From YouTube: How to set up Container Scanning using GitLab
Description
Container Images are a significant source of vulnerabilities in the software development lifecycle because they are often built on existing images, usually from external sources. Ensuring containers are safe before being deployed in your environment is essential. In this video tutorial, Abubakar will walk through setting up container scanning in GitLab.
You can also learn more about container scanning in the GitLab documentation: https://docs.gitlab.com/ee/user/application_security/container_scanning/
#devsecops #containers #trivy #grype #containerscanning
Action! Hi, I'm Abubakar Siddique Ango, Developer Evangelism Program Manager at GitLab, and in this video we'll be talking about container scanning. Containers have been adopted almost everywhere now, and with the use of Kubernetes clusters, that has become a mainstay in our industry. Developers build with containers, they deploy with containers. Almost everything, well, not everything, but a huge part of application development today revolves around container technology.
One huge aspect of containers is the container registries, where there are a lot of open source or community-built images that are pushed to container registries like Docker Hub, quay.io or private container registries. For you to build a container, most times you don't necessarily need to start from scratch. You can use a base image, pull it from the container registry and use that base image to build your own container. But the issue most times is that the base image might be compromised, or your own might have some dependencies, or the way your Dockerfile has been created, that have some security vulnerabilities. In this video I'll be showing you how you can use GitLab to scan your container images to ensure that you don't have any vulnerabilities.
They are usually based on CVEs that have been published. GitLab integrates with open source tools like Trivy and Grype to scan your container image, and if you have your own custom scanner or some other third-party scanner, you can integrate it into GitLab CI, into the container scanning job, to use those third-party tools. But first, let's see how you can use container scanning on your project. In my browser here I have a demo project, "critical project", very cool name. So let's check our CI file.
It's a demo Ruby project created from a GitLab default template, and you can see it's using version 3.0.4 of Ruby, which most likely might have vulnerabilities. So let me edit my CI file using the pipeline editor. I'll be replacing the whole CI file with rules for container scanning, and also, for the purpose of this demo, I'll be using the GitLab Auto Build template to automatically build my project. It will detect my application, detect that it's Ruby, then package it with buildpacks and deploy it to the GitLab container registry. Now, some of the things that need to be in place for container scanning to work on your project: you have to have a test stage, which will automatically come within the job, and your container has to be in the container registry before GitLab can scan it.
Okay, while this runs, let's see. Okay, I've committed already. Now we should have a pipeline running. In our pipeline we have two jobs: build and container scanning. The container scanning job is waiting for the build to be done. Like I mentioned earlier, this is using the Auto Build template, part of Auto DevOps. It's going to use buildpacks. You can see it's trying to pull the Auto Build image here. It's going to use buildpacks to detect my application, see that it's Ruby, then use the necessary features to build a Ruby container image and push it to the GitLab container registry. While that's running, it might take a while for each job to complete. There are different types of configurations that you can add. Let's view the GitLab documentation for container scanning. Like I mentioned earlier, it integrates with Trivy or Grype, or you can use third-party tools, and there are different options that you can set.
For example, you can set the secure log level. Maybe it's too noisy and you want to limit the level of information that it displays. You can also, let's say, for example, have a certain image you want to scan, locally or in a specific registry; you can specify that also. Or you want to authenticate against a particular registry: you are not deploying to the GitLab registry but you are deploying to another registry somewhere, maybe like AWS; you can authenticate with that, deploy to it and use container scanning for that also. You can also set certain variables for different things. I'll add a link to the documentation page in the description where you can learn more about different options and different settings that you can set for your container scanning to work. You can also decide to set up container scanning in offline environments, maybe because you are in a secure environment and your devices don't have access to the internet, especially in regulated environments. You can set up a job, I think. Let me see, there's a section for that here.
So we have this here: you can have a project somewhere that pulls the image you need, maybe for Trivy or for container scanning, pulls it regularly, then packages it and pushes it to the GitLab registry. Then you can use that new image you have in your GitLab registry for your container scanning. That way it doesn't depend on the external images. Running container scanning in an offline environment: you can package your own version of Trivy or Grype, or whichever one, push it to the GitLab registry, then use the GitLab registry or your own custom registry within your organization to run your container scanning. See here: you simply specify this as the image it should use, and when you specify it, it will use your local scanning image instead of having to pull from GitLab. You can also keep it up to date by setting up a job in the project you've created for creating the container image, so that it regularly pulls a new version of the image tag and then pushes it to your local container registry again. Let's go back to look at our job. The build job is complete. Let's go back to the pipeline.
This is our pipeline, so the build job is complete and the container scanning job is complete. If we check Security here, you can see the dependency scan for your container scanning: it's recognized 296 vulnerabilities. That's a lot! You can see all of them here from the container scanner it executed for this pipeline, and also it recognized 10 licenses.
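As an added example, not the demo project's CI file and not taken from the video or the GitLab docs verbatim, here is a `.gitlab-ci.yml` that puts together the pieces the walkthrough mentions: the Auto Build template that builds with buildpacks and pushes to the project's container registry, the Container Scanning template (whose `container_scanning` job runs in the `test` stage, so that stage must exist and must run after the build), `SECURE_LOG_LEVEL` to cut scanner noise, `CS_IMAGE` plus `CS_REGISTRY_USER`/`CS_REGISTRY_PASSWORD` for scanning an image that lives in another registry, and `CS_ANALYZER_IMAGE` pointing at a mirrored copy of the analyzer for offline use. A second YAML document shows the kind of mirror job the docs describe, to be run on a schedule in a separate project. `registry.example.com`, the `team/app` image path, the `EXTERNAL_REGISTRY_*` CI/CD variables and the `:6` analyzer tag are assumptions; pick the analyzer major version your GitLab release expects.

```yaml
# Added example (not the demo project's real pipeline). Hostnames, image paths,
# credential variable names and the analyzer tag are placeholders.
include:
  - template: Jobs/Build.gitlab-ci.yml                 # Auto Build: buildpacks, push to $CI_REGISTRY_IMAGE
  - template: Security/Container-Scanning.gitlab-ci.yml

stages:
  - build
  - test   # container_scanning is defined in "test"; it runs after the image exists

variables:
  SECURE_LOG_LEVEL: "info"   # fatal | error | warn | info | debug; raise to debug only when troubleshooting

container_scanning:
  variables:
    # Default target is $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA (what Auto Build pushed).
    # Override to scan an image held in another registry, e.g. one you deploy to:
    CS_IMAGE: "registry.example.com/team/app:$CI_COMMIT_SHA"
    # Credentials for that registry; define these as masked, protected CI/CD variables,
    # never as literals in the file. Defaults are $CI_REGISTRY_USER / $CI_REGISTRY_PASSWORD.
    CS_REGISTRY_USER: "$EXTERNAL_REGISTRY_USER"
    CS_REGISTRY_PASSWORD: "$EXTERNAL_REGISTRY_PASSWORD"
    # Offline / restricted network: run the analyzer from your own registry instead of registry.gitlab.com
    CS_ANALYZER_IMAGE: "registry.example.com/security/container-scanning:6"

---
# Separate project, run on a pipeline schedule: keeps the mirrored analyzer
# (and its bundled vulnerability database) fresh in the internal registry.
variables:
  SOURCE_IMAGE: "registry.gitlab.com/security-products/container-scanning:6"
  TARGET_IMAGE: "$CI_REGISTRY/security/container-scanning:6"

update-scanner-image:
  image: docker:stable
  services:
    - docker:dind
  script:
    - docker pull "$SOURCE_IMAGE"
    - docker tag "$SOURCE_IMAGE" "$TARGET_IMAGE"
    - echo "$CI_REGISTRY_PASSWORD" | docker login "$CI_REGISTRY" --username "$CI_REGISTRY_USER" --password-stdin
    - docker push "$TARGET_IMAGE"
```

Two things worth checking before relying on this: the scan only covers what is in the image at scan time, so a `CS_IMAGE` that points at a mutable tag (`latest`) can silently drift from what you deploy, which is why the example pins `$CI_COMMIT_SHA`; and the mirrored analyzer carries the vulnerability database it was built with, so an offline mirror that is not refreshed on a schedule will stop reporting newly published CVEs.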