Container Scanning tests your Docker images against known vulnerabilities in the software installed in the image. Unlike tests that cover only the application code, it extends security coverage to every installed system component: the OS packages and libraries that ship in the image.
Users often build their containers on top of existing base images. This means they rely on the security of those images and of the software preinstalled in them. That software is subject to vulnerabilities like any other, and an unpatched base image can affect the security of the entire project.
Our best practice is to package applications into containers so that they can be deployed to Kubernetes.
Our goal is to provide Container Scanning as part of the standard development process. This means that Container Scanning is executed every time a new commit is pushed to a branch. We also include Container Scanning as part of Auto DevOps.
Container Scanning results are available in the merge request security report, which shows only the new vulnerabilities introduced by the change (findings present in the merge request's image but not in the image built from the target branch). A full report is also available on the pipeline details page.
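To make the "only new vulnerabilities" logic concrete, here is an added example (not GitLab's own implementation) that diffs two scan reports: one for the image built from the target branch and one for the image built from the merge request branch. It assumes a simplified version of the container scanning JSON report, in which each entry under `vulnerabilities` carries `identifiers` and a `location` with the image and package; the two sample reports and their identifier values are constructed for this example.

```python
"""Diff two container-scanning reports to find what a merge request introduces.

Added example, not GitLab code. The report layout is an assumed, simplified
version of the container scanning JSON report. The sample reports below are
constructed; their identifier values are placeholders, not real advisories.
"""
from typing import Any, Dict, List, Tuple

Finding = Dict[str, Any]
Key = Tuple[str, str, str, str]


def _image_repo(image: str) -> str:
    """Drop the tag/digest so images built from different branches compare equal.

    Only the part after the last '/' is split on ':', so a registry port such as
    registry.example.com:5000/app is preserved.
    """
    name = image.split("@", 1)[0]
    head, sep, tail = name.rpartition("/")
    if ":" in tail:
        tail = tail.split(":", 1)[0]
    return head + sep + tail


def finding_key(v: Finding) -> Key:
    """Identity of a finding: advisory id + image repository + affected package."""
    ident = v["identifiers"][0]
    loc = v["location"]
    return (
        ident["type"].lower(),
        ident["value"].upper(),
        _image_repo(loc["image"]),
        loc["dependency"]["package"]["name"],
    )


def new_vulnerabilities(base: Dict[str, Any], head: Dict[str, Any]) -> List[Finding]:
    """Findings in the MR image that the target-branch image did not have."""
    seen = {finding_key(v) for v in base.get("vulnerabilities", [])}
    return [v for v in head.get("vulnerabilities", []) if finding_key(v) not in seen]


def fixed_vulnerabilities(base: Dict[str, Any], head: Dict[str, Any]) -> List[Finding]:
    """Findings in the target-branch image that the MR image no longer has."""
    still = {finding_key(v) for v in head.get("vulnerabilities", [])}
    return [v for v in base.get("vulnerabilities", []) if finding_key(v) not in still]


def _finding(ident: str, image: str, package: str, version: str, severity: str) -> Finding:
    return {
        "severity": severity,
        "identifiers": [{"type": "cve", "value": ident}],
        "location": {
            "image": image,
            "dependency": {"package": {"name": package}, "version": version},
        },
    }


# Constructed sample reports (placeholder identifiers, not real CVEs).
BASE_REPORT = {  # image built from the target branch
    "vulnerabilities": [
        _finding("TEST-0001", "registry.example.com:5000/group/app:main", "openssl", "1.1.1", "High"),
        _finding("TEST-0002", "registry.example.com:5000/group/app:main", "zlib", "1.2.11", "Medium"),
    ]
}
HEAD_REPORT = {  # image built from the merge request branch (different tag)
    "vulnerabilities": [
        _finding("TEST-0001", "registry.example.com:5000/group/app:feature-x", "openssl", "1.1.1", "High"),
        _finding("TEST-0003", "registry.example.com:5000/group/app:feature-x", "curl", "7.64.0", "Critical"),
    ]
}


def summarize(base: Dict[str, Any], head: Dict[str, Any]) -> Dict[str, List[str]]:
    """Identifier lists for the MR widget: what the change adds and what it fixes."""
    return {
        "new": [v["identifiers"][0]["value"] for v in new_vulnerabilities(base, head)],
        "fixed": [v["identifiers"][0]["value"] for v in fixed_vulnerabilities(base, head)],
    }


if __name__ == "__main__":
    print(summarize(BASE_REPORT, HEAD_REPORT))
```

The detail worth noticing is the key: the two images carry different tags (`:main` versus `:feature-x`), so comparing on the full image reference would make every finding look new. Keying on the image repository, the advisory identifier and the affected package is what lets the diff attribute only the `curl` finding to the merge request and report the `zlib` finding as fixed.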
We also want to make Container Scanning results available in the Security Dashboard, where security teams can check the security status of their projects.
Another place where Container Scanning results are useful is the GitLab Container Registry. Images built during pipelines are stored in the registry and then used for deployments. Integrating Container Scanning into the GitLab Container Registry will help to determine whether it is safe to deploy a specific version of the app.
We want Container Scanning to provide information about images deployed to the production environment.
The next MVC is to add more information to reports.
We want to engage industry analysts to make them aware of the security features already available in GitLab. Since this is a relatively new area for us, we must aim to be included in their next research reports.
We can get valuable feedback from analysts, and use it to drive our vision.
Container Scanning can also be considered part of Software Composition Analysis (SCA), since vulnerabilities in the packages shipped with a base image are very similar in nature to vulnerabilities in an application's software dependencies.