wagoodman / dive

A tool for exploring each layer in a docker image
MIT License
46.65k stars 1.77k forks

How to use Dive in gitlab CI Securely? #493

Closed baojingh closed 10 months ago

baojingh commented 10 months ago

Issue: My understanding of dive is that dive has to pull the image to its local docker engine, and then dive can scan the docker image layers. I use dive in .gitlab-ci.yml. I have to mount the docker.sock file into my container, such as "-v /var/run/docker.sock:/var/run/docker.sock", which is not secure, I think.

My question is: how could I use dive in gitlab-ci.yml without "-v /var/run/docker.sock:/var/run/docker.sock"?

mark2185 commented 10 months ago

You could supply an image as an archive to circumvent the need for docker: just invoke it with `--source docker-archive <path-to-image.tar>` and it will read from the file.

How you get the file where you need it is up to you and your CI.

baojingh commented 10 months ago

Yes, thanks, I got your point.

aarongoldenthal commented 9 months ago

If anyone's looking for a more complete GitLab CI example for saving the archive file:

```yaml
dive:
  image:
    name: wagoodman/dive:latest
    entrypoint: ['']   # override the image's dive entrypoint so GitLab can run the script below
  script:
    - apk add --no-cache skopeo
    # copy the image straight from the registry into a docker-archive tar; no daemon or socket needed
    - skopeo copy docker://${IMAGE_NAME}:${IMAGE_TAG} docker-archive:archive.tar
    - dive --source docker-archive archive.tar
```
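Both replies above hinge on handing dive a docker-archive tar instead of a daemon socket. As an added example (not dive's or skopeo's own code), this parser reads that format: it loads manifest.json, checks that every referenced config and layer file is present, and verifies that the sha256 of each uncompressed layer tar equals the diff_id recorded in the image config, so a CI job can sanity-check the artifact skopeo produced before running `dive --source docker-archive`. The sample archive, its tag and the `l1.tar`/`l2.tar` member names are constructed here and are assumptions; `docker save` and skopeo name layer files differently.

```python
import hashlib
import io
import json
import tarfile


def _tar_bytes(files):  # uncompressed tar in memory from a {name: bytes} mapping
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def inspect_docker_archive(fileobj):
    """One dict per image: tags, (layer path, size) pairs, and whether every layer
    tar's sha256 equals the diff_id in the image config (layers are uncompressed)."""
    with tarfile.open(fileobj=fileobj, mode="r:*") as tf:
        members = {m.name: m for m in tf.getmembers()}
        manifest = json.load(tf.extractfile(members["manifest.json"]))  # KeyError if absent
        images = []
        for entry in manifest:
            missing = [f for f in [entry["Config"], *entry["Layers"]] if f not in members]
            if missing:
                raise ValueError(f"manifest references missing files: {missing}")
            config = json.load(tf.extractfile(members[entry["Config"]]))
            diff_ids = config["rootfs"]["diff_ids"]
            layers, intact = [], len(diff_ids) == len(entry["Layers"])
            for path, diff_id in zip(entry["Layers"], diff_ids):
                data = tf.extractfile(members[path]).read()
                intact &= "sha256:" + hashlib.sha256(data).hexdigest() == diff_id
                layers.append((path, len(data)))
            images.append({"tags": entry.get("RepoTags") or [], "layers": layers, "layers_match_config": intact})
        return images


def build_sample_archive(tamper=False):
    """Constructed two-layer docker-archive (not a real image), returned as a file object."""
    layer1 = _tar_bytes({"etc/os-release": b"ID=sample\n"})
    layer2 = _tar_bytes({"app/run.sh": b"#!/bin/sh\necho hi\n"})
    diff_ids = ["sha256:" + hashlib.sha256(l).hexdigest() for l in (layer1, layer2)]
    if tamper:  # layer altered after the config was written, so its diff_id no longer matches
        layer2 = _tar_bytes({"app/run.sh": b"#!/bin/sh\necho changed\n"})
    config = {"os": "linux", "rootfs": {"type": "layers", "diff_ids": diff_ids}}
    manifest = [{"Config": "config.json", "RepoTags": ["example/app:1.0"], "Layers": ["l1.tar", "l2.tar"]}]
    return io.BytesIO(_tar_bytes({"manifest.json": json.dumps(manifest).encode(),
                                  "config.json": json.dumps(config).encode(),
                                  "l1.tar": layer1, "l2.tar": layer2}))
```

A mismatch in `layers_match_config` means the archive was modified between being written and being handed to dive, which is worth failing the job on before any layer analysis runs.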