Running the scanner in lite SBOM mode
Kaspersky Container Security allows you to start a scanner that checks images for vulnerabilities in the lite SBOM mode. In this mode, the solution scans a specially created SBOM file, and the results of this scan become available at the CI/CD stage.
Network traffic between the CI/CD environment and the solution can be listened to and intercepted, so the data must be transferred securely.
To receive the results, you can generate an artifact for download in the .SPDX, .HTML, or .JSON format.
Running a scanner in GitLab
To start the scanner in lite SBOM mode in GitLab, when configuring image scanning in the CI/CD process, edit the .gitlab-ci.yml configuration file as follows:
- Add information about the scanner image that is started for image scanning in CI/CD:
  scan_image:
    stage: scanner
    image:
      name: repo.cloud.example.com/repository/company/scanner:v.1.2-lite
      entrypoint: [""]
      pull_policy: always
- Specify the orchestration platform tag:
    tags:
      - k8s
  In the example provided, the k8s tag is specified for Kubernetes; you can also specify the tag for another supported orchestration platform.
- Specify variables such as the build ID, private repository details, pipeline ID and the API token that authorizes the CI/CD scanner's requests to Kaspersky Container Security:
    variables:
      SCAN_TARGET: ${CI_REGISTRY_IMAGE}:master
      COMPANY_EXT_REGISTRY_USERNAME: ${COMPANY_EXT_REGISTRY_USERNAME}
      COMPANY_EXT_REGISTRY_PASSWORD: ${COMPANY_EXT_REGISTRY_PASSWORD}
      BUILD_NUMBER: ${CI_JOB_ID}
      BUILD_PIPELINE: ${CI_PIPELINE_ID}
      API_TOKEN: <API token value>
  Do not store the API token and the registry password as literals in .gitlab-ci.yml: define them as masked (and, where possible, protected) CI/CD variables in GitLab and reference them by name, as is done for the registry credentials above.
- If necessary, specify a variable so that the data receiving server is verified in CI/CD using the CA certificate of the Ingress controller:
      API_CA_CERT: ${KCS_CA_CERT}
  If the API_CA_CERT variable is not set, scanning will start but will not be completed.
- Specify the web address of the API host server for Kaspersky Container Security:
      API_BASE_URL: <web address>
- Specify the command that creates the SBOM file when the scanner is started, in one of the following supported formats:
  - To generate an artifact in the .JSON format:
    script:
      - /bin/sh /entrypoint.sh $SCAN_TARGET --stdout > artifact-result.json
    artifacts:
      paths:
        - artifact-result.json
  - To generate an artifact in the .HTML format:
    script:
      - /bin/sh /entrypoint.sh $SCAN_TARGET --html --stdout > artifact-result.html
    artifacts:
      paths:
        - artifact-result.html
  - To generate an artifact in the .SPDX format:
    script:
      - /bin/sh /entrypoint.sh $SCAN_TARGET --spdx --stdout > artifact-result.spdx
    artifacts:
      paths:
        - artifact-result.spdx

Example of the scanner configured to operate in the lite SBOM mode and the artifact generation in the .HTML format in GitLab
scan_image:
  stage: scanner
  image:
    name: repo.cloud.example.com/repository/company/scanner:v.1.2-lite
    entrypoint: [""]
    pull_policy: always
  tags:
    - k8s
  variables:
    SCAN_TARGET: ${CI_REGISTRY_IMAGE}:master
    COMPANY_EXT_REGISTRY_USERNAME: ${COMPANY_EXT_REGISTRY_USERNAME}
    COMPANY_EXT_REGISTRY_PASSWORD: ${COMPANY_EXT_REGISTRY_PASSWORD}
    BUILD_NUMBER: ${CI_JOB_ID}
    BUILD_PIPELINE: ${CI_PIPELINE_ID}
    API_CA_CERT: ${KCS_CA_CERT}
    API_TOKEN: <API token value>
    # Demo stand KCS.int API:
    API_BASE_URL: <web address>
  script:
    - /bin/sh /entrypoint.sh $SCAN_TARGET --html --stdout > artifact-result.html
  artifacts:
    paths:
      - artifact-result.html
Running a scanner in Docker
To start the scanner in lite SBOM mode in Docker, assemble the docker run command as follows:
- Specify the web address of the API host server for Kaspersky Container Security:
  -e API_BASE_URL=https://company.local
- Specify the value of the variable to skip verification of the data receiving server using the CA certificate of the Ingress controller:
  -e SKIP_API_SERVER_VALIDATION=true
  With this value the scanner does not verify the TLS certificate of the API host server, so a host on the path to that server could impersonate it; use it only on a network you trust, and prefer verification with the CA certificate where you can.
- Specify the API token for authorization of the CI/CD scanner requests to Kaspersky Container Security:
  -e API_TOKEN=<API token value>
- Specify the scanner image, followed by the image to scan:
  repo.kcs.company.com/images/scanner:v1.2-lite <image to scan>
- If you need to generate an artifact for download in the .SPDX, .HTML, or .JSON format, append the format flag and redirect the output to a file:
  <artifact format flag> --stdout > result.<file format>
  For example:
  --html --stdout > result.html
- Press the Enter key to start the scanner.
If a domain name resolution error (Name does not resolve) appears when the scanner is called, specify the address of your organization's internal DNS server with the --dns option, placed before the API_BASE_URL variable. For example:
  --dns 10.0.xx.x -e API_BASE_URL=https://company.local/

Example of a Jenkins pipeline that starts the scanner in Docker in the lite SBOM mode and generates the artifact in the .JSON format
pipeline {
  agent any
  stages {
    stage('run scanner') {
      steps {
        // Log in to the registry that hosts the scanner image. LOGIN and PASS are
        // expanded by the shell from the job environment; --password-stdin keeps
        // the password out of the command line and process listings.
        sh 'echo "$PASS" | docker login -u "$LOGIN" --password-stdin company.example.com'
        // Scan alpine:latest and write the JSON artifact into the workspace.
        sh 'docker run --dns 10.0.10.10 -e API_BASE_URL=https://kcs.int.company.com -e SKIP_API_SERVER_VALIDATION=true -e API_TOKEN=${API_TOKEN} repo.kcs.company.com/images/scanner:v1.2-lite alpine:latest --stdout > result.json'
      }
    }
    stage('archive') {
      steps {
        archiveArtifacts artifacts: 'result.json'
      }
    }
  }
}
Scan results can be obtained in the format you specified and can also be viewed in the Resources → CI/CD section.
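The Docker procedure above, collected into a small POSIX sh wrapper that a pipeline step can call. This is an added example for this page, not code from Kaspersky Container Security or its documentation. It uses only the variable names and flags shown on this page (API_BASE_URL, API_TOKEN, API_CA_CERT, SKIP_API_SERVER_VALIDATION, --html, --spdx, --stdout, --dns); the scanner image name is the page's placeholder and must be replaced; the kcs_* function names are mine, and it is an assumption that the scanner honours API_CA_CERT when run in Docker the same way it does in the GitLab job. Two points the wrapper adds: it passes the token and certificate with `-e NAME` (value taken from the exported environment) so secrets never appear in the docker command line, and it refuses to start when neither API_CA_CERT nor SKIP_API_SERVER_VALIDATION=true is set, since such a scan starts but never completes.

```shell
#!/bin/sh
# Added example: wrapper around the "docker run" invocation of the lite SBOM
# scanner. Not part of Kaspersky Container Security or its documentation.
# Variable and flag names are the ones shown on this page; the scanner image
# is the page's placeholder and must be replaced; kcs_* names are ours.

# Map a requested artifact format to the scanner flag.
# JSON is the default output and needs no flag.
kcs_format_flag() {
    case "$1" in
        json) printf '' ;;
        html) printf '%s' '--html' ;;
        spdx) printf '%s' '--spdx' ;;
        *)    printf 'unsupported artifact format: %s\n' "$1" >&2; return 1 ;;
    esac
}

# Assemble (print, do not run) the docker command for one scan.
# Usage: kcs_scan_cmd <image to scan> <json|html|spdx> [<internal DNS server>]
# Needs API_BASE_URL and API_TOKEN, plus API_CA_CERT (preferred; assumed to be
# honoured in Docker mode as in the GitLab job) or SKIP_API_SERVER_VALIDATION=true.
# SCANNER_IMAGE overrides the placeholder scanner image.
kcs_scan_cmd() {
    target=$1
    fmt=$2
    dns=${3:-}
    flag=$(kcs_format_flag "$fmt") || return 1
    [ -n "${API_BASE_URL:-}" ] || { echo 'API_BASE_URL is required' >&2; return 1; }
    [ -n "${API_TOKEN:-}" ]    || { echo 'API_TOKEN is required' >&2; return 1; }
    # Without a CA certificate the scan starts but never completes, so demand
    # either the certificate or an explicit opt-out from TLS validation.
    if [ -z "${API_CA_CERT:-}" ] && [ "${SKIP_API_SERVER_VALIDATION:-}" != "true" ]; then
        echo 'set API_CA_CERT (preferred) or SKIP_API_SERVER_VALIDATION=true' >&2
        return 1
    fi
    image=${SCANNER_IMAGE:-repo.kcs.company.com/images/scanner:v1.2-lite}
    cmd='docker run --rm'
    # --dns only for the "Name does not resolve" case, placed before API_BASE_URL.
    if [ -n "$dns" ]; then
        cmd="$cmd --dns $dns"
    fi
    # "-e NAME" without "=value" forwards the exported value, so the token
    # never appears in the docker command line or in process listings.
    cmd="$cmd -e API_BASE_URL -e API_TOKEN"
    if [ -n "${API_CA_CERT:-}" ]; then
        cmd="$cmd -e API_CA_CERT"
    else
        cmd="$cmd -e SKIP_API_SERVER_VALIDATION=true"
    fi
    cmd="$cmd $image $target${flag:+ $flag} --stdout > result.$fmt"
    printf '%s\n' "$cmd"
}

# Run the assembled command; with KCS_DRY_RUN set, only print it.
kcs_scan_run() {
    cmd=$(kcs_scan_cmd "$@") || return 1
    # Safe to log: the command contains variable names, not their values.
    printf 'running: %s\n' "$cmd" >&2
    if [ -n "${KCS_DRY_RUN:-}" ]; then
        return 0
    fi
    # docker reads "-e NAME" values from its own environment, so export them.
    export API_BASE_URL API_TOKEN API_CA_CERT
    eval "$cmd"
}
```

A typical pipeline step sets API_BASE_URL, API_TOKEN and API_CA_CERT from the CI secret store and calls `kcs_scan_run alpine:latest json 10.0.10.10`; with KCS_DRY_RUN=1 the step only logs the command it would run, which is a convenient way to confirm that no secret value has leaked into it.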