Kaspersky Container Security
1.0
English

Contents

Integration with CI/CD

Kaspersky Container Security lets you scan images of containers and IaC residing in code repository management systems in the

CI/CD process
to detect vulnerabilities, malware, misconfigurations, and exposed sensitive data.

At the project build stage in the repository management system, you can run the Kaspersky Container Security scanner to check the objects in the repository for compliance with the enabled security policies. The scanner is started from a registry using an Agent, such as GitLab Runner in GitLab. Data on the scan job and sending scan results are forwarded through the application programming interface (API).

When running an object scan during the project build stage, you must make sure that the Fail CI/CD step is not selected in the settings of the applied assurance policy. If this setting is activated, the solution will notify you of an error during the scan.

The scan results are displayed in the list of images in the InventoryCI/CDScanning in CI/CD section.

In this Help section

Image scanning in CI/CD processes

Configuring image and configuration file scan settings

Scanning images from CI/CD
Page top
[Topic 252616]

Image scanning in CI/CD processes

Kaspersky Container Security allows you to scan images that are used in CI/CD. The solution is incorporated into CI/CD as a pipeline stage, where the Kaspersky Container Security Scanner is run.

To scan images from CI/CD, you should configure the integration of Kaspersky Container Security with CI/CD processes.

Kaspersky Container Security performs the following types of scans in CI/CD:

  • Scanning of images in TAR archives A TAR archive is stored as a build artifact that the solution scans in the next build pipeline.
  • Scanning a Git repository, which can be performed in one of the following ways:
    • for a project branch (individual development path) in the Git repository
    • for a commit (state snapshot or checkpoint in the project's timeline)

The scanning results are forwarded to the server and displayed in the Management Console in the ResourcesCI/CD section. The provided table lists the images that were scanned, shows the results of the risk assessment, and indicates the detected vulnerabilities.

You can click the image name link to open a page with detailed information about image scanning results. This page is similar to the page showing the results of registry images scanning.

Kaspersky Container Security also displays the type of artifact for each object. Two main artifacts are used:

  • File system is repository containing configuration files.
  • Container image is a template used for runtime implementation of the container.

The table indicates the build number and build pipeline for each scan object. These parameters can be used to determine the specific stage where the image failed.

For CI/CD images, rescanning is not provided.

Page top
[Topic 260412]

Configuring image and configuration file scan settings

To scan images or repositories (in order to scan configuration files) used in the CI/CD process, add a stage to the CI/CD pipeline that runs the Kaspersky Container Security scanner. The scanning results are forwarded to the Kaspersky Container Security Server and are displayed in the Management console in the ResourcesCI/CD section.

Data from listening to and intercepting network traffic must be securely transferred between the CI/CD environment and the product.

Example of configuring integration with GitLab CI/CD

This example uses a specific scanner image with the built-in vulnerability databases located in the image registry of the Kaspersky Container Security manufacturer.

To use the image scanning feature in the GitLab CI/CD process, you should enable the use of the GitLab Container Registry.

Integration configuration includes the following steps:

  1. Authorization of GitLab CI/CD in the image registry of the Kaspersky Container Security manufacturer.
    1. On the cluster operator's workstation, prepare a Base64 hash of the authorization data by running the following command:

      printf "login:password" | openssl base64 -A

      where login and password are the user name and password of an account in the image registry of the Kaspersky Container Security manufacturer.

    2. In the GitLab CI/CD environment variables, create the DOCKER_AUTH_CONFIG variable (in the GitLab repository select Settings → CI/CD, click the Expand button to expand Variables, and then click the Add variable button).
    3. Specify the variable in the following form:

      {

      "auths": {

      "repo.cloud.tronsec.ru": {

      "auth": "base64hash"

      }

      }

      }

      where base64hash is the string obtained in step 1a.

  2. Authorization of requests from GitLab CI/CD when sending data to Kaspersky Container Security.
    1. On the cluster operator's workstation, prepare a Base64 hash of the authorization data by running the following command:

      printf "login:password" | openssl base64 -A

      where login and password are the user name and password of an account in the image registry of the Kaspersky Container Security manufacturer.

    2. Specify the resulting hash in the API_TOKEN variable in the .gitlab-ci.yml configuration file.
  3. Adding the image scanning stage to the CI/CD process.

    To add scanning to the CI/CD pipeline, you should add the following lines to the .gitlab-ci.yml file:

    1. Add the information about the image for scanning after the build preparation as follows:

      scan_image:

      stage: scanner

      image:

      name: repo.cloud.tronsec.ru/repository/tron-customer/scanner:v1.0.1-with-db

      entrypoint: [""]

    2. Specify the tag and token for authorization of the CI/CD scanner requests to Kaspersky Container Security as follows:

      variables:

      SCAN_TARGET: ${CI_REGISTRY_IMAGE}:master

      API_TOKEN: base64hash

      The example below contains the master tag, you can also specify another tag.

    3. If you configure scanning for a private repository, specify the authorization data to ensure the scanner access to an image. The authorization data can be set as variables.

      TRON_EXT_REGISTRY_USERNAME: ${TRON_EXT_REGISTRY_USERNAME}

      TRON_EXT_REGISTRY_PASSWORD: ${TRON_EXT_REGISTRY_PASSWORD}

    4. Specify the domain name of the Kaspersky Container Security Management console in your corporate network:

      API_BASE_URL: <domain name>

      script:

      - /bin/sh /entrypoint.sh $SCAN_TARGET --stdout > artifact-result.json

      artifacts:

      paths:

      - artifact-result.json

Page top

[Topic 259284]

Scanning images from CI/CD

To scan images from CI/CD, in the configuration file used to integrate the repository, specify the API_BASE_URL (web-address of the Kaspersky Container Security API server) and API_TOKEN (token to access API of the Kaspersky Container Security) environment variables for the scanner.

To scan an image from a TAR archive:

  1. Build an image and save it as a TAR archive using any application for creating containerized images.
  2. Start the scan by running a command in the following format:

    /scanner image.tar --file --stdout

    where:

    • <--file> is the file with the image to be scanned
    • <--stdout> is output to the security event log

    Example of a configuration file with settings for scanning a TAR archive

    stages:

    - build_tar

    - scan_tar

    - push_image

    build_tar:

    stage: build_tar

    tags:

    - k8s

    - docker

    image:

    name: gcr.io/kaniko-project/executor:v1.9.0-debug

    entrypoint: [""]

    dependencies:

    - scan_source_branch

    - scan_source_commit

    script:

    - mkdir -p /kaniko/.docker

    - echo "${DOCKER_AUTH_CONFIG}" > /kaniko/.docker/config.json

    - /kaniko/executor

    --context "${CI_PROJECT_DIR}"

    --dockerfile "${CI_PROJECT_DIR}/Dockerfile"

    --destination "${CI_REGISTRY_IMAGE}:${CI_COMMIT_REF_NAME}"

    --compressed-caching=false

    --build-arg GITLAB_USER=gitlab-ci-token

    --build-arg GITLAB_TOKEN=${CI_JOB_TOKEN}

    --no-push

    --tarPath=image.tar

    artifacts:

    paths:

    - image.tar

    expire_in: 2 hours

    scan_tar:

    stage: scan_tar

    tags:

    - k8s

    - docker

    dependencies:

    - build_tar

    image:

    name: "company.gitlab.cloud.net:5050/companydev/example/scanner:master-with-db"

    pull_policy: always

    entrypoint: [""]

    variables:

    API_BASE_URL: ${API_BASE_URL}

    API_TOKEN: ${API_TOKEN}

    API_CA_CERT: ${KCS_CA_CERT}

    script:

    - /scanner image.tar --file --stdout

    artifacts:

    paths:

    - image.tar

    expire_in: 2 hours

    push_image:

    stage: push_image

    tags:

    - k8s

    image:

    name: gcr.io/go-containerregistry/crane:debug

    entrypoint: [""]

    dependencies:

    - scan_tar

    script:

    - mkdir -p $HOME/.docker

    - echo "${DOCKER_AUTH_CONFIG}" > $HOME/.docker/config.json

    - /ko-app/crane push image.tar "${CI_REGISTRY_IMAGE}:${CI_COMMIT_REF_NAME}"

To scan an image from a Git repository:

  1. In the configuration file of the Git repository, specify the token for accessing the repository (for example, GitLab requires you to indicate a value for GITLAB_TOKEN).
  2. Start scanning by running a command in the following format:

    /scanner [TARGET] [--repo REPO_URL] [--branch BRANCH] [--commit COMMIT] --stdout

    where:

    • <TARGET> is the path to the file with the image to be scanned
    • <--repo> is the web address (URL) of the Git repository
    • <--branch> is the branch of the repository to be scanned
    • <--commit> is the hash of the commit to be scanned
    • <--stdout> is the output to the security event log.

    Example of a configuration file with environment variables for scanning an image from a Git repository

    stages:

    - scan_source_branch

    - scan_source_commit

    scan_source_branch:

    stage: scan_source_branch

    image:

    name: "company.gitlab.cloud.net:5050/companydev/example/scanner:master-with-db"

    pull_policy: always

    entrypoint: [""]

    tags:

    - k8s

    - docker

    variables:

    API_BASE_URL: ${API_BASE_URL}

    API_TOKEN: ${API_TOKEN}

    API_CA_CERT: ${KCS_CA_CERT}

    script:

    - GITLAB_TOKEN=${CI_JOB_TOKEN} /scanner --repo ${CI_REPOSITORY_URL} --branch ${CI_COMMIT_BRANCH} --stdout

    scan_source_commit:

    stage: scan_source_commit

    image:

    name: "company.gitlab.cloud.net:5050/companydev/example/scanner:master-with-db"

    pull_policy: always

    entrypoint: [""]

    tags:

    - k8s

    - docker

    variables:

    API_BASE_URL: ${API_BASE_URL}

    API_TOKEN: ${API_TOKEN}

    API_CA_CERT: ${KCS_CA_CERT}

    script:

    - GITLAB_TOKEN=${CI_JOB_TOKEN} /scanner --repo ${CI_REPOSITORY_URL} --commit ${CI_COMMIT_SHA} --stdout

Page top
[Topic 260433]