Description
In this demo we are adding new scans to Security Policies: Cluster Image Scanning and Container Scanning. This allows us to enforce running the Cluster Image Scanning and Container Scanning scans defined in the policy, or to schedule those scans to run periodically.
Issue: https://gitlab.com/gitlab-org/gitlab/-/issues/330714
MR: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/69253
There is an open MR that soon will be reviewed and merged, and today I would like to talk about the features that are introduced with this MR. So let's go and let's quickly create a new project for us.
Okay, let's just disable protected branches for our repository, so it will be easier for us to push to main without the need for any additional approvals. Okay, let's go to the policies section and let's create some policies. First, the policy file for our project.
Let's take a look at the examples that we currently have, and container scanning will be the first one. Okay. So for now, let's see if we already have something in the CI/CD pipelines for our project. We should have one that is running our test "say hi" job. Okay, I'm gonna just do that.
Commit the changes in our main project. I'll go to the CI/CD configuration and I'll just add variables. It will allow us to run the container scanning scan because, with this new feature, we're not only adding cluster image scanning, we're also adding regular container scanning for your static containers. So I'll just provide the Docker image, alpine 3.6.
I'll just add the variable itself, then we'll go to the CI/CD pipeline and I'll trigger it manually. You'll actually see a second job is added for container scanning.
So now, if I go and trigger this pipeline again, it will automatically extend my pipeline with this cluster image scanning job. So obviously it will not work for us in this case, because it is not configured. We haven't added any CI variable that should allow us to perform a scan of a regular cluster. If you want to read more about cluster image scanning, I recommend going to the docs, and there's a whole section that shows you how to configure a cluster and how to provide the CIS_KUBECONFIG variable to your project.
So it will automatically get the vulnerabilities that you wanted to get, right? But you see that the pipeline itself is extended. The job will fail because it was not configured for us; there is no kubeconfig. But it was added, so that's what was important for us. So now we can talk about the actual feature that we want to add. So it allows you to schedule a scan, like a cluster image scanning scan, on your selected cluster, on a set date, set time, so a set cadence you can specify. Okay.
Gonna just name it production cluster.
So now one of the examples that we have here is actually how to run it on a selected cluster. So I'll just do that. So I'll go to my policy and I'll modify it. So I have here the advanced example; we'll go to this example in a second. I'm just going to remove that and leave the empty object here, and I'm going to copy the name of the cluster and I'll paste it here. We're going to run the container scanning scan for it; it will regularly extend the pipeline.
So when you manually trigger the scan, it will extend that with a container scanning scan. Then, because we've added clusters, the policy engine will recognize that you want to run a container scanning scan on the cluster, so it will automatically translate that to a cluster image scanning scan. So it will get a configuration, a kubeconfig, for the cluster itself; it will connect and get vulnerabilities from your cluster. And we also added an additional thing here.
So I wanted to show you that this allows me to show that in a single policy. So I'll start; it is added, so I'll start by going and triggering a manual job.
Okay, so you see, container scanning was added, and now let's wait for a few minutes to have these policies applied. So we need to wait for a few minutes, so we're gonna have scheduled scans for the cluster and for the regular container scanning scan, and it should be added automatically.
All right, so see, we have two jobs, two separate pipelines with one job each. So the first one is the cluster image scanning scan, because we specified here that we want to run it on the clusters. So the engine responsible for running those policies understands that if you configure that for the cluster, it will actually run the cluster image scanning scan instead of container scanning. But as well, since we've also added that for branches, it added a separate pipeline with an additional job just to run the container scanning scan.
Additionally, so you can see we have two, so both passed. So let's take a look here and let's see if we have found any vulnerabilities. Okay, it found seven; it was added. So now we can go to the Vulnerability Report and take a look at the different vulnerabilities that were added, so for both cluster image scanning and container scanning we have vulnerabilities, they were found, right? This is great. I can go and I will modify it, and now enforce it instead of enforcing the container scanning scan.
Okay, so what it will do: to actually run regular cluster image scanning on this cluster, it will automatically extend all your pipelines, whether triggered manually or in MRs and so on. It will extend that with this cluster image scanning scan job, or it will add an additional schedule that will actually, every five minutes, run the cluster image scanning scan for your project, for the variable that you defined in your project. So let's assume that we have that variable configured here.
I can add the variable CIS_KUBECONFIG and I'll just add the configuration to it. It will add a job that will actually take that configuration from that variable and it will use that to run a cluster image scanning scan.
So this is... this was added just to make sure that you explicitly want to run the cluster image scanning scan. If you just wanted to handle it automatically, you can specify container scanning and then, based on the rule that you have, it will run the proper scan for you. If you want to explicitly enforce the cluster image scanning scan without this auto selection, then you need to specify cluster image scanning.
Okay, I'll go back to container scanning and I'll just add one more thing, so we'll actually filter some results based on the configuration added into the policy.
So in this example, what we're gonna do... we're gonna, actually, I'll just commit those changes. We're gonna wait for a few minutes. While waiting, I'm gonna just quickly talk about what will happen. So it will take a look at the names of the containers, of the resources, or the namespace, or the kinds, and will actually filter based on those values. So, for example, let's say I have an nginx-www deployment added in the gitlab-production namespace that has an nginx container, to only get me vulnerabilities from that container.
These are all optional. You can specify, for example, that I would only get vulnerabilities for deployments, or only for a given namespace, or for a given resource. So for now, in the first iteration, we are supporting only the first value. So, even if you add more, it's not yet supported on the analyzer, but as soon as we are adding that to the analyzer, it will allow us to filter on multiple values provided for a single type.
For now, only the first one will be taken, and we don't really have anything like that on our cluster. So I expect that when we are going to schedule that, it will actually find no vulnerabilities. So, we were waiting for some time; let's go back to our CI/CD and let's see if we have pipelines that are added.
So again we have two pipelines. We want to get it for cluster image scanning, and let's see what the analyzer received and if those values were filtered out or not. Okay, see, no reports were found, because we actually have no resources that are matching the values that we provided here. But it allows you to modify it. It allows you to actually specify what you really want to get, which vulnerabilities you would like to see in your project.
Okay, that would be it. If you have more questions, feel free to ask in the issue or in the epic; we're happy to help. We're extending the help as well, to give more information about that, and we can extend that feature in the future. Thank you.
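The policy the demo builds up step by step, written out as one file. This is an added example, not the video's or the MR's own configuration: the field names follow GitLab's documented scan execution policy schema of that release series (check the current docs before copying, since the schema has evolved), the cluster name `production-cluster` and the `nginx-www`/`gitlab-production`/`nginx` identifiers are taken from the demo as placeholders for your own, and the five-minute cron cadence matches what the speaker uses. Two rules are shown: a `pipeline` rule for the `main` branch, which adds a plain container scanning job, and a `schedule` rule naming a cluster, where the same `container_scanning` action is auto-selected into a cluster image scanning job that reads the cluster connection from the project's `CIS_KUBECONFIG` variable. The commented-out `cluster_image_scanning` action is the explicit form without auto selection.

```yaml
# Added example (not from the video or the MR). Field names follow GitLab's
# documented scan execution policy schema; identifiers are demo placeholders.
scan_execution_policy:
- name: Container scanning on every pipeline for main
  description: Adds a container_scanning job to pipelines on the listed branches.
  enabled: true
  rules:
  - type: pipeline
    branches:
    - main
  actions:
  - scan: container_scanning

- name: Scheduled cluster scan of production-cluster
  description: >
    Runs on the demo's five-minute cadence. Because the rule names a cluster,
    the policy engine turns container_scanning into a cluster_image_scanning job,
    which needs the CIS_KUBECONFIG CI variable set on the project. The filters
    narrow results to one container; in this first iteration the analyzer
    honours only the first value of each list.
  enabled: true
  rules:
  - type: schedule
    cadence: "*/5 * * * *"
    clusters:
      production-cluster:        # assumed cluster name, as used in the demo
        namespaces:
        - gitlab-production
        kinds:
        - deployment
        resources:
        - nginx-www
        containers:
        - nginx
  actions:
  - scan: container_scanning     # auto-selected: runs as cluster_image_scanning here
  # - scan: cluster_image_scanning   # explicit form: enforces it with no auto selection
```

Two things to check when applying a policy like this: if `CIS_KUBECONFIG` is missing the scheduled job still gets added but fails, exactly as the demo shows, so treat a failing scheduled scan as a misconfiguration rather than a clean result; and because only the first value of each filter list is used, a list with several entries silently scans less than it appears to, so keep one value per filter until the analyzer supports more.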