Kaspersky Container Security allows you to start a scanner to check images for vulnerabilities in SBOM mode. In this case, the solution scans a specially created SBOM file instead of a TAR archive.
The advantages of using SBOM are the following:
In CI/CD, the scanning process consists of two stages: receiving an SBOM file and scanning an image based on the received SBOM file. The image scanning process is implemented as follows:
For subsequent scanning, Kaspersky Container Security generates an SBOM file in the CycloneDX format. You can also generate an artifact to download within the CI/CD process in the SPDX format.
To generate an SBOM file in the .SPDX format when the scanner operates with SBOM creation:
Enter the following command in the .gitlab-ci.yml configuration file:
- /bin/sh /entrypoint.sh $SCAN_TARGET --sbom-json --spdx --stdout > example.spdx
where:
<--sbom-json> indicates the creation of an SBOM file.
<--spdx> indicates that an artifact is generated in the .SPDX format.
<--stdout > example.spdx> indicates data output to a file in the .SPDX format.
To generate an SBOM file in the .JSON format when the scanner operates with SBOM creation:
Enter the following command in the .gitlab-ci.yml configuration file:
- /bin/sh /entrypoint.sh $SCAN_TARGET --sbom-json --stdout > example.json
where:
<--sbom-json> indicates the creation of an SBOM file.
<--stdout > example.json> indicates data output to a file in .JSON format.
The resulting file (for example, example.json) is specified as an artifact: artifacts: paths:
Scanning using an SBOM file is only applicable when scanning an image for vulnerabilities. If your CI/CD process requires scanning for other risks and threats (such as misconfigurations), you must separately run the corresponding scanning and add its results to the image handler in addition to the SBOM file.
Page top