Contents
Running the scanner in lite SBOM mode
Kaspersky Container Security allows you to start a scanner to check images for vulnerabilities in the lite SBOM mode. In this case, the solution scans a specially created SBOM file, and the results of this scan become available at the CI/CD stage.
Data from listening to and intercepting network traffic must be securely transferred between the CI/CD environment and the solution.
You can generate an artifact for download in the .SPDX, .HTML, .JSON or .CDX format to receive the results.
Scan results can be obtained in the format you specified and can also be viewed in the Resources → CI/CD section.
Running a scanner in GitLab
To start the scanner in lite SBOM mode in GitLab, when configuring image scanning in CI/CD process, edit the .gitlab-ci.yml configuration file as follows:
- Add information about the image of the scanner that is started for image scanning in CI/CD as follows:
scan_image:
stage: scanner
image:
name:repo.cloud.example.com/repository/company/scanner:v.2.0.0-lite
entrypoint: [""]
pull_policy: always
- Specify the orchestration platform tag as follows:
k8s
In the example provided, the
k8s
tag is specified for Kubernetes, you can also specify the tag for another supported orchestration platform. - Specify such variables as the build ID, image registry data of the scanned image and certificate for secure connection to this registry, pipeline ID, and API token for authorization of requests from the CI/CD scanner in Kaspersky Container Security as follows:
SCAN_TARGET: ${CI_REGISTRY_IMAGE}:master
COMPANY_EXT_REGISTRY_USERNAME: ${COMPANY_EXT_REGISTRY_USERNAME}
COMPANY_EXT_REGISTRY_PASSWORD: ${COMPANY_EXT_REGISTRY_PASSWORD}
COMPANY_EXT_REGISTRY_TLS_CERT: ${COMPANY_EXT_REGISTRY_TLS_CERT}
BUILD_NUMBER: ${CI_JOB_ID}
BUILD_PIPELINE: ${CI_PIPELINE_ID}
API_TOKEN:
<API token value>
HTTP_PROXY
–<proxy server for HTTP requests>
HTTPS_PROXY
–<proxy server for HTTPS requests>
NO_PROXY
–<domains or appropriate domain masks to be excluded from proxying>
The details of the certificate for secure connection to the image registry in the
COMPANY_EXT_REGISTRY_TLS_CERT
variable are specified as a string in the .PEM format:
-----BEGIN CERTIFICATE-----\n...
certificate details
> ...\n-----END CERTIFICATE-----
. - If necessary, specify a variable for scanning the API certificate of the solution:
API_CA_CERT: ${KCS_CA_CERT}
If the
API_CA_CERT
variable is not set, scanning will start but will not be completed. - Specify the web address of the API host server for Kaspersky Container Security:
API_BASE_URL:
<web address>
- Specify the command to create an artifact when the scanner is started in one of the following supported formats:
- To generate an artifact in the .JSON format:
script:
- /bin/sh /entrypoint.sh $SCAN_TARGET --stdout > artifact-result.json
artifacts:
paths:
- artifact-result.json
- To generate an artifact in the .HTML format:
script:
- /bin/sh /entrypoint.sh $SCAN_TARGET --html --stdout > artifact-result.html
artifacts:
paths:
- artifact-result.html
- To generate an SBOM artifact in the .SPDX format:
script:
- /bin/sh /entrypoint.sh $SCAN_TARGET --spdx --stdout > artifact-result.spdx
artifacts:
paths:
- artifact-result.spdx
- To generate an SBOM artifact in the .JSON format:
script:
- /bin/sh /entrypoint.sh $SCAN_TARGET --cdx --stdout > artifact-result.cdx.json
artifacts:
paths:
- artifact-result.cdx.json
- To generate an artifact in the .JSON format:
Running a scanner outside of the CI / CD process
In case of limited resources, you can run the Kaspersky Container Security scanner apart from the worker nodes in the CI/CD process. For example, by using the docker run
command on a Docker node, or as a Job in a Kubernetes cluster.
To save resources to the greatest extent possible, we recommend using the scanner: 2.0.0-lite image, as it does not contain vulnerability databases and sends the SBOM file based on the target image scan results to the solution using the API.
To start Kaspersky Container Security scanner outside the CI/CD process, you must specify the following mandatory parameters:
API_TOKEN: <
API token value
>
is the Kaspersky Container Security user token for authentication in the API interface of the solution.API_BASE_URL: <
web address
>
is a link to access the API interface of Kaspersky Container Security. The interface can be accessed using the HTTP and HTTPS protocols, depending on the environment variables of the deployed solution.API_CA_CERT: <
certificate in the .PEM format
>
is a variable for validation of the API certificate of the solution.SKIP_API_SERVER_VALIDATION = true
- a variable that, if necessary, can be specified to skip the validation of the API certificate of Kaspersky Container Security.
You can also specify additional parameters for the scanner operation:
COMPANY_EXT_REGISTRY_USERNAME: <
registry user name
>
is the name of the user of the registry where the image to be checked by the scanner is stored.COMPANY_EXT_REGISTRY_PASSWORD: <
registry user password
>
is the password of the user of the registry where the image to be checked by the scanner is stored.BUILD_NUMBER: <
ID of the build number
>
is the ID that is used to track the build number in the solution interface. Kaspersky Container Security displays the number in the CI\CD process scan results.BUILD_PIPELINE: <
pipeline number ID
>
is the identifier that is used to track the pipeline number in the solution interface. Kaspersky Container Security displays the number in the CI\CD process scan results.HTTP_PROXY: <
proxy server for HTTP requests
>
is a variable that indicates the use of an HTTP proxy server when access to external resources is requiredHTTPS_PROXY: <
proxy server for HTTPS requests
>
is a variable that indicates the use of an HTTPS proxy when access to external resources is requiredNO_PROXY: <
domains or masks corresponding to domains that are used for exclusion from proxying
>
is a variable that indicates the locally available resources if a proxy server is used.
Running the scanner as a Job in a Kubernetes cluster
Page top