Kaspersky Container Security 1.1 Help
Scanning images from CI/CD
To scan images from CI/CD, set two environment variables for the scanner in the configuration file used to integrate the repository: API_BASE_URL (the web address of the Kaspersky Container Security API server) and API_TOKEN (the token used to access the Kaspersky Container Security API).
To scan an image from a TAR archive:
- Build an image and save it as a TAR archive using any application for creating containerized images.
- Start the scan by running a command in the following format:
  /scanner image.tar --file --stdout
  where:
  - --file indicates that the argument is the file containing the image to be scanned
  - --stdout sends the output to the security event log
Example of a configuration file with settings for scanning a TAR archive:

stages:
  - build_tar
  - scan_tar
  - push_image

build_tar:
  stage: build_tar
  tags:
    - k8s
    - docker
  image:
    name: gcr.io/kaniko-project/executor:v1.9.0-debug
    entrypoint: [""]
  dependencies:
    - scan_source_branch
    - scan_source_commit
  script:
    - mkdir -p /kaniko/.docker
    - echo "${DOCKER_AUTH_CONFIG}" > /kaniko/.docker/config.json
    - /kaniko/executor
      --context "${CI_PROJECT_DIR}"
      --dockerfile "${CI_PROJECT_DIR}/Dockerfile"
      --destination "${CI_REGISTRY_IMAGE}:${CI_COMMIT_REF_NAME}"
      --compressed-caching=false
      --build-arg GITLAB_USER=gitlab-ci-token
      --build-arg GITLAB_TOKEN=${CI_JOB_TOKEN}
      --no-push
      --tarPath=image.tar
  artifacts:
    paths:
      - image.tar
    expire_in: 2 hours

scan_tar:
  stage: scan_tar
  tags:
    - k8s
    - docker
  dependencies:
    - build_tar
  image:
    name: "company.gitlab.cloud.net:5050/companydev/example/scanner:master-with-db"
    pull_policy: always
    entrypoint: [""]
  variables:
    API_BASE_URL: ${API_BASE_URL}
    API_TOKEN: ${API_TOKEN}
    API_CA_CERT: ${KCS_CA_CERT}
  script:
    - /scanner image.tar --file --stdout
  artifacts:
    paths:
      - image.tar
    expire_in: 2 hours

push_image:
  stage: push_image
  tags:
    - k8s
  image:
    name: gcr.io/go-containerregistry/crane:debug
    entrypoint: [""]
  dependencies:
    - scan_tar
  script:
    - mkdir -p $HOME/.docker
    - echo "${DOCKER_AUTH_CONFIG}" > $HOME/.docker/config.json
    - /ko-app/crane push image.tar "${CI_REGISTRY_IMAGE}:${CI_COMMIT_REF_NAME}"
To scan an image from a Git repository:
- In the configuration file of the Git repository, specify the token for accessing the repository (for example, GitLab requires a value for GITLAB_TOKEN).
- Start the scan by running a command in the following format:
  /scanner [TARGET] [--repo REPO_URL] [--branch BRANCH] [--commit COMMIT] --stdout
  where:
  - TARGET is the path to the file with the image to be scanned
  - --repo is the web address (URL) of the Git repository
  - --branch is the branch of the repository to be scanned
  - --commit is the hash of the commit to be scanned
  - --stdout sends the output to the security event log
Example of a configuration file with settings for scanning a Git repository by branch and by commit:

stages:
  - scan_source_branch
  - scan_source_commit

scan_source_branch:
  stage: scan_source_branch
  image:
    name: "company.gitlab.cloud.net:5050/companydev/example/scanner:master-with-db"
    pull_policy: always
    entrypoint: [""]
  tags:
    - k8s
    - docker
  variables:
    API_BASE_URL: ${API_BASE_URL}
    API_TOKEN: ${API_TOKEN}
    API_CA_CERT: ${KCS_CA_CERT}
  script:
    - GITLAB_TOKEN=${CI_JOB_TOKEN} /scanner --repo ${CI_REPOSITORY_URL} --branch ${CI_COMMIT_BRANCH} --stdout

scan_source_commit:
  stage: scan_source_commit
  image:
    name: "company.gitlab.cloud.net:5050/companydev/example/scanner:master-with-db"
    pull_policy: always
    entrypoint: [""]
  tags:
    - k8s
    - docker
  variables:
    API_BASE_URL: ${API_BASE_URL}
    API_TOKEN: ${API_TOKEN}
    API_CA_CERT: ${KCS_CA_CERT}
  script:
    - GITLAB_TOKEN=${CI_JOB_TOKEN} /scanner --repo ${CI_REPOSITORY_URL} --commit ${CI_COMMIT_SHA} --stdout
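The two scanner invocations above (TAR archive and Git repository) can be wrapped in one job script so that a pipeline fails early and clearly when API_BASE_URL or API_TOKEN is missing, when the archive is absent, or when both a branch and a commit are given. The script below is an added example, not part of this help page or of the Kaspersky scanner; it only reproduces the command forms shown above. The /scanner path and the API_BASE_URL, API_TOKEN and API_CA_CERT variable names come from the page; SCANNER_BIN and KCS_SCAN_MAIN are assumptions of this script, and the token value is never written to the job log, only its length.

```shell
#!/bin/sh
# Added example (not Kaspersky's code): POSIX sh wrapper for the two /scanner
# command forms shown in the help page. SCANNER_BIN and KCS_SCAN_MAIN are
# assumptions of this script, not documented scanner settings.

SCANNER_BIN="${SCANNER_BIN:-/scanner}"

# Return 0 when every variable named in the arguments is set and non-empty;
# otherwise list the missing names on stderr and return 1.
require_env() {
    missing=""
    for name in "$@"; do
        eval "val=\${$name:-}"
        [ -n "$val" ] || missing="$missing $name"
    done
    if [ -n "$missing" ]; then
        echo "missing required variable(s):$missing" >&2
        return 1
    fi
    return 0
}

# Print the argument list for a TAR-archive scan (page form:
# /scanner image.tar --file --stdout). Fails if the archive does not exist,
# so a broken build step is reported instead of a confusing scanner error.
tar_scan_args() {
    archive="$1"
    [ -f "$archive" ] || { echo "archive not found: $archive" >&2; return 1; }
    printf '%s --file --stdout\n' "$archive"
}

# Print the argument list for a Git scan (page forms:
# /scanner --repo URL --branch BRANCH --stdout  or  --commit SHA --stdout).
# Exactly one of branch or commit must be given.
git_scan_args() {
    repo="$1"; branch="$2"; commit="$3"
    [ -n "$repo" ] || { echo "repository URL is required" >&2; return 1; }
    if [ -n "$branch" ] && [ -z "$commit" ]; then
        printf '%s %s %s %s --stdout\n' --repo "$repo" --branch "$branch"
    elif [ -n "$commit" ] && [ -z "$branch" ]; then
        printf '%s %s %s %s --stdout\n' --repo "$repo" --commit "$commit"
    else
        echo "specify either a branch or a commit, not both" >&2
        return 1
    fi
}

# Entry point: validate the environment the page requires, build the argument
# list for the requested mode, then run the scanner and propagate its exit code
# so the CI job fails when the scan fails.
main() {
    require_env API_BASE_URL API_TOKEN || exit 1
    mode="$1"; [ $# -gt 0 ] && shift
    case "$mode" in
        tar) args=$(tar_scan_args "$1") || exit 1 ;;
        git) args=$(git_scan_args "$1" "$2" "$3") || exit 1 ;;
        *) echo "usage: $0 tar ARCHIVE | git REPO_URL [BRANCH] [COMMIT]" >&2; exit 2 ;;
    esac
    # Log the target and the token length only; the token itself stays out of the job log.
    echo "scan: $SCANNER_BIN $args (API_BASE_URL=$API_BASE_URL, token length ${#API_TOKEN})"
    # Word-splitting of $args is intended: the list was built above from safe parts.
    # shellcheck disable=SC2086
    "$SCANNER_BIN" $args
}

# Only run the scanner when explicitly asked, so the functions can be sourced and tested.
if [ -n "${KCS_SCAN_MAIN:-}" ]; then
    main "$@"
fi
```

In a GitLab job the script line would become, for example, `KCS_SCAN_MAIN=1 sh scan.sh tar image.tar` or `GITLAB_TOKEN=${CI_JOB_TOKEN} KCS_SCAN_MAIN=1 sh scan.sh git ${CI_REPOSITORY_URL} ${CI_COMMIT_BRANCH}`; the variables block of the job stays exactly as in the examples above.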