Integrate with GitLab
The Sysdig Vulnerability CLI scanner output is not compatible with GitLab by default. Use the translator tool below to convert the Sysdig CLI scanner output to the GitLab report format so that GitLab can render it as a visual vulnerability report.
Prerequisites
Have the following ready:
- GitLab Ultimate.
- A Sysdig Secure API token. See Retrieve the Sysdig API Token.
- The Sysdig Secure URL for your region. See SaaS Regions and IP Ranges.
Run in GitLab
The pipeline below runs the Sysdig CLI Scanner, translates its output to the GitLab container scanning report format, and uploads the result to GitLab as a report artifact.
In GitLab, add the following to your .gitlab-ci.yml file:
stages: # List of stages for jobs, and their order of execution
  - scan
  - stop_on_fail # Only if you want to stop upon failed scan or scanner error

container_scanning:
  stage: scan
  variables:
    SECURE_API_TOKEN: $SECURE_TOKEN # Your Sysdig Secure API Token
    SECURE_URL: https://secure.sysdig.com # Your Sysdig Secure endpoint
    IMAGE: nginx:1.20 # Image to scan
    EXTRA_CLI_PARAMS: --override-pullstring=myimage # CLI Scanner parameters
    STOP_ON_FAIL: true # Stop on failed scan
    STOP_ON_SCANNER_FAIL: true # Stop on scanner error
    GITLAB_REPORT: gitlab-report.json # GitLab vulnerabilities report filename
  script:
    - touch $GITLAB_REPORT # Create the report file
    - docker run --env-file <(env) -v "$(pwd)"/${GITLAB_REPORT}:/gitlab-report.json --rm quay.io/sysdig/gitlab-scanner:latest $IMAGE || echo $? > scan_code
  allow_failure: true # Allow failure. It won't upload the vuln report if this stage fails.
  # Check the following discussion for more info: https://gitlab.com/gitlab-org/gitlab/-/issues/241342
  artifacts:
    paths:
      - scan_code # Scan result code for 'stop_on_fail' stage.
    reports:
      container_scanning: $GITLAB_REPORT # Upload the report as an artifact

stop_on_fail:
  stage: stop_on_fail
  dependencies:
    - container_scanning
  script:
    - exit $(cat scan_code || echo 0) # Fail if scan_code exists and contains value != 0
SECURE_API_TOKEN: Use your Sysdig Secure API token.
SECURE_URL: Use your Sysdig Secure URL.
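If the report is uploaded but nothing appears in the GitLab vulnerability view, the usual cause is a malformed report file. The following Python check is an added example, not part of the Sysdig or GitLab tooling: it validates a generated gitlab-report.json against the subset of GitLab's container scanning report schema that the dashboard depends on (field names taken from the published GitLab security report schema, which is an assumption about the schema version in use), using a constructed sample report.

```python
import json
from typing import List

# Severity values accepted by GitLab's security report schema.
GITLAB_SEVERITIES = {"Info", "Unknown", "Low", "Medium", "High", "Critical"}

# Keys this check requires. This is a subset (assumption) of the GitLab
# container-scanning report schema, enough to catch the common reasons a
# report silently fails to render in the merge request widget.
REQUIRED_TOP = ("version", "vulnerabilities")
REQUIRED_VULN = ("id", "name", "description", "severity", "identifiers", "location")


def validate_gitlab_report(text: str) -> List[str]:
    """Return a list of problems found in a container-scanning report (empty if OK)."""
    problems: List[str] = []
    try:
        report = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    for key in REQUIRED_TOP:
        if key not in report:
            problems.append(f"missing top-level key '{key}'")
    if problems:
        return problems
    seen_ids = set()
    for i, vuln in enumerate(report["vulnerabilities"]):
        for key in REQUIRED_VULN:
            if key not in vuln:
                problems.append(f"vulnerabilities[{i}]: missing '{key}'")
        if vuln.get("severity") not in GITLAB_SEVERITIES:
            problems.append(f"vulnerabilities[{i}]: severity {vuln.get('severity')!r} is not a GitLab severity")
        vid = vuln.get("id")
        if vid in seen_ids:  # GitLab deduplicates on id; duplicates hide findings
            problems.append(f"vulnerabilities[{i}]: duplicate id {vid!r}")
        seen_ids.add(vid)
        if "location" in vuln and "image" not in vuln["location"]:
            problems.append(f"vulnerabilities[{i}]: location has no 'image'")
    return problems


# Constructed sample report: one well-formed finding and one broken one.
SAMPLE_REPORT = json.dumps({
    "version": "15.0.4",
    "vulnerabilities": [
        {"id": "CVE-0000-0001-nginx", "name": "Example finding", "description": "constructed",
         "severity": "High", "identifiers": [{"type": "cve", "name": "CVE-0000-0001", "value": "CVE-0000-0001"}],
         "location": {"image": "nginx:1.20", "dependency": {"package": {"name": "openssl"}, "version": "1.1.1"}}},
        {"id": "CVE-0000-0001-nginx", "name": "Duplicate id, bad severity", "description": "constructed",
         "severity": "critical", "identifiers": [], "location": {}},
    ],
})

if __name__ == "__main__":
    for problem in validate_gitlab_report(SAMPLE_REPORT):
        print(problem)
```

Run it against the real gitlab-report.json (for example as an extra script line before the artifact is uploaded) to fail the job early with a readable reason instead of an empty report in GitLab.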
Test the Integration
To test the integration:
- Create a new project or repository in GitLab.
- Add a Dockerfile whose base image has known vulnerabilities. For examples of such images, see Vulhub.
- Follow the instructions in Run in GitLab.
- Make a merge request.
GitLab automatically triggers the pipeline, which builds the image, runs the scanner and generates the report.
If you click on the report, you will see the following: