In case of limited resources, you can run the Kaspersky Container Security scanner apart from the worker nodes in the CI/CD process. For example, on a Docker node using the docker run command or as a Job in a Kubernetes cluster.
For maximum resource economy, we recommend using the scanner:2.1.0-lite image because it does not include vulnerability databases and sends the SBOM file based on the target image scan results for analysis to the solution using the API.
To start Kaspersky Container Security scanner outside the CI/CD process, you must specify the following mandatory parameters:
API_TOKEN: <API token value> is the Kaspersky Container Security user token for authentication in the API interface of the solution.API_BASE_URL: <web address> is a link to access the API interface of Kaspersky Container Security. The interface can be accessed using the HTTP and HTTPS protocols, depending on the environment variables of the deployed solution.API_CA_CERT: <certificate in the .PEM format> is a variable for validation of the API certificate of the solution.SKIP_API_SERVER_VALIDATION = true - a variable that, if necessary, can be specified to skip the validation of the API certificate of Kaspersky Container Security.You can also specify additional parameters for the scanner operation:
COMPANY_EXT_REGISTRY_USERNAME: <registry user name> is the name of the user of the registry where the image to be checked by the scanner is stored.COMPANY_EXT_REGISTRY_PASSWORD: <registry user password> is the password of the user of the registry where the image to be checked by the scanner is stored.BUILD_NUMBER: <ID of the build number> is the ID that is used to track the build number in the solution interface. Kaspersky Container Security displays the number in the CI\CD process scan results.BUILD_PIPELINE: <pipeline number ID> is the identifier that is used to track the pipeline number in the solution interface. Kaspersky Container Security displays the number in the CI\CD process scan results.HTTP_PROXY: <proxy server for HTTP requests> is a variable that indicates the use of an HTTP proxy server when access to external resources is requiredHTTPS_PROXY: <proxy server for HTTPS requests> is a variable that indicates the use of an HTTPS proxy when access to external resources is requiredNO_PROXY: <domains or masks corresponding to domains that are used for exclusion from proxying> is a variable that indicates the locally available resources if a proxy server is used.