In today’s fast-paced software development environment, DevSecOps teams are continuously looking for ways to streamline their workflows while ensuring that their applications remain secure. Two tools that have become indispensable in the world of containerized applications are Docker and GitLab. In this blog post, we’ll explore how combining Docker’s registry management and security capabilities with GitLab Ultimate’s CI/CD and security features can provide a powerful, secure, and efficient workflow.
What Is Docker Scout?
Docker Scout is a powerful security tool provided by Docker to help organizations gain deeper insights into the security of their container images. It offers a unified view of vulnerabilities across all container images in an organization, making it easier to manage and mitigate risks. Docker Scout automatically scans container images for vulnerabilities as they are pushed to the registry, identifies newly disclosed vulnerabilities that impact images in the registry, and provides actionable insights to improve security posture. Finally, Docker Scout offers policy enforcement capabilities beyond known open source vulnerabilities that are crucial for software supply chain and application security.
Why Use Docker Scout with GitLab Ultimate?
GitLab Ultimate is known for its robust CI/CD capabilities and built-in security scanning tools. It provides a comprehensive security dashboard and vulnerability reports across all of the different types of vulnerabilities found via SAST, DAST, container scanning, IaC scanning, and more. It also provides security gates via the ability to set merge request approval policies based on security scan results. However, while GitLab’s built-in container scanning tools are effective, its container registry lacks some of the container features available with Docker. Utilizing Docker Hub and integrating Docker Scout with GitLab pipelines brings several additional benefits to the table:
1. Enhanced Vulnerability Insights for Images
Docker Scout provides a unified view of vulnerabilities impacting container images across the application landscape, bringing container security to the forefront of application security. It makes it easier to identify trends and make informed decisions about container image usage, remediation prioritization, and security policies to secure containerized applications effectively.
2. Policy Enforcement for Secure Containers
Docker Scout allows organizations to define and enforce policies for container images. For example, you can:
Restrict the use of base images to an approved list
Ensure that all containers are configured to run as non-root users by default
Validate that images contain SBOM and provenance attestations
These policies further enhance the security of the software supply chain and reduce the risk of security misconfigurations in application containers.
3. Identification of Newly Disclosed Vulnerabilities
One of the key advantages of Docker Scout is its continuous monitoring of container images. As new critical and high severity vulnerabilities are added to NVD, Docker Scout will recheck your existing images and alert you if you are impacted. This helps security teams react faster to emerging threats, reducing the time it takes to patch or mitigate critical vulnerabilities.
How to Integrate Docker Scout with GitLab
Integrating Docker Scout with GitLab Ultimate is a straightforward process. You will want to modify your existing build job with these steps:
In a before_script block, install curl and run a curl command to install the Docker Scout CLI.
Add a line in your script block, after your docker build, that runs the Docker Scout scan with the GitLab output format and saves the results to a file named gl-security-report.json. Note that Docker Scout supports the required GitLab security report format out of the box (awesome!), so we don't have to write a script to manipulate it!
Save gl-security-report.json as the appropriate artifact type in the build job.
Your complete build job would end up looking something like this (view the repository):

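The following is an added illustration of the three steps above, not the job from the author's repository. It assumes a docker:dind runner, a Docker Hub repository named by DOCKERHUB_REPO, and masked CI/CD variables DOCKERHUB_USER and DOCKERHUB_PAT for the Docker Hub login that Docker Scout needs.

```yaml
# Added example (not the post's own job): build, scan with Docker Scout, and
# hand the report to GitLab as a container_scanning artifact.
# Assumed, not from the post: docker:dind, a Docker Hub repo in DOCKERHUB_REPO,
# and masked variables DOCKERHUB_USER / DOCKERHUB_PAT for docker login.
stages:
  - build

build:
  stage: build
  image: docker:27
  services:
    - docker:27-dind
  variables:
    IMAGE: "$DOCKERHUB_REPO:$CI_COMMIT_SHORT_SHA"   # e.g. myorg/myapp:abc1234 (constructed)
  before_script:
    # Step 1: curl is needed to fetch the Docker Scout CLI installer.
    - apk add --no-cache curl
    - curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s --
    # Docker Scout queries Docker Hub for vulnerability data, so log in with a
    # personal access token read from a masked variable, never a literal.
    - echo "$DOCKERHUB_PAT" | docker login -u "$DOCKERHUB_USER" --password-stdin
  script:
    - docker build --pull -t "$IMAGE" .
    # Step 2: scan the image just built. --format gitlab emits the schema that
    # GitLab's security tab ingests, so no post-processing script is needed.
    - docker scout cves "$IMAGE" --format gitlab --output gl-security-report.json
    # Optional hard gate: fail this job on critical/high findings rather than
    # relying only on GitLab merge request approval policies.
    # - docker scout cves "$IMAGE" --exit-code --only-severity critical,high
    - docker push "$IMAGE"
  artifacts:
    # Step 3: container_scanning is the report type GitLab shows in the
    # pipeline Security tab and the vulnerability report.
    reports:
      container_scanning: gl-security-report.json
    paths:
      - gl-security-report.json
    # Keep the report even when a later step fails, so findings are never lost.
    when: always
```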
This integration ensures that you can leverage the strengths of both tools to create a secure and efficient DevSecOps workflow. You will see the vulnerabilities found by the Docker Scout scan in the pipeline security tab, and any newly introduced vulnerabilities in a feature branch will be handled just like any vulnerabilities found by the GitLab security scans.
Conclusion
Using Docker Scout with GitLab Ultimate provides DevOps teams with a powerful combination of tools to manage container security effectively. Docker Scout enhances GitLab’s security capabilities by providing continuous vulnerability scans, unified vulnerability management, and policy enforcement. By integrating Docker Scout into your GitLab CI/CD pipeline, you can ensure that your containerized applications remain secure from development to production.
See a demo of the integrated solution below.