Replace GitLab Container Scan

Replacing GitLab container scanning with Boost container scanning is rather straightforward. Suppose that you have the following GitLab container scan configuration:

include:
  - template: Jobs/Container-Scanning.gitlab-ci.yml

container_scanning:
  before_script:
    - echo "Custom authentication script"
  variables:
    CS_IMAGE: example.com/user/image:tag

First, replace the include instruction so that it refers to the Boost template, and define the hidden .boost-container-scan job that wraps .boost_scan:

include:
  - remote: 'https://raw.githubusercontent.com/boostsecurityio/boostsec-scanner-gitlab/main/scanner.yml'

.boost-container-scan:
  extends:
    - .boost_scan
  variables:
    BOOST_IMAGE_NAME: $CS_IMAGE
  script:
    - !reference [.boost_setup, before_script]
    - export TRIVY_USERNAME=$CS_REGISTRY_USER
    - export TRIVY_PASSWORD=$CS_REGISTRY_PASSWORD
    - !reference [.boost_scan, script]
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event" && $CS_IMAGE
      variables:
        BOOST_SCANNER_REGISTRY_MODULE: "boostsecurityio/trivy-image"
    - if: ($CI_PIPELINE_SOURCE == "push") && ($CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH) && $CS_IMAGE
      variables:
        BOOST_SCANNER_REGISTRY_MODULE: "boostsecurityio/trivy-sbom-image"

Then your container_scanning job is replaced by:

boost-container-scan:
  extends:
    - .boost-container-scan
  before_script:
    - echo "Add logic here"
  variables:
    CS_IMAGE: example.com/user/image:tag
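The migration relies on three GitLab CI mechanisms composing correctly: `extends` merging the hidden job into boost-container-scan, `!reference` splicing the Boost setup and scan steps into `script`, and the two `rules:if` expressions picking the right scanner module (trivy-image on merge requests, trivy-sbom-image on pushes to the default branch). The following Python script is an added example written for this page; it is not part of the Boost documentation or of the boostsec-scanner-gitlab template. It mirrors the YAML above as a Python dict, resolves `extends` and `!reference` (represented by a `Ref` tuple) the way GitLab does for this case, and evaluates the rules for a simulated pipeline context. The bodies of `.boost_setup` and `.boost_scan` are placeholders assumed for offline use, since the real ones live in the remote include; the evaluator's variable truthiness and precedence model are simplifications, also assumed here. Only the standard library is used.

```python
import operator
import re
from collections import namedtuple

Ref = namedtuple("Ref", "job key")  # stand-in for the YAML `!reference [job, key]` tag
# Constructed sample mirroring the page's YAML. `.boost_setup` and `.boost_scan` normally
# come from the remote include; their bodies are placeholders assumed here, not Boost's template.
SAMPLE_CI = {
    ".boost_setup": {"before_script": ['echo "placeholder: install boost cli"']},
    ".boost_scan": {"script": ['echo "placeholder: run boost scan"']},
    ".boost-container-scan": {
        "extends": [".boost_scan"],
        "variables": {"BOOST_IMAGE_NAME": "$CS_IMAGE"},
        "script": [Ref(".boost_setup", "before_script"),  # !reference [.boost_setup, before_script]
                   "export TRIVY_USERNAME=$CS_REGISTRY_USER",
                   "export TRIVY_PASSWORD=$CS_REGISTRY_PASSWORD",
                   Ref(".boost_scan", "script")],  # !reference [.boost_scan, script]
        "rules": [
            {"if": '$CI_PIPELINE_SOURCE == "merge_request_event" && $CS_IMAGE',
             "variables": {"BOOST_SCANNER_REGISTRY_MODULE": "boostsecurityio/trivy-image"}},
            {"if": '($CI_PIPELINE_SOURCE == "push") && ($CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH) && $CS_IMAGE',
             "variables": {"BOOST_SCANNER_REGISTRY_MODULE": "boostsecurityio/trivy-sbom-image"}},
        ],
    },
    "boost-container-scan": {
        "extends": [".boost-container-scan"],
        "before_script": ['echo "Add logic here"'],
        "variables": {"CS_IMAGE": "example.com/user/image:tag"},
    },
}

def resolve_job(config, name):
    """Merge a job with its `extends` parents: child keys win, `variables` deep-merges."""
    job = dict(config[name])
    for parent in job.pop("extends", []):
        for key, value in resolve_job(config, parent).items():
            merged = {**value, **job[key]} if key == "variables" and key in job else job.get(key, value)
            job[key] = merged
    return job

def expand_refs(config, value):
    """Inline `!reference` tags, splicing a referenced list into the enclosing list."""
    if isinstance(value, Ref):
        return expand_refs(config, config[value.job][value.key])
    if isinstance(value, dict):
        return {k: expand_refs(config, v) for k, v in value.items()}
    if not isinstance(value, list):
        return value
    out = []
    for item in value:
        expanded = expand_refs(config, item)
        out.extend(expanded if isinstance(item, Ref) and isinstance(expanded, list) else [expanded])
    return out

_TOKEN = re.compile(r'\(|\)|&&|\|\||==|!=|\$\w+|"[^"]*"')
_PREC = {"||": 1, "&&": 2, "==": 3, "!=": 3}
_OPS = {"||": lambda a, b: a or b, "&&": lambda a, b: a and b, "==": operator.eq, "!=": operator.ne}

def evaluate_if(expr, variables):
    """Evaluate a `rules:if` expression (==, !=, &&, ||, parentheses) by precedence climbing.
    Unset variables are None and "" also counts as false (a simplification assumed here)."""
    tokens, pos = _TOKEN.findall(expr), 0
    if re.sub(r"\s", "", "".join(tokens)) != re.sub(r"\s", "", expr):
        raise ValueError(f"unsupported rules:if syntax in {expr!r}")  # e.g. =~ is not handled
    def take():  # an IndexError here means the expression ended early
        nonlocal pos
        pos += 1
        return tokens[pos - 1]
    def operand():
        tok = take()
        if tok == "(":
            val = expression(0)
            if take() != ")":
                raise ValueError("expected ')'")
            return val
        if tok[0] not in '$"':
            raise ValueError(f"unexpected token {tok!r}")
        return variables.get(tok[1:]) if tok[0] == "$" else tok[1:-1]
    def expression(min_prec):
        val = operand()
        while pos < len(tokens) and tokens[pos] in _PREC and _PREC[tokens[pos]] >= min_prec:
            op = take()
            rhs = expression(_PREC[op] + 1)  # parse the right side even when `val` already decides
            val = _OPS[op](val, rhs)
        return val
    result = expression(0)
    if pos != len(tokens):
        raise ValueError("unexpected trailing tokens")
    return bool(result)

def select_module(config, job_name, pipeline):
    """Resolve the job and return the module set by its first matching rule, or None."""
    job = expand_refs(config, resolve_job(config, job_name))
    # Job-level variables are visible to the rule (the page's rule tests $CS_IMAGE); predefined
    # pipeline variables win over them in this simplified precedence model.
    variables = {**job.get("variables", {}), **pipeline}
    for rule in job.get("rules", []):
        if "if" not in rule or evaluate_if(rule["if"], variables):
            return rule.get("variables", {}).get("BOOST_SCANNER_REGISTRY_MODULE")
    return None  # no rule matched: GitLab would leave the job out of the pipeline
```

Calling `select_module(SAMPLE_CI, "boost-container-scan", {"CI_PIPELINE_SOURCE": "merge_request_event"})` returns the trivy-image module, a push to the default branch returns the trivy-sbom-image module, and a push to any other branch (or a job without CS_IMAGE) returns None, meaning the scan job would not be added to that pipeline. The evaluator deliberately rejects syntax it does not model, such as `=~`, rather than guessing; for the authoritative merged result, compare against the merged YAML shown by GitLab's pipeline editor before relying on it.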