Gitlab

在GitLab构建管道中扫描漏洞

SUSE® Security可以配置为在GitLab构建管道中触发漏洞扫描。有一个可以配置和使用的GitLab插件，请按照GitLab网站上的说明使用该插件。

扫描也可以通过配置下面提供的脚本来完成：该脚本使用SUSE® Security REST API访问控制器。

此外，请确保部署并配置了一个SUSE® Security扫描器容器，以连接到Allinone或控制器。在4.0及更高版本中，neuvector/scanner容器必须与allinone或控制器分开部署。

使用REST API在GitLab构建期间扫描

使用以下脚本，配置您的SUSE® Security登录凭据以触发漏洞扫描。

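########################
# Scanning Job
########################
#
# Starts the controller container on the runner host, authenticates against
# its REST API, requests a scan of one image, prints the result and logs out.
# Everything under `variables:` is meant to be overridden per project; the
# values below are sample values only.

{product-name}_Scan:
  image: docker:latest
  stage: test
  # The runner tag name is nv-scan.
  tags:
    - nv-scan
  services:
    - docker:dind
  before_script:
    - apk add curl
    - apk add jq
  variables:
    DOCKER_DAEMON_PORT: 2376
    DOCKER_HOST: "tcp://$CI_SERVER_HOST:$DOCKER_DAEMON_PORT"
    # The name of the image to be scanned.
    NV_TO_BE_SCANNED_IMAGE_NAME: "nv_demo"
    # The tag of the image to be scanned.
    NV_TO_BE_SCANNED_IMAGE_TAG: "latest"
    # For a local image, set NV_REGISTRY="".
    # For a remote image, set NV_REGISTRY="[registry URL]".
    NV_REGISTRY: ""
    # The credential used to log in to the Docker registry (remote scans only).
    # Define NV_REGISTRY_PASSWORD as a masked CI/CD variable in the project
    # settings instead of committing it to this file.
    NV_REGISTRY_USER: ""
    NV_REGISTRY_PASSWORD: ""
    # {product-name} image location.
    NV_IMAGE: "10.1.127.3:5000/neuvector/controller"
    NV_PORT: 10443
    # Controller login. "admin"/"admin" is the sample value only; define
    # NV_LOGIN_PASSWORD as a masked, protected CI/CD variable instead of
    # committing it here.
    NV_LOGIN_USER: "admin"
    NV_LOGIN_PASSWORD: "admin"
    NV_LOGIN_JSON: '{"password":{"username":"$NV_LOGIN_USER","password":"$NV_LOGIN_PASSWORD"}}'
    # The scan request. An empty "registry" means the local image is scanned;
    # "username"/"password" are the registry credential (NV_REGISTRY_USER /
    # NV_REGISTRY_PASSWORD), not the controller login.
    NV_SCANNING_JSON: '{"request":{"registry":"$NV_REGISTRY","username":"$NV_REGISTRY_USER","password":"$NV_REGISTRY_PASSWORD","repository":"$NV_TO_BE_SCANNED_IMAGE_NAME","tag":"$NV_TO_BE_SCANNED_IMAGE_TAG"}}'
    NV_API_AUTH_URL: "https://$CI_SERVER_HOST:$NV_PORT/v1/auth"
    NV_API_SCANNING_URL: "https://$CI_SERVER_HOST:$NV_PORT/v1/scan/repository"
  script:
    - echo "Start neuvector scanner"
    # --privileged together with the docker.sock, /proc and cgroup mounts gives
    # the controller container full access to the runner host; keep the
    # nv-scan runner dedicated to this job.
    - docker run -itd --privileged --name neuvector.controller -e CLUSTER_JOIN_ADDR=$CI_SERVER_HOST -p 18301:18301 -p 18301:18301/udp -p 18300:18300 -p 18400:18400  -p $NV_PORT:$NV_PORT -v /var/neuvector:/var/neuvector -v /var/run/docker.sock:/var/run/docker.sock -v /proc:/host/proc:ro -v /sys/fs/cgroup/:/host/cgroup/:ro $NV_IMAGE
    # Poll the auth endpoint until a token is issued (at most 12 x 5 s).
    # -k skips TLS verification of the controller certificate; replace it with
    # --cacert <controller CA> once the controller serves a trusted certificate.
    - |
      TOKEN=""
      _COUNTER_="0"
      while [ -z "$TOKEN" ] && [ "$_COUNTER_" != "12" ]; do
        _COUNTER_=$(( _COUNTER_ + 1 ))
        sleep 5
        TOKEN=$( (curl -s -f -k "$NV_API_AUTH_URL" -H "Content-Type:application/json" -d "$NV_LOGIN_JSON" || echo null) | jq -r '.token.token')
        if [ "$TOKEN" = "null" ]; then
          TOKEN=""
        fi
      done
      # Stop here rather than sending the scan request with an empty token:
      # the request would be rejected while the job still reported success.
      if [ -z "$TOKEN" ]; then
        echo "Could not obtain an API token from $NV_API_AUTH_URL"
        exit 1
      fi
    - echo "Scanning ..."
    - sleep 20
    # -f makes a non-2xx response fail the request. The exit status is kept
    # instead of aborting immediately so the session is still logged out.
    - |
      SCAN_STATUS=0
      SCAN_RESULT=$(curl -s -f -k "$NV_API_SCANNING_URL" -H "Content-Type:application/json" -H "X-Auth-Token:$TOKEN" -d "$NV_SCANNING_JSON") || SCAN_STATUS=$?
      echo "$SCAN_RESULT" | jq .
    - echo "Logout"
    - curl -s -k -X 'DELETE' "$NV_API_AUTH_URL" -H "Content-Type:application/json" -H "X-Auth-Token:$TOKEN"
    # Fail the job when the scan request itself failed. The printed report is
    # not evaluated here; add a check on it to gate the pipeline on findings.
    - |
      if [ "$SCAN_STATUS" != "0" ]; then
        echo "Scan request failed (curl exit status $SCAN_STATUS)"
        exit "$SCAN_STATUS"
      fi

  after_script:
    - docker stop neuvector.controller
    - docker rm neuvector.controller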