From YouTube: Demo of OCS vulnerability scan using Trivy K8s cli
Description
This video is trimmed from a demo I gave during the weekly Composition Analysis meeting. More context on the change can be found in this MR: gitlab.com/gitlab-org/cluster-integration/gitlab-agent/-/merge_requests/909
So I've started the server, the GitLab agent server, right, and what it's doing is pulling the configuration, the security policies configuration. So I've connected the GitLab agent to my repository that I'm using to test the OCS scans, right, and this is the current job that it runs, that it uses to determine when it starts a Trivy scan, right. So what I'm going to do now is I'm going to change it to, maybe, let's say, 28, right. So it's going to run at every 28th minute of the hour.

Right, I have to make a commit, so this is how the GitLab agent is set up. So whenever the configuration file changes, right, the agent picks it up and it sees it and it reconfigures the setting. So you see that over here: now it knows that every 28th minute of the hour it will run a scan job, right. The change that I made was that I used the Trivy container image to run a Kubernetes scan, or they call it the k8s scan, right.

So what we'll see later at the 28th minute is that it's going to pick up the two namespaces that I've configured here, the default namespace and the [inaudible] namespace, and run the scan for each of the namespaces and the pods that exist in there, right. So, as you can see, I have three pods running, one in the default namespace and two inside the [inaudible] namespace, where I'm going to expand this to show what's happening. These are all debug logs, this, yeah.

So what happens is that at the 28th minute, right, we start a scan, right, and it's creating pods, Trivy pods, for the [inaudible] namespace and the default namespace, right, and then I create a watcher that will watch the pod to see that it has succeeded. Once it has succeeded, it would read the logs from the pod and then create the vulnerabilities inside GitLab, right, and then that kind of completes the whole process and flow, right.

So how this can be seen in the dashboard is inside the nav bar: Infrastructure, Kubernetes clusters, right. If we were to refresh it and you go into the particular agent, you should be able to see the vulnerabilities that are being picked up here, yep.