Running the scanner in SBOM mode

Kaspersky Container Security allows you to start a scanner to check images for vulnerabilities in SBOM mode. In this case, the solution scans a specially created SBOM file instead of a TAR archive.

The advantages of using SBOM are the following:

• Less resources required to scan images for vulnerabilities.
• Reduced scanning time due to automatic verification of correct operation and proper use of solution components.
• Capability to scan all existing vulnerabilities in an image without exceptions.
• High reliability of scanning results.

In CI/CD, the scanning process consists of two stages: receiving an SBOM file and scanning an image based on the received SBOM file. The image scanning process is implemented as follows:

• The CI/CD scanner generates a list of image components and sends the generated artifact to Kaspersky Container Security.
• Using the image handler, the solution forwards the received SBOM file to the scanner for scanning.

  To scan in SBOM mode, Kaspersky Container Security runs a scanner with pre-installed databases containing information about vulnerabilities and other malicious objects (scanner:v2.0-with-db, scanner:v2.0-with-db-java).

To scan images in CI/CD, you must specify the values of the following environment variables in the file:

• API_TOKEN – the value of the Kaspersky Container Security API token is specified.
• API_BASE_URL – Kaspersky Container Security URL is specified.
• API_CA_CERT – details of the CA certificate of the Ingress controller are specified, which allows the scanner running in CI/CD to verify the authenticity of the data receiving server. If you use a self-signed certificate, or want to skip checking the data receiving server using the CA certificate of the Ingress controller, the value of the variable to skip the check is provided as follows:

  SKIP_API_SERVER_VALIDATION: 'true'

• COMPANY_EXT_REGISTRY_USERNAME – specify the account name in the registry of the scanned image.
• COMPANY_EXT_REGISTRY_PASSWORD – specify the password for the registry of the scanned image.
• COMPANY_EXT_REGISTRY_TLS_CERT – specify details of the certificate for secure connection to the registry.

  The certificate details are specified as a string in the .PEM format:
  -----BEGIN CERTIFICATE-----\n... <certificate details> ...\n-----END CERTIFICATE-----.

• HTTP_PROXY – a proxy server for HTTP requests
• HTTPS_PROXY – a proxy server for HTTPS requests
• NO_PROXY – domains or appropriate domain masks to be excluded from proxying

For subsequent scanning, Kaspersky Container Security generates a report in the CycloneDX format. You can also generate an artifact with SBOM to download within the CI/CD process in the CycloneDX or SPDX format.

To generate an SBOM file in the .SPDX format when the scanner operates with SBOM creation:

Enter the following command in the .gitlab-ci.yml configuration file:

- /bin/sh /entrypoint.sh $SCAN_TARGET --sbom --spdx --stdout > example.spdx

where:

<--sbom> indicates the creation of an SBOM file.

<--spdx> indicates that an artifact is generated in the .SPDX format.

<--stdout > example.spdx> indicates data output to a file in the .SPDX format.

To generate an SBOM file in the .СDX format when the scanner operates with SBOM creation:

Enter the following command in the .gitlab-ci.yml configuration file:

- /bin/sh /entrypoint.sh $SCAN_TARGET --sbom --cdx --stdout > example.cdx.json

where:

<--sbom> indicates the creation of an SBOM file.

<--cdx> indicates that an artifact is generated in the .CDX format.

<--stdout > example.cdx.json> indicates data output to a file in the .JSON format.

The resulting file (for example, example.cdx.json) is specified as an artifact: artifacts: paths:

Scanning using an SBOM file is only applicable when scanning an image for vulnerabilities. If your CI/CD process requires scanning for other risks and threats (such as misconfigurations), you must separately run the corresponding scanning and add its results to the image handler in addition to the SBOM file.

Page top