Skip to main content
Version: 5.3

Gitlab

Scan for Vulnerabilities during Gitlab Build Pipeline

NeuVector can be configured to scan for vulnerabilities triggered in the Gitlab build pipeline. There is a Gitlab plug-in here which can be configured and used. Please follow the instructions on the gitlab site for using the plugin.

The scan can also use the NeuVector REST API by configuring the provided script below to access the controller.

In addition, make sure there is a NeuVector scanner container deployed and configured to connect to the Allinone or Controller. In 4.0 and later, the neuvector/scanner container must be deployed separate from the allinone or controller.

Scan During Gitlab Build Using REST API

Use the following script, configured for your NeuVector login credentials to trigger the vulnerability scans.

########################
# Scanning Job
########################

NeuVector_Scan:
image: docker:latest
stage: test
#the runner tag name is nv-scan
tags:
- nv-scan
services:
- docker:dind
before_script:
- apk add curl
- apk add jq
variables:
DOCKER_DAEMON_PORT: 2376
DOCKER_HOST: "tcp://$CI_SERVER_HOST:$DOCKER_DAEMON_PORT"
#the name of the image to be scanned
NV_TO_BE_SCANNED_IMAGE_NAME: "nv_demo"
#the tag of the image to be scanned
NV_TO_BE_SCANNED_IMAGE_TAG: "latest"
#for local, set NV_REGISTRY=""
#for remote, set NV_REGISTRY="[registry URL]"
NV_REGISTRY_NAME: ""
#the credential to login to the docker registry
NV_REGISTRY_USER: ""
NV_REGISTRY_PASSWORD: ""
#NeuVector image location
NV_IMAGE: "10.1.127.3:5000/neuvector/controller"
NV_PORT: 10443
NV_LOGIN_USER: "admin"
NV_LOGIN_PASSWORD: "admin"
NV_LOGIN_JSON: '{"password":{"username":"$NV_LOGIN_USER","password":"$NV_LOGIN_PASSWORD"}}'
NV_SCANNING_JSON: '{"request":{"registry":"$NV_REGISTRY","username":"$NV_REGISTRY_NAME","password":"$NV_REGISTRY_PASSWORD","repository":"$NV_TO_BE_SCANNED_IMAGE_NAME","tag":"$NV_TO_BE_SCANNED_IMAGE_TAG"}}'
NV_API_AUTH_URL: "https://$CI_SERVER_HOST:$NV_PORT/v1/auth"
NV_API_SCANNING_URL: "https://$CI_SERVER_HOST:$NV_PORT/v1/scan/repository"
script:
- echo "Start neuvector scanner"
- docker run -itd --privileged --name neuvector.controller -e CLUSTER_JOIN_ADDR=$CI_SERVER_HOST -p 18301:18301 -p 18301:18301/udp -p 18300:18300 -p 18400:18400 -p $NV_PORT:$NV_PORT -v /var/neuvector:/var/neuvector -v /var/run/docker.sock:/var/run/docker.sock -v /proc:/host/proc:ro -v /sys/fs/cgroup/:/host/cgroup/:ro $NV_IMAGE
- |
_COUNTER_="0"
while [ -z "$TOKEN" -a "$_COUNTER_" != "12" ]; do
_COUNTER_=$((( _COUNTER_ + 1 )))
sleep 5
TOKEN=`(curl -s -f $NV_API_AUTH_URL -k -H "Content-Type:application/json" -d $NV_LOGIN_JSON || echo null) | jq -r '.token.token'`
if [ "$TOKEN" = "null" ]; then
TOKEN=""
fi
done
- echo "Scanning ..."
- sleep 20
- curl $NV_API_SCANNING_URL -s -k -H "Content-Type:application/json" -H "X-Auth-Token:$TOKEN" -d $NV_SCANNING_JSON | jq .
- echo "Logout"
- curl $NV_API_AUTH_URL -k -X 'DELETE' -H "Content-Type:application/json" -H "X-Auth-Token:$TOKEN"

after_script:
- docker stop neuvector.controller
- docker rm neuvector.controller