GitLab example for the new scan engine (#23)

manuelbcd · web-flow · commit 0fac090f1fea · 2022-08-31T16:22:04.000+02:00
* Add new scan pipeline for GitLab and reorganize folders

* Documentation

* Fix documentation (last)

* Update index.md
diff --git a/.gitignore b/.gitignore
@@ -1 +1,3 @@
 docs/_site/**
+
+.DS_Store
diff --git a/docs/index.md b/docs/index.md
@@ -136,7 +136,7 @@ In this [repository](https://github.com/sysdiglabs/secure-inline-scan-examples/)
   * [Build and scan](https://github.com/sysdiglabs/secure-inline-scan-examples/tree/main/jenkins/jenkins-build-and-scan)
   * [Build, push and scan from repository](https://github.com/sysdiglabs/secure-inline-scan-examples/tree/main/jenkins/jenkins-build-push-scan-from-repo)
   * [Build, push and scan using Openshift internal registry](https://github.com/sysdiglabs/secure-inline-scan-examples/tree/main/jenkins/jenkins-openshift-internal-registry)
-* [Gitlab](https://github.com/sysdiglabs/secure-inline-scan-examples/tree/main/gitlab)
+* GitLab with the [new scan engine](https://github.com/sysdiglabs/secure-inline-scan-examples/tree/main/gitlab/new-scan-engine), or using the [legacy engine](https://github.com/sysdiglabs/secure-inline-scan-examples/tree/main/gitlab/old-scan-engine)
 * [GitHub](https://github.com/sysdiglabs/secure-inline-scan-examples/tree/main/github)
 * [Tekton](https://github.com/sysdiglabs/secure-inline-scan-examples/tree/main/tekton)
   * [Tekton alpha API](https://github.com/sysdiglabs/secure-inline-scan-examples/tree/main/tekton/alpha)
diff --git a/gitlab/new-scan-engine/.gitlab-ci.yml b/gitlab/new-scan-engine/.gitlab-ci.yml
@@ -0,0 +1,53 @@
+variables:
+  SYSDIG_SECURE_ENDPOINT: "https://us2.app.sysdig.com"
+  CI_REGISTRY_HOST: "docker.io"
+  CI_REGISTRY_NAME: "my-registry"
+  CI_IMAGE_NAME: "my-image"
+  CI_IMAGE_TAG: "my-tag"
+
+stages:
+  - build
+  - scan
+  - push
+
+image:build:
+  stage: build
+  image:
+    name: gcr.io/kaniko-project/executor:debug
+    entrypoint: [""]
+  script:
+    - /kaniko/executor --dockerfile Dockerfile --destination $CI_REGISTRY_HOST/$CI_REGISTRY_NAME/$CI_IMAGE_NAME:$CI_IMAGE_TAG --no-push --oci-layout-path $(pwd)/build/ --tarPath $(pwd)/build/$CI_IMAGE_TAG.tar
+  artifacts:
+    paths:
+      - build/
+    expire_in: 1 days
+
+image:scan:
+  stage: scan
+  before_script:
+    - export SECURE_API_TOKEN=$SYSDIG_SECURE_TOKEN
+  script:
+    - mkdir reports
+    - curl -LO https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/$(curl -L -s https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt)/linux/amd64/sysdig-cli-scanner
+    - chmod +x ./sysdig-cli-scanner
+    - ./sysdig-cli-scanner --console-log  --apiurl $SYSDIG_SECURE_ENDPOINT file://$(pwd)/build/$CI_IMAGE_TAG.tar
+  artifacts:
+    paths:
+      - reports
+      - build/
+    expire_in: 1 days
+    when: always
+  needs:
+    - image:build
+
+image:push:
+  stage: push
+  image:
+    name: gcr.io/go-containerregistry/crane:debug
+    entrypoint: [""]
+  script:
+    - crane auth login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY_HOST
+    - crane push build/$CI_IMAGE_TAG.tar $CI_REGISTRY_HOST/$CI_REGISTRY_NAME/$CI_IMAGE_NAME:$CI_IMAGE_TAG
+  needs:
+    - image:scan
+
diff --git a/gitlab/new-scan-engine/Dockerfile b/gitlab/new-scan-engine/Dockerfile
diff --git a/gitlab/new-scan-engine/README.md b/gitlab/new-scan-engine/README.md
@@ -0,0 +1,44 @@
+# GitLab CI Demo
+
+In this demo we will use GitLab pipelines. We will need to split this pipeline into three different jobs
+1. Kaniko: Tool used to build docker image
+2. Sysdig-cli-scanner: Scan docker images for vulnerabilities using the new scan engine developed by Sysding in 2022
+3. Crane: Push container image to a remote registry
+
+## Setup
+In GitLab repo settings add variables
+`CI_REGISTRY_USER`: Docker username
+`CI_REGISTRY_PASSWORD`: Docker user password
+`SYSDIG_SECURE_TOKEN`: Sysdig Token
+
+Modify the gitlab-ci.yml file to build the image
+```
+  CI_REGISTRY_HOST: "docker.io"
+  CI_REGISTRY_NAME: my-registry
+  CI_IMAGE_NAME: "my-image"
+  CI_IMAGE_TAG: "latest"
+```
+
+The variables are to build the full image url
+`$CI_REGISTRY_HOST/$CI_REGISTRY_NAME/$CI_IMAGE_NAME:$CI_IMAGE_TAG`
+We would expect
+`docker.io/my-registry/my-image:latest`
+
+## Understanding the stages
+In order to get around using Docker in docker, these additional stages are necessary
+
+There are three pipeline stages
+1. Build
+2. Scan
+3. Push
+
+### Build
+The build stage is using Kaniko. We use a method to build the container to an oci format tarball, saved to the current working directory in `build/` directory. It is not pushed to a remote registry.
+We then save the `build/` directory as an artifact.
+
+### Scan
+The scan stage is using `sysdig-cli-scanner`. This stage uses a the latest Sysdig scanning method documented here [Sysdig Secure - Vulnerabilities](https://docs.sysdig.com/en/docs/sysdig-secure/vulnerabilities/pipeline/)
+We then save the `build/` directory as an artifact for the next step as well as the `report/` directory to review the PDF scan results later.
+
+### Push
+The push stage is using `crane`. It simply authenticates to your docker registry and pushes the conatiner from the Build stage to the remote registry
diff --git a/gitlab/old-scan-engine/.gitlab-ci.yml b/gitlab/old-scan-engine/.gitlab-ci.yml
diff --git a/gitlab/old-scan-engine/Dockerfile b/gitlab/old-scan-engine/Dockerfile
@@ -0,0 +1 @@
+FROM alpine
diff --git a/gitlab/old-scan-engine/README.md b/gitlab/old-scan-engine/README.md
@@ -1,11 +1,13 @@
 # GitLab CI Demo - No DinD
 
+> :warning: **Outdated example**: This example is using the legacy scan engine. Please use the [latest example for the new scan engine](../new-scan-engine/README.md) instead.
+
 ![Gitlab job](gitlab.png)
 
 In this demo we will use GitLab pipelines without requiring privileged containers, or docker in docker.
 We will need to split this pipeline into three different jobs
 1. Kaniko: Tool used to build docker image
-2. Sysdig-inline-scan: Scan docker images for vulnerabilities
+2. Sysdig-inline-scan (deprecated): Scan docker images for vulnerabilities
 3. Crane: Push container image to a remote registry
 
 ## Setup
@@ -40,7 +42,7 @@ The build stage is using Kaniko. We use a method to build the container to an oc
 We then save the `build/` directory as an artifact.
 
 ### Scan
-The scan stage is using `sysdig-inline-scan:2`. This stage uses a newer Sysdig scanning method without the docker daemon dependencies.
+The scan stage is using `sysdig-inline-scan:2` (deprecated). This stage uses a scanning method without the docker daemon dependencies ([Documentation](https://docs.sysdig.com/en/docs/sysdig-secure/scanning/integrate-with-cicd-tools/)).
 We then save the `build/` directory as an artifact for the next step as well as the `report/` directory to review the PDF scan results later.
 
 ### Push
diff --git a/gitlab/old-scan-engine/gitlab.png b/gitlab/old-scan-engine/gitlab.png
