Running a scanner outside of the CI / CD process
In case of limited resources, you can run the Kaspersky Container Security scanner apart from the worker nodes in the CI/CD process. For example, by using the docker run command on a Docker node, or as a Job in a Kubernetes cluster.
To save resources to the greatest extent possible, we recommend using the scanner: 2.0.0-lite image, as it does not contain vulnerability databases and sends the SBOM file based on the target image scan results to the solution using the API.
To start Kaspersky Container Security scanner outside the CI/CD process, you must specify the following mandatory parameters:
API_TOKEN: <API token value> is the Kaspersky Container Security user token for authentication in the API interface of the solution.API_BASE_URL: <web address> is a link to access the API interface of Kaspersky Container Security. The interface can be accessed using the HTTP and HTTPS protocols, depending on the environment variables of the deployed solution.API_CA_CERT: <certificate in the .PEM format> is a variable for validation of the API certificate of the solution.SKIP_API_SERVER_VALIDATION = true - a variable that, if necessary, can be specified to skip the validation of the API certificate of Kaspersky Container Security.
You can also specify additional parameters for the scanner operation:
COMPANY_EXT_REGISTRY_USERNAME: <registry user name> is the name of the user of the registry where the image to be checked by the scanner is stored.COMPANY_EXT_REGISTRY_PASSWORD: <registry user password> is the password of the user of the registry where the image to be checked by the scanner is stored.BUILD_NUMBER: <ID of the build number> is the ID that is used to track the build number in the solution interface. Kaspersky Container Security displays the number in the CI\CD process scan results.BUILD_PIPELINE: <pipeline number ID> is the identifier that is used to track the pipeline number in the solution interface. Kaspersky Container Security displays the number in the CI\CD process scan results.HTTP_PROXY: <proxy server for HTTP requests> is a variable that indicates the use of an HTTP proxy server when access to external resources is requiredHTTPS_PROXY: <proxy server for HTTPS requests> is a variable that indicates the use of an HTTPS proxy when access to external resources is requiredNO_PROXY: <domains or masks corresponding to domains that are used for exclusion from proxying> is a variable that indicates the locally available resources if a proxy server is used.
Running a scanner in Docker
To start the scanner in lite SBOM mode in Docker:
- Specify the mandatory parameters for Kaspersky Container Security:
-e API_TOKEN=<API token value>
-e API_BASE_URL=https://company.com
-e API_CA_CERT: <certificate in the .PEM format> or -e SKIP_API_SERVER_VALIDATION=true
- If necessary, specify additional parameters for Kaspersky Container Security.
- Specify the scanner image to run:
repo.kcs.company.com/images/scanner:v2.0.0-lite
- If you need to generate an artifact for downloading, specify the following:
--<artifact format --stdout > result.<file format>
For example:
- Make sure that the .docker/config.json configuration file contains data for connection to the image registry with the scanner image. If necessary, run one of the following commands:
docker login repo.company.com or docker login repo.kcs.kaspersky.com. - Start scanning.
If a domain name resolution error - Name does not resolve - appears when calling the scanner, you must specify the address before the API_BASE_URL variable before the internal DNS server of your organization. For example:
--dns 10.0.xx.x
If the scanner image and image to be scanned are stored in your registry and you need to generate an artifact with the scanner operation results in the .JSON format, scanner starting variables are specified as follows:
docker run --dns 10.0.10.10 \
-e "API_BASE_URL=https://kcs.company.com" \
-e "SKIP_API_SERVER_VALIDATION=true" \
-e "API_TOKEN=${api_token}" \
-e "COMPANY_EXT_REGISTRY_USERNAME=${user}" \
-e "COMPANY_EXT_REGISTRY_PASSWORD=${password}"
repo.company.com/images/scanner:v2.0.0-lite \
repo.company.com/images/alpine:latest --stdout > result.json
If the scanner image is stored in a Kaspersky public registry (the node pulls this image using your proxy server), the scanned image is stored locally on the node as an archive, and you need to generate an artifact with the scanner operation results in the .SPDX format, scanner starting variables are specified as follows:
docker run --dns 10.0.10.10 \
-e "API_BASE_URL=https://kcs.company.com" \
-e "SKIP_API_SERVER_VALIDATION=true" \
-e "API_TOKEN=${api_token}" \
-e "HTTPS_PROXY=http://user:password@client.proxy.com:8080" \
-v ./image_to_scan.tar:/image.tar \
repo.kcs.kaspersky.com/images/scanner:v2.0.0-lite \
image.tar --file --spdx --stdout > result.spdx
Running the scanner as a Job in a Kubernetes cluster
To run the scanner in lite SBOM mode as a Job in a Kubernetes cluster:
- Make sure that the node running the commands contains kubectl and configuration file for the corresponding Kubernetes cluster and that they are accessible to the user who runs the commands.
- Make sure that a secret exists in the corresponding namespace to authenticate and download the scanner image from the registry you are interested in.
You can create such a secret yourself, for example, using the following command:
kubectl create secret docker-registry <secret name> --docker-server=<FQDN of the repository> --docker-username=username --docker-password=password
- Specify the values of the mandatory and, if necessary, additional parameters for the scanner to operate as a task in the Kubernetes cluster.
The parameters are specified in the file for running the scanner in the .YAML format as follows:
apiVersion: batch/v1
kind: Job
metadata:
name: my-lite-job
spec:
template:
spec:
containers:
- name: my-lite-container
image: repo.company.com/images/scanner:v2.0.0-lite
command: ["/bin/sh"]
args: ["entrypoint.sh", "alpine:latest"]
env:
- name: COMPANY_EXT_REGISTRY_USERNAME
value: <user for authentication in the image registry where the image to be scanned is located>
- name: COMPANY_EXT_REGISTRY_PASSWORD
value: <password for authentication in the image registry where the image to be scanned is located>
- name: API_BASE_URL
value: https://kcs.company.local
- name: API_TOKEN
value: <token for authentication in the API of Kaspersky Container Security>
- name: SKIP_API_SERVER_VALIDATION
value: 'true'
imagePullPolicy: Always
restartPolicy: Never
imagePullSecrets:
- name: <name of the secret for authentication and pulling the scanner image>
backoffLimit: 0
- Start scanning in the Kubernetes cluster:
kubectl apply -f my-lite-job.yaml
Article ID: 301504, Last review: May 20, 2025