aboutcode-org / scancode.io

ScanCode.io is a server to script and automate software composition analysis pipelines with ScanPipe pipelines. This project is sponsored by NLnet project https://nlnet.nl/project/vulnerabilitydatabase/ Google Summer of Code, nexB and others generous sponsors!
https://scancodeio.readthedocs.io
Apache License 2.0

Scan docker image available in organization registry #463

Open shusriva opened 2 years ago

shusriva commented 2 years ago

Hi Team,

How do I scan a docker image available in the organization's GitLab registry? Is there any way to do this in scancode.io?

pombredanne commented 2 years ago

@shusriva there would be two ways I can think of say with https://gitlab.com/gitlab-org/omnibus-gitlab/container_registry/

  1. docker save the image and upload it in the UI/API/CLI in a project that you scan with the docker pipeline. For instance I used the "copy image path" from gitlab to get registry.gitlab.com/gitlab-org/omnibus-gitlab:xenial from https://gitlab.com/gitlab-org/omnibus-gitlab/container_registry/75
docker pull registry.gitlab.com/gitlab-org/omnibus-gitlab:xenial
docker save registry.gitlab.com/gitlab-org/omnibus-gitlab:xenial > omnibus-gitlab-xenial.tar

and then use omnibus-gitlab-xenial.tar with "upload files" to your project.

  2. use directly a "docker"-style URL as the Download URL for your project, e.g. docker://registry.gitlab.com/gitlab-org/omnibus-gitlab:xenial, bypassing the local pull/save/upload. This will fetch the image directly from its registry.

I would be interested in 2. to know how we could handle authentication. We use https://github.com/containers/skopeo to fetch containers from remote registries, and this should be the same approach as using docker login saved configuration per https://github.com/containers/skopeo#authenticating-to-a-registry ... the trick is that this would be needed on the server side... If this is something you need, I would be really interested if you can report your experimentation there

In all cases, the overall flow would be https://scancodeio.readthedocs.io/en/latest/tutorial_web_ui_analyze_docker_image.html

shusriva commented 2 years ago

@pombredanne I would like to try approach 2 as it fits our requirement. I would also like to add that we have so many images that performing step 1 or step 2 will take a lot of time. Is there any better way to scan multiple images (let's say 150 images) in one shot?

pombredanne commented 2 years ago

> Is there any better way to scan multiple images (let's say 150 images) in one shot?

I would do it this way:

You could technically scan all images in a single project but I would not recommend it as it would be messy as this would be huge and would take much longer.

What are the typical base images and tech stack you use for these images? Also if you can share back your experience wrt. using the Gitlab API to list images that would be very nice.
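The two approaches above (docker save plus upload, or a docker:// download URL per project) and the question of scanning ~150 images in one shot can be combined into a small batch script: list the images from the GitLab container registry, build one docker:// input URL per image, and create one ScanCode.io project per image through the REST API, as this comment recommends over one huge project. The following is an added example for this thread, not code from the scancode.io project. It assumes GitLab's container-registry endpoints (GET /projects/:id/registry/repositories and .../repositories/:repo_id/tags, authenticated with the PRIVATE-TOKEN header), ScanCode.io's POST /api/projects/ accepting name, input_urls, pipeline and execute_now, and placeholder hosts, project id and environment variable names (GITLAB_TOKEN, SCANCODEIO_API_KEY).

```python
"""Batch-submit container images to ScanCode.io, one project per image.

Added example for this issue thread; not code from the scancode.io project.
Assumptions: the GitLab registry endpoints and ScanCode.io API fields named
in the docstrings, and the placeholder hosts, ids and env var names below.
"""
import json
import os
import re
import urllib.request
from typing import Callable, Iterable, List

GITLAB_URL = "https://gitlab.example.com"         # placeholder host
GITLAB_PROJECT_ID = "12345"                       # placeholder project id
SCANCODEIO_URL = "http://scancodeio.example.com"  # placeholder host

# Accept only plain "host[:port]/path/name:tag" references. Anything else
# (whitespace, shell metacharacters, digests) is rejected before it is
# handed to the server-side fetcher.
IMAGE_REF = re.compile(
    r"^[a-z0-9.-]+(:[0-9]+)?(/[a-z0-9._-]+)+:[A-Za-z0-9_.-]{1,128}$"
)


def docker_input_url(image_ref: str) -> str:
    """Turn a validated image reference into the docker:// download URL
    (approach 2 in the thread) that ScanCode.io fetches via skopeo."""
    if not IMAGE_REF.match(image_ref):
        raise ValueError(f"unsupported image reference: {image_ref!r}")
    return f"docker://{image_ref}"


def project_name(image_ref: str) -> str:
    """Derive a unique, filesystem-safe project name from the reference."""
    return re.sub(r"[^A-Za-z0-9_.-]+", "-", image_ref)


def project_payload(image_ref: str) -> dict:
    """Body for POST /api/projects/ (assumed fields): one project per image,
    docker pipeline, started immediately so a batch just queues up."""
    return {
        "name": project_name(image_ref),
        "input_urls": [docker_input_url(image_ref)],
        "pipeline": "docker",
        "execute_now": True,
    }


def list_registry_images(project_id: str, fetch: Callable[[str], object]) -> List[str]:
    """List every image:tag in a GitLab project's container registry.
    `fetch(url)` returns the parsed JSON of a GET and is injected so the
    function can be exercised offline. Tag objects carry a full "location"."""
    base = f"{GITLAB_URL}/api/v4/projects/{project_id}/registry/repositories"
    refs = []
    for repo in fetch(base):
        for tag in fetch(f"{base}/{repo['id']}/tags"):
            refs.append(tag["location"])
    return refs


def submit_all(image_refs: Iterable[str], post: Callable[[str, dict], object]) -> List[dict]:
    """Create one ScanCode.io project per image. References the validator
    rejects are reported and skipped instead of aborting the whole batch."""
    results = []
    for ref in image_refs:
        try:
            payload = project_payload(ref)
        except ValueError as exc:
            results.append({"image": ref, "error": str(exc)})
            continue
        response = post(f"{SCANCODEIO_URL}/api/projects/", payload)
        results.append({"image": ref, "response": response})
    return results


def _gitlab_get(url: str) -> object:
    req = urllib.request.Request(url, headers={"PRIVATE-TOKEN": os.environ["GITLAB_TOKEN"]})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def _scancodeio_post(url: str, payload: dict) -> object:
    req = urllib.request.Request(
        url,
        data=json.dumps(payload).encode(),
        method="POST",
        headers={
            "Content-Type": "application/json",
            "Authorization": f"Token {os.environ['SCANCODEIO_API_KEY']}",
        },
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # The ScanCode.io server itself must already hold the registry login
    # (docker/skopeo saved credentials on the server side), as noted above.
    for item in submit_all(list_registry_images(GITLAB_PROJECT_ID, _gitlab_get), _scancodeio_post):
        print(item)
```

Two caveats: the GitLab API paginates its listings, so for a registry with 150 images the real `_gitlab_get` has to follow the pagination headers or pass a per_page parameter, which the example leaves out; and because the docker:// fetch runs on the ScanCode.io server, the credentials for a private registry live there, not in this client, so the API key used here should be scoped to a dedicated automation user.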

shusriva commented 2 years ago

@pombredanne As per the current scenario, I have a pipeline in Gitlab which pulls almost 150 docker images from docker hub and gcr (image details are added in a file and provided as an input to the pipeline) and stores them in the Gitlab container registry. I wanted to integrate the scancodeio tool with my gitlab pipeline so that it scans each docker image after pulling from docker hub and before storing it in the gitlab container registry.

For pulling images from the public registry and publishing them into the private registry, we are using skopeo. These steps are automated with the gitlab ci pipeline.