Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
GitLab / Secure Stage / 5 Apr 2023
GitLab / Secure Stage / 5 Apr 2023
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Demo of OCS vulnerability scan using Trivy K8s cli

Description

This video is trimmed from a demo I gave during the weekly Composition Analysis meeting. More context on the change can be found in this MR: gitlab.com/gitlab-org/cluster-integration/gitlab-agent/-/merge_requests/909

A

So I've started the server the gitlab agent server right and what it's doing is pulling the configuration uh the security policies configuration um so so. uh I've connected the gitlab agent to my repository that I'm using to test um the the OCS scans right- and this is the current job- that it runs that it uses to determine when it starts a 3B scan right. So what I'm going to do now is I'm going to change it, to um maybe, let's say, 28 right. So it's going to run uh at every 28th minute of the hour.

A

um Right I have to make a commit, um so this is how um GitHub agent is set up. So whenever uh the configuration file changes right, the agent picks it up and it sees uh and it reconfigures uh the setting. So you see that over here now it knows that uh every 28th minute of the hour it will run a scan job right. The change that I made was that I used the um the 3v container image to run a kubernetes scan uh or they call it the qvc8 scan right.

A

So what we'll see later at the 28th minute is that it's going to pick up the two namespaces that I've configured here the default mean space and 10 namespace and run the scan for each of the for each of the name spaces and the pods that exist in there right. So, um as you can see, I have three parts running one in default: namespace and two inside the tab name space where I'm going to expand this uh to show what's happening. These are all um debug logs this yeah.

A

So what happens is that um at the 28th minute right, we start a scan right and it's creating ports 3D ports. For the time namespace and the default name, space right um and then I I create a watcher that will watch on the port to see that uh it has succeeded once he has succeeded, he would read the logs from the port and then create the vulnerabilities inside gitlab right and then that kind of completes the whole process and Flow right.

A

So how this can be seen in the dashboard is the inside uh the nav bar infrastructure keep it at this cluster right. um If we were to refresh it um and you go into the particular agent, you should be able to see the vulnerabilities that's being picked up here yep.

A

So here you go. So these are the vulnerabilities that were picked up from the scan and you show up here and you can actually see the the details over here.