From YouTube: Container Scanning analyzer - developer walkthrough
Description
Related to https://gitlab.com/gitlab-org/gitlab/-/issues/372790
This is a short walkthrough of GitLab Container Scanning analyzer repository for developers to help transition the source code to new group.
Hello, my name is mancheski, I'm a staff backend engineer at the Govern Security Policies team, and today I would like to get you through the container scanning repository and all the directories and all the documentation, so you're good to know where to start and how to execute the scan itself, and also what and why it's designed in this way. Okay, so let's get started.

First of all, you know that you'll find all the documentation in the docs, and most of the features are described here. I would say all features are described here, so features like allowlisting, or being able to produce dependency lists and reports, language-specific findings and so on. These are all here, and these you can enable by specifying certain variables.

Okay, let's get started with the repository itself, and I'll start with the basic things. So you know the whole feature and the whole analyzer is a simple gem, and this gem is a wrapper around two scanners, Trivy and Grype, and it's written in a way that's easily extensible. So in the future, if you would like to have another scanner, you can easily add that, because we abstracted most of the logic that's important for the scan itself, and you can run the scan using different binaries. So again, it's written in a way that you write a command like `gtcs scan` and it will start the scan.

So in the directory and in the repository you'll find the usual things like Gemfile, specs, Rakefile, license, README file, where you can read more about the release process, the current settings and the template that we're using, and some other things. So that's what we have here. I will not go through the Rakefile in detail, as it has the usual things. Then you have integration tests. Running integration tests, you would like to do it using this command instead of writing like `rspec spec/integration`, because otherwise it will run the integration tests on your machine, and what we're doing in the integration tests is we're changing the git configuration. So it may also change the git configuration for your local machine, so it's better to run it in Docker and just execute it. And it's one command, so it's very simple to do: tagging in your release, updating Trivy and Grype scanners.

We also have a task that will update the scanner and create an MR, so the MRs that you currently see in the merge requests, you know, "update Trivy to new version" or "update Grype version", we're doing it automatically. So there's a rake task that's running; if a new version of a scanner is found, then a new MR is created with all needed changes. So, as you will see, we're modifying a few files here, updating versions, updating versions in the template and updating versions for the fixtures, and that's it, and it will happen automatically for you. Then we have creating the changelog, which is also automatic. So if you want to include something in the changelog, what you need to do is to add a certain addition to the commit message, so take a look, for example.

Okay, and what else do we have in the Rakefile now? Triggering the DB update, because every day, if you go to schedules, you'll see that every single day we're triggering the DB update. I'm not certain how often we are doing that, but I believe once per day we're triggering the DB update, and then we're also triggering the scanners update as well, and it used to happen every day. Then we changed it to happen every week. Now we changed it to happen every four weeks, because before each release we're just updating the scanner. With having updates for the scanner very frequently, we had some small troubles that were introduced back then, and we had to fix it just because the scanner itself was updated. So now we have more time to do all the testing and so on. So once per month we are triggering the scanner update. You can always trigger it manually if you see that there is something in Trivy that changed that you would like to update. And then we're checking if the vulnerability database is updated. That's another thing: if the database update was successful. And I believe that's it for the Rakefile itself, so these are usually useful either for automation or for your work.

Let's take a look further: license, Gemfile, Dockerfiles. We have two Dockerfiles. The first one is used to generate the image, the usual image that we're using. But if you'd like to use a FIPS compliant image, we also have another image, and we're also producing the FIPS image, that's compliant. Then basically CODEOWNERS; RuboCop, where we have enabled or disabled certain cops; Gitpod itself, so there is a way to actually run the whole repository within Gitpod. So you don't need to do the configuration and setting up of the development machine. It's not very hard, but if you'd like to use it or quickly check something, there's a Gitpod option, so you can start a new Gitpod instance with container scanning, and it will automatically run tests for you and so on. And we have the usual .gitlab-ci.yml file, and we also have other YAML files with GitLab CI. So you can go here and you can check how we're running unit tests for CI, or integration tests, or what kind of maintenance tasks we have, release, and then security scans. Okay, in bin there is nothing important for us, it's just from the scaffold, and docs we've already talked about.

Since 15.0, we have released the container scanning analyzer and it's available for the Free tier as well as the Ultimate tier, so certain features went to EE, and these features include remediation, so creating remediations, and taking the allowlist. If you go to the container scanning documentation, you can read more about allowlisting. So specifically, you create a file within this format and then we'll ignore them during the scan. So we'll not produce vulnerabilities if it is matching the CVEs or the package names that are listed here. Okay, and it's all included only if it's EE.

All right, in exe we have the main command for the gem again, which is `gtcs`. What it will do: it will get the CLI class and it will start it, and it's using Thor underneath. So I believe you might be quite familiar with that. If not, there is the Thor documentation that's great for us, but we have only one command, so there's nothing actually to talk about here. Legal includes the license.

Let's take a look at the versions. We keep the information about versions for Grype and Trivy; it helps us with automatic updates. So this all is here. In scripts we have a few things set up. It's used to help us with creating the image with new databases every day. We have export versions that we're using to export the proper variables; check version that we're using just to check if certain CI commit tags are set and they're valid; and setup integration is used to install all packages needed to create the integration. So, for example, you see that we are installing HAProxy, curl and so on, so we just need to make sure that it's there to run the integration tests properly. That's why it's better to run this in Docker rather than trying to run it on your local machine.

Okay, we also have some other tasks in support, so, for example, generate converter fixtures. If there's anything that you're changing in the format of the schema within the analyzer, you just run this. There is a rake task for that, but it's actually doing that by running this module. And other things that I believe are straightforward, if you could just take a look at the names. Okay, specs.

So let's go to lib and let's see how it's actually working, so gcs itself. As I said, it's again a very simple wrapper around the two scanners that we have. If you take a look at the templates, you see that we have two Go templates, so Grype template and Trivy template, because both scanners are supporting this. So we have a template here and we're just using that to make sure that Trivy or Grype is creating the vulnerabilities in the format of our security report schemas, and then we can manipulate that. So you see here like very basic information, with a place for dependency files that we were using.

If you go to gcs, as I said, it all started with CLI. In CLI there are two methods, scan and db_check. db_check is quite simple: just get to the utils and check if the database is updated. Scan: we have written this in a way that you have two plugins. The first plugin will generate the container scanning report, the second one the dependency scanning report, and both plugins are run for the scanner. So you see Gcs scan, new plugin, so it will take this plugin and it will perform scan image. If I go to the scan itself, this scan image will prepare the environment and it will run the plugin. Each plugin also has this scan method. So you have the scan method in the plugin. If I go to dependency scan, you'll see that the scan will get the scanner and will call, on the scanner, the run method with scan OS packages, and then we have other things. So first it will scan, it will convert, and it will have all the failures and so on. It will ask if it's needed to skip or not. Also here we have convert, and we're using the dependency list converter for that, also a very simple module that is used here and will convert the file that was produced by the scanner to the format that we want to have. So we'll add all needed information like start time and end time, the version of the schema, the version of the analyzer, the version of the OS and so on. These are all things that are needed for us to create and generate the report, and we have a similar converter for the regular container scanning list. So you see it will do very similar things: set the start and end times, the versions, and for each vuln building the report.

So let's get back to the scan itself. So, as I told you, first it will scan and then it will try to convert, and that's it. So these are the two things that are happening. So if I go to container scanning, for example, it will perform on the scanner the scan image method and then it will get convert, and within the conversion we're looking at the allowlist, but also only if it's EE. Okay, let's take a look now at the scanner.

The scanner itself is a very simple class with all basic things like template files, dependencies template files, and here we have scan image, default options and default methods, and also, kind of like OS packages, the abstract ones, and then we're overriding them for each scanner. So if you'd like to create a new scanner, you just create a new file here, you call it like new_scanner.rb, and then you just need to add the methods. So the first method is the scan command and the other method is the OS scan command. So scan command, what does it mean? It means what kind of commands you need to run within your command line to perform a given scan using a given scanner. So here we are running Trivy: the image with a certain severity level, the vuln type argument and other arguments: no progress, it will be an offline scan, so not trying to download the new database, so we'll skip the update. Then we're only interested in vulnerability security checks, and it will format that with the template, and the template file is the file that I told you about previously. So it's a Go template file and the output will be based on the file. So then we have all things that we need. And for OS scan command, OS scan, as I mentioned, it's for dependency scanning. It will do also like scan the image, list all packages, not show progress, do not get the updates and format it as a JSON file, and that's it.

And also another method that's important is version info, because with version info, when the CI is running, we can show the information about the version of the scanner itself, and also when the database was updated. And here we have other methods that are helper methods needed for our scanner, and the environment: what kind of variables we'd like to set when we're running the scan using this scanner. So it's very similar for Grype. We also have scan command, but it's just using Grype, and it will set very similar things and create an output file, the same for scanner version, environment and so on.

We're encapsulating the commands that we'd like to run, so we're capturing all the errors, all the information, and we're just logging them properly and so on. And also here we have trusting the certificates, because when you're running against your private registry, you just need to trust the certificates to make sure that you're running the scan against the registry that is certified and that is valid. Okay, let's see, in utils we have all the information, all the methods that are needed in different parts of the scanner itself. So, for example, db_was_updated, measure_runtime, write_file, so it's also encapsulating all logic needed to write files, write tables. So it simplifies the work for us if you want to just present the table on the terminal and so on.

I believe that's it for the scanners and the analyzer itself. I believe it's more or less straightforward. If you have any questions, let us know; we'll try to make sure that the transition is very simple and we'll make sure that we can help you with any requests that you might have. So thank you very much and have a good one.
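The scanner abstraction (scan command versus OS scan command) and the allowlist check applied during conversion, as an added Ruby sketch that is not the gcs gem's own code: the class and method names, the template path, the allowlist entries and the CVE ids are assumptions constructed for this example, while the Trivy flags are the ones the walkthrough lists.

```ruby
require 'yaml'

# Base class: each concrete scanner overrides these two methods so the
# rest of the analyzer never needs to know which binary it is driving.
class BaseScanner
  def scan_command(_image, _output) = raise(NotImplementedError)
  def os_scan_command(_image, _output) = raise(NotImplementedError)
end

class TrivyScanner < BaseScanner
  TEMPLATE = '/gcs/trivy.tpl' # assumed path to the Go template

  def initialize(severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL', vuln_type: 'os')
    @severity = severity
    @vuln_type = vuln_type
  end

  # Vulnerability scan: offline against the DB bundled in the image (no
  # progress bar, no DB download), vulnerability checks only, and the
  # output rendered through the Go template into the report file.
  def scan_command(image, output)
    ['trivy', 'image', '--severity', @severity, '--vuln-type', @vuln_type,
     '--no-progress', '--offline-scan', '--skip-update',
     '--security-checks', 'vuln', '--format', 'template',
     '--template', "@#{TEMPLATE}", '-o', output, image]
  end

  # Dependency list: every installed OS package, as plain JSON.
  def os_scan_command(image, output)
    ['trivy', 'image', '--list-all-pkgs', '--no-progress', '--skip-update',
     '--format', 'json', '-o', output, image]
  end
end

# Constructed sample allowlist: a CVE id maps to an optional package name;
# with no package the CVE is suppressed for every package (assumed format).
ALLOWLIST = YAML.safe_load(<<~YAML)
  generalallowlist:
    CVE-0000-0001:
    CVE-0000-0002: cups
YAML

# A finding is allowlisted when its CVE is listed and the entry either has
# no package restriction or names the finding's package.
def allowed?(vuln, allowlist = ALLOWLIST)
  general = allowlist.fetch('generalallowlist', {})
  return false unless general.key?(vuln[:cve])

  general[vuln[:cve]].nil? || general[vuln[:cve]] == vuln[:package]
end

# Conversion step: drop allowlisted findings before building the report.
def filter_findings(vulns, allowlist = ALLOWLIST)
  vulns.reject { |v| allowed?(v, allowlist) }
end
```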