Kaspersky Container Security

Running the scanner in lite SBOM mode

Kaspersky Container Security allows you to start a scanner to check images for vulnerabilities in the lite SBOM mode. In this case, the solution scans a specially created SBOM file, and the results of this scan become available at the CI/CD stage.

Data from listening to and intercepting network traffic must be securely transferred between the CI/CD environment and the solution.

You can generate an artifact for download in the .SPDX, .HTML, .JSON or .CDX format to receive the results.

Scan results can be obtained in the format you specified and can also be viewed in the ResourcesCI/CD section.

In this section

Running a scanner in GitLab

Running a scanner outside of the CI / CD process

Page top
[Topic 297412]

Running a scanner in GitLab

To start the scanner in lite SBOM mode in GitLab, when configuring image scanning in CI/CD process, edit the .gitlab-ci.yml configuration file as follows:

  1. Add information about the image of the scanner that is started for image scanning in CI/CD as follows:

    scan_image:

    stage: scanner

    image:

    name:repo.cloud.example.com/repository/company/scanner:v.2.0.0-lite

    entrypoint: [""]

    pull_policy: always

  2. Specify the orchestration platform tag as follows:

    k8s

    In the example provided, the k8s tag is specified for Kubernetes, you can also specify the tag for another supported orchestration platform.

  3. Specify such variables as the build ID, image registry data of the scanned image and certificate for secure connection to this registry, pipeline ID, and API token for authorization of requests from the CI/CD scanner in Kaspersky Container Security as follows:

    SCAN_TARGET: ${CI_REGISTRY_IMAGE}:master

    COMPANY_EXT_REGISTRY_USERNAME: ${COMPANY_EXT_REGISTRY_USERNAME}

    COMPANY_EXT_REGISTRY_PASSWORD: ${COMPANY_EXT_REGISTRY_PASSWORD}

    COMPANY_EXT_REGISTRY_TLS_CERT: ${COMPANY_EXT_REGISTRY_TLS_CERT}

    BUILD_NUMBER: ${CI_JOB_ID}

    BUILD_PIPELINE: ${CI_PIPELINE_ID}

    API_TOKEN: <API token value>

    HTTP_PROXY<proxy server for HTTP requests>

    HTTPS_PROXY<proxy server for HTTPS requests>

    NO_PROXY<domains or appropriate domain masks to be excluded from proxying>

    The details of the certificate for secure connection to the image registry in the COMPANY_EXT_REGISTRY_TLS_CERT variable are specified as a string in the .PEM format:
    -----BEGIN CERTIFICATE-----\n... certificate details > ...\n-----END CERTIFICATE----- .

  4. If necessary, specify a variable for scanning the API certificate of the solution:

    API_CA_CERT: ${KCS_CA_CERT}

    If the API_CA_CERT variable is not set, scanning will start but will not be completed.

  5. Specify the web address of the API host server for Kaspersky Container Security:

    API_BASE_URL: <web address>

  6. Specify the command to create an artifact when the scanner is started in one of the following supported formats:
    • To generate an artifact in the .JSON format:

      script:

      - /bin/sh /entrypoint.sh $SCAN_TARGET --stdout > artifact-result.json

      artifacts:

      paths:

      - artifact-result.json

    • To generate an artifact in the .HTML format:

      script:

      - /bin/sh /entrypoint.sh $SCAN_TARGET --html --stdout > artifact-result.html

      artifacts:

      paths:

      - artifact-result.html

    • To generate an SBOM artifact in the .SPDX format:

      script:

      - /bin/sh /entrypoint.sh $SCAN_TARGET --spdx --stdout > artifact-result.spdx

      artifacts:

      paths:

      - artifact-result.spdx

    • To generate an SBOM artifact in the .JSON format:

      script:

      - /bin/sh /entrypoint.sh $SCAN_TARGET --cdx --stdout > artifact-result.cdx.json

      artifacts:

      paths:

      - artifact-result.cdx.json

Example of the scanner configured to operate in the lite SBOM mode and the artifact generation in the .HTML format in GitLab

scan_image:

stage: scanner

image:

name: repo.cloud.example.com/repository/company/scanner:v.2.0.0-lite

entrypoint: [""]

pull_policy: always

tags:

- k8s

variables:

SCAN_TARGET: ${CI_REGISTRY_IMAGE}:master

COMPANY_EXT_REGISTRY_USERNAME: ${COMPANY_EXT_REGISTRY_USERNAME}

COMPANY_EXT_REGISTRY_PASSWORD: ${COMPANY_EXT_REGISTRY_PASSWORD}

BUILD_NUMBER: ${CI_JOB_ID}

BUILD_PIPELINE: ${CI_PIPELINE_ID}

API_CA_CERT: ${KCS_CA_CERT}

API_TOKEN: <API token value>

# Demostand KCS.int API:

API_BASE_URL: <web address>

script:

- /bin/sh /entrypoint.sh $SCAN_TARGET --html --stdout > artifact-result.html

artifacts:

paths:

- artifact-result.html

Page top

[Topic 301503]

Running a scanner outside of the CI / CD process

In case of limited resources, you can run the Kaspersky Container Security scanner apart from the worker nodes in the CI/CD process. For example, by using the docker run command on a Docker node, or as a Job in a Kubernetes cluster.

To save resources to the greatest extent possible, we recommend using the scanner: 2.0.0-lite image, as it does not contain vulnerability databases and sends the SBOM file based on the target image scan results to the solution using the API.

To start Kaspersky Container Security scanner outside the CI/CD process, you must specify the following mandatory parameters:

  • API_TOKEN: <API token value> is the Kaspersky Container Security user token for authentication in the API interface of the solution.
  • API_BASE_URL: <web address> is a link to access the API interface of Kaspersky Container Security. The interface can be accessed using the HTTP and HTTPS protocols, depending on the environment variables of the deployed solution.
  • API_CA_CERT: <certificate in the .PEM format> is a variable for validation of the API certificate of the solution.
  • SKIP_API_SERVER_VALIDATION = true - a variable that, if necessary, can be specified to skip the validation of the API certificate of Kaspersky Container Security.

You can also specify additional parameters for the scanner operation:

  • COMPANY_EXT_REGISTRY_USERNAME: <registry user name> is the name of the user of the registry where the image to be checked by the scanner is stored.
  • COMPANY_EXT_REGISTRY_PASSWORD: <registry user password> is the password of the user of the registry where the image to be checked by the scanner is stored.
  • BUILD_NUMBER: <ID of the build number> is the ID that is used to track the build number in the solution interface. Kaspersky Container Security displays the number in the CI\CD process scan results.
  • BUILD_PIPELINE: <pipeline number ID> is the identifier that is used to track the pipeline number in the solution interface. Kaspersky Container Security displays the number in the CI\CD process scan results.
  • HTTP_PROXY: <proxy server for HTTP requests> is a variable that indicates the use of an HTTP proxy server when access to external resources is required
  • HTTPS_PROXY: <proxy server for HTTPS requests> is a variable that indicates the use of an HTTPS proxy when access to external resources is required
  • NO_PROXY: <domains or masks corresponding to domains that are used for exclusion from proxying> is a variable that indicates the locally available resources if a proxy server is used.

Running a scanner in Docker

To start the scanner in lite SBOM mode in Docker:

  1. Specify the mandatory parameters for Kaspersky Container Security:

    -e API_TOKEN=<API token value>

    -e API_BASE_URL=https://company.com

    -e API_CA_CERT: <certificate in the .PEM format> or -e SKIP_API_SERVER_VALIDATION=true

  2. If necessary, specify additional parameters for Kaspersky Container Security.
  3. Specify the scanner image to run:

    repo.kcs.company.com/images/scanner:v2.0.0-lite

  4. If you need to generate an artifact for downloading, specify the following:

    --<artifact format --stdout > result.<file format>

    For example:

    --html --stdout > result.html

  5. Make sure that the .docker/config.json configuration file contains data for connection to the image registry with the scanner image. If necessary, run one of the following commands: docker login repo.company.com or docker login repo.kcs.kaspersky.com.
  6. Start scanning.

    If a domain name resolution error - Name does not resolve - appears when calling the scanner, you must specify the address before the API_BASE_URL variable before the internal DNS server of your organization. For example:

    --dns 10.0.xx.x

If the scanner image and image to be scanned are stored in your registry and you need to generate an artifact with the scanner operation results in the .JSON format, scanner starting variables are specified as follows:

docker run --dns 10.0.10.10 \

-e "API_BASE_URL=https://kcs.company.com" \

-e "SKIP_API_SERVER_VALIDATION=true" \

-e "API_TOKEN=${api_token}" \

-e "COMPANY_EXT_REGISTRY_USERNAME=${user}" \

-e "COMPANY_EXT_REGISTRY_PASSWORD=${password}"

repo.company.com/images/scanner:v2.0.0-lite \

repo.company.com/images/alpine:latest --stdout > result.json

If the scanner image is stored in a Kaspersky public registry (the node pulls this image using your proxy server), the scanned image is stored locally on the node as an archive, and you need to generate an artifact with the scanner operation results in the .SPDX format, scanner starting variables are specified as follows:

docker run --dns 10.0.10.10 \

-e "API_BASE_URL=https://kcs.company.com" \

-e "SKIP_API_SERVER_VALIDATION=true" \

-e "API_TOKEN=${api_token}" \

-e "HTTPS_PROXY=http://user:password@client.proxy.com:8080" \

-v ./image_to_scan.tar:/image.tar \

repo.kcs.kaspersky.com/images/scanner:v2.0.0-lite \

image.tar --file --spdx --stdout > result.spdx

Running the scanner as a Job in a Kubernetes cluster

To run the scanner in lite SBOM mode as a Job in a Kubernetes cluster:

  1. Make sure that the node running the commands contains kubectl and configuration file for the corresponding Kubernetes cluster and that they are accessible to the user who runs the commands.
  2. Make sure that a secret exists in the corresponding namespace to authenticate and download the scanner image from the registry you are interested in.

    You can create such a secret yourself, for example, using the following command:

    kubectl create secret docker-registry <secret name> --docker-server=<FQDN of the repository> --docker-username=username --docker-password=password

  3. Specify the values of the mandatory and, if necessary, additional parameters for the scanner to operate as a task in the Kubernetes cluster.

    The parameters are specified in the file for running the scanner in the .YAML format as follows:

    apiVersion: batch/v1

    kind: Job

    metadata:

    name: my-lite-job

    spec:

    template:

    spec:

    containers:

    - name: my-lite-container

    image: repo.company.com/images/scanner:v2.0.0-lite

    command: ["/bin/sh"]

    args: ["entrypoint.sh", "alpine:latest"]

    env:

    - name: COMPANY_EXT_REGISTRY_USERNAME

    value: <user for authentication in the image registry where the image to be scanned is located>

    - name: COMPANY_EXT_REGISTRY_PASSWORD

    value: <password for authentication in the image registry where the image to be scanned is located>

    - name: API_BASE_URL

    value: https://kcs.company.local

    - name: API_TOKEN

    value: <token for authentication in the API of Kaspersky Container Security>

    - name: SKIP_API_SERVER_VALIDATION

    value: 'true'

    imagePullPolicy: Always

    restartPolicy: Never

    imagePullSecrets:

    - name: <name of the secret for authentication and pulling the scanner image>

    backoffLimit: 0

  4. Start scanning in the Kubernetes cluster:

    kubectl apply -f my-lite-job.yaml

Page top
[Topic 301504]