Artifact scanning in CI/CD processes

Integration with third-party resources > Integration with CI/CD > Artifact scanning in CI/CD processes

Artifact scanning in CI/CD processes

Kaspersky Container Security allows you to scan images that are used in CI/CD. To scan images from CI/CD, you should configure the integration of Kaspersky Container Security with CI/CD processes.

Data from listening to and intercepting network traffic must be securely transferred between the CI/CD environment and the solution.

To scan images or repositories (in order to scan configuration files) used in the CI/CD process, add a stage to the CI/CD pipeline that runs the Kaspersky Container Security scanner.

To scan images from CI/CD, in the configuration file used to integrate the repository, specify the API_BASE_URL (web-address of the Kaspersky Container Security API server) and API_TOKEN (token to access API of the Kaspersky Container Security) environment variables for the scanner. You must also specify API_CA_CERT (certificate for verifying host server of the API solution) or SKIP_API_SERVER_VALIDATION = true to skip this scan.

The scanning results are forwarded to the server and displayed in the Management Console in the Resources → CI/CD section. The provided table lists the images that were scanned, shows the results of the risk assessment, and indicates the detected vulnerabilities.

You can click the image name link to open a page with detailed information about image scanning results. This page is similar to the page showing the results of registry images scanning.

Kaspersky Container Security also displays the type of artifact for each object. Two main artifacts are used:

File system is repository containing configuration files.
Container image is template used for runtime implementation of the container.

For each scan object, you can specify the build number (BUILD_NUMBER) and the build

pipeline

(BUILD_PIPELINE). These parameters can be used to determine the specific stage where the object failed.

For CI/CD images, rescanning is not provided.

Kaspersky Container Security performs the following types of scans in CI/CD:

Scanning images from the image registry. The solution runs a scan after a successful build and saves the image into the image registry.
Scanning of images in TAR archives. A TAR archive is stored as a build artifact that the solution scans in the next build pipeline.
Scanning a Git repository, which can be performed in one of the following ways:
- for a project branch (individual development path) in the Git repository
- for a commit (state snapshot or checkpoint in the project's timeline)

To scan an image from an image registry:

Start the scan by running a command in the following format:

/scanner [TARGET] --stdout

where:

<TARGET>—full address of the image in the registry;
<--stdout> is the output to the security event log.

To access the registry, you must set the login COMPANY_EXT_REGISTRY_USERNAME and password (token) COMPANY_EXT_REGISTRY_PASSWORD in the environment variables.
To use a certificate for secure connection to the registry, you must specify the certificate details in the COMPANY_EXT_REGISTRY_TLS_CERT environment variable as the following string in .PEM format: -----BEGIN CERTIFICATE-----\n... certificate data > ...\n-----END CERTIFICATE----- .

Examples of scanning images in GitLab CI/CD and Jenkins CI/CD.

To scan an image from a TAR archive:

Build an image and save it as a TAR archive using any application for creating containerized images.
Start the scan by running a command in the following format:
/scanner [TARGET] --file --stdout

where:
- <TARGET>—path to the file with the image to be scanned
- <--file>—flag indicating scanning of the TARGET file
- <--stdout> is the output to the security event log.
Example of a configuration file with settings for scanning a TAR archive
stages:

- build_tar

- scan_tar

- push_image

build_tar:

stage: build_tar

tags:

- k8s

- docker

image:

name: gcr.io/kaniko-project/executor:v1.9.0-debug

entrypoint: [""]

dependencies:

- scan_source_branch

- scan_source_commit

script:

- mkdir -p /kaniko/.docker

- echo "${DOCKER_AUTH_CONFIG}" > /kaniko/.docker/config.json

- /kaniko/executor

--context "${CI_PROJECT_DIR}"

--dockerfile "${CI_PROJECT_DIR}/Dockerfile"

--destination "${CI_REGISTRY_IMAGE}:${CI_COMMIT_REF_NAME}"

--compressed-caching=false

--build-arg GITLAB_USER=gitlab-ci-token

--build-arg GITLAB_TOKEN=${CI_JOB_TOKEN}

--no-push

--tarPath=image.tar

artifacts:

paths:

- image.tar

expire_in: 2 hours

scan_tar:

stage: scan_tar

tags:

- k8s

- docker

dependencies:

- build_tar

image:

name: "company.gitlab.cloud.net:5050/companydev/example/scanner:master-with-db"

pull_policy: always

entrypoint: [""]

variables:

API_BASE_URL: ${API_BASE_URL}

API_TOKEN: ${API_TOKEN}

API_CA_CERT: ${KCS_CA_CERT}

script:

- /scanner image.tar --file --stdout

artifacts:

paths:

- image.tar

expire_in: 2 hours

push_image:

stage: push_image

tags:

- k8s

image:

name: gcr.io/go-containerregistry/crane:debug

entrypoint: [""]

dependencies:

- scan_tar

script:

- mkdir -p $HOME/.docker

- echo "${DOCKER_AUTH_CONFIG}" > $HOME/.docker/config.json

- /ko-app/crane push image.tar "${CI_REGISTRY_IMAGE}:${CI_COMMIT_REF_NAME}"

To scan the Git repository:

In the configuration file of the Git repository, in the environment variables specify the token to access the repository (GITHUB_TOKEN or GITLAB_TOKEN).
Start the scan by running a command in the following format:
/scanner [TARGET] --repo [--branch BRANCH] [--commit COMMIT] --stdout

where:
- <TARGET>—web address (URL) of the Git repository
- <--repo> —flag indicating scanning of the TARGET file
- <--branch BRANCH>—branch of the repository to be scanned
- <--commit COMMIT>—hash of the commit to be scanned
- <--stdout> is the output to the security event log.
Example of a configuration file with environment variables for scanning an image from a Git repository
stages:

- scan_source_branch

- scan_source_commit

scan_source_branch:

stage: scan_source_branch

image:

name: "company.gitlab.cloud.net:5050/companydev/example/scanner:master-with-db"

pull_policy: always

entrypoint: [""]

tags:

- k8s

- docker

variables:

API_BASE_URL: ${API_BASE_URL}

API_TOKEN: ${API_TOKEN}

API_CA_CERT: ${KCS_CA_CERT}

script:

- GITLAB_TOKEN=${CI_JOB_TOKEN} /scanner --repo ${CI_REPOSITORY_URL} --branch ${CI_COMMIT_BRANCH} --stdout

scan_source_commit:

stage: scan_source_commit

image:

name: "company.gitlab.cloud.net:5050/companydev/example/scanner:master-with-db"

pull_policy: always

entrypoint: [""]

tags:

- k8s

- docker

variables:

API_BASE_URL: ${API_BASE_URL}

API_TOKEN: ${API_TOKEN}

API_CA_CERT: ${KCS_CA_CERT}

script:

- GITLAB_TOKEN=${CI_JOB_TOKEN} /scanner --repo ${CI_REPOSITORY_URL} --commit ${CI_COMMIT_SHA} --stdout

To scan the

IaC

file system, you must use the scanner image with the vX.XX-with-db database. To scan IaC files, the scanner must be given access to the files inside the container (for example, by mounting a volume with files or copying files to the container file system).

To scan the file system,

Start the scan by running a command in the following format:

/scanner [TARGET] --sources --stdout

where:

<TARGET>– path to the file folder for scanning
<--sources> – flag indicating the need to scan files in the file system
<--stdout> is the output to the security event log.

Example of a configuration file with variables used to scan files in the file system

Scan results can be viewed in Resources → CI/CD, or downloaded in the .SPDX, .JSON, and .HTML formats.

Article ID: 296997, Last review: May 20, 2025

Page top