)

VonC

Reputation: 1328192

It should work with GitLab 15.0 (May 2022)

Container Scanning available in all tiers

Container Scanning helps developers to easily find known security vulnerabilities in dependencies that are installed in their container images.

With GitLab 15.0, we are making the basic Container Scanning features available in every GitLab tier.

See Documentation and Issue.


However, the following is only for Ultimate Edition with GitLab 15.5 (October 2022)

Operational container scanning

GitLab now officially supports vulnerability scanning of container images in operational or production Kubernetes environments. You can set up scanning either through the configuration file for your GitLab Agent for Kubernetes or by creating a scan execution policy to require scans to run on a regular cadence.

Results are displayed both on the project’s Vulnerability Report page under the Operational Vulnerabilities tab and also on the Infrastructure > Kubernetes clusters > Agent page under the Security tab. To get started, make sure you have installed the GitLab Agent for Kubernetes and that a scan cadence is defined either in the agent configuration file or in a scan execution policy.

https://about.gitlab.com/images/15_5/secure-operational-vulnerabilities.png -- Operational container scanning

See Documentation and Issue.


GitLab 17.7 (Dec. 2024) proposes an experimental feature:

SCA Vulnerability Prioritizer

This experimental feature is another step in helping users prioritize vulnerabilities identified during Dependency Scanning or Container Scanning. Users may include this CI/CD component in their .gitlab-ci.yml file, which will generate a prioritization report for vulnerabilities found in the project. The report will print to the pipeline output.

The component queries the GitLab GraphQL API to retrieve vulnerability data and prioritizes as follows:

  1. Vulnerabilities with known exploits (KEV) are the top priority.
  2. Vulnerabilities with high EPSS scores.
  3. Higher severity vulnerabilities.

Only detected and confirmed vulnerabilities are shown. Currently, the component relies on EPSS and KEV data to help prioritize vulnerabilities. EPSS and KEV data are only found on CVEs, which are collected through dependency and container scanning. To learn more, please refer to the Vulnerability Prioritizer.

As always, we welcome your feedback. Please add any questions or comments to the feedback issue.

Upvotes: 0

bc abc

Reputation: 11

If you check the path of the template, it includes Security, so the following code should work:

include:
  - template: Security/Container-Scanning.gitlab-ci.yml 

Upvotes: 1

Vince

Reputation: 11

GitLab community edition does not include the container scanning feature. Currently it is only available in Ultimate and Gold subscriptions as noted at the top of this page.

Also, this part of the CI config tells GitLab to skip the entire scanning step if the container scanning feature is not detected, which it won't be, because you are running the Community Edition:

  rules:
    - if: $CONTAINER_SCANNING_DISABLED
      when: never
    - if: $CI_COMMIT_BRANCH &&
          $GITLAB_FEATURES =~ /\bcontainer_scanning\b/

Upvotes: 1
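Putting the two answers above together (the correct `Security/` include path, and the `rules` clause that skips the job when `$GITLAB_FEATURES` lacks `container_scanning`), here is an added example `.gitlab-ci.yml`. It is not the question's file and not GitLab's template; it shows what the question's pipeline is missing in practice: the image has to be pushed to the project registry so that the separate scanner job can pull it, and the template's `rules` have to be overridden on Community Edition or the job never runs. Assumptions, marked in the comments: the `testingtag` runner can reach a Docker daemon (as in the question) and can run the analyzer image, i.e. it uses the Docker executor; the klar-based template of that era reads the image to scan from `DOCKER_IMAGE` and logs in with `CI_REGISTRY_USER`/`CI_REGISTRY_PASSWORD` (variable names taken from the container scanning documentation of the 12.x line, assumed here, not confirmed by the page).

```yaml
# Added example, not the question's or GitLab's own file.
include:
  - template: Security/Container-Scanning.gitlab-ci.yml   # path includes "Security/"

stages:
  - build
  - test

variables:
  # Assumption: the klar analyzer (CS_MAJOR_VERSION 2) scans the image named in
  # DOCKER_IMAGE and authenticates to the registry with the job's
  # CI_REGISTRY_USER / CI_REGISTRY_PASSWORD by default.
  DOCKER_IMAGE: $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA
  CLAIR_OUTPUT: High

build:
  stage: build
  image: docker                     # assumes the runner provides a Docker daemon, as in the question
  script:
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
    - docker build -t "$DOCKER_IMAGE" .
    # The scanner runs in its own job/container; a locally tagged image such as
    # `docker build -t test .` is invisible to it, so push to the registry.
    - docker push "$DOCKER_IMAGE"
  tags:
    - testingtag

# Redefining a job that the include already defined overrides only the keys
# listed here; everything else (image, services, script, report) comes from the template.
container_scanning:
  # The template's second rule also requires
  #   $GITLAB_FEATURES =~ /\bcontainer_scanning\b/
  # which is never satisfied on Community Edition, so drop that condition.
  rules:
    - if: $CONTAINER_SCANNING_DISABLED
      when: never
    - if: $CI_COMMIT_BRANCH
  # Overriding `artifacts` replaces the whole key, so restate the report entry and
  # additionally expose the JSON as a plain artifact so it can be downloaded on CE,
  # where there is no Security Dashboard or merge request widget to display it.
  artifacts:
    paths:
      - gl-container-scanning-report.json
    reports:
      container_scanning: gl-container-scanning-report.json
  tags:
    - testingtag
```

With this file the `container_scanning` job appears in the pipeline, pulls `$DOCKER_IMAGE` from the project registry, queries the Clair vulnerability database service defined by the template and writes `gl-container-scanning-report.json`. The job keeps the template's `allow_failure: true`, so findings do not fail the pipeline; if you want a gate, inspect the JSON in a later job. Note that on a shell executor the `image:` keys are ignored and the analyzer cannot run, which is why a Docker executor is assumed above.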
