GitLab Integration

The output of the Sysdig Vulnerability CLI scanner is not compatible with GitLab by default. Use the translator tool below to convert the Sysdig CLI scanner output to GitLab's container scanning report format, so that GitLab can generate its visual reports automatically.

Prerequisites

Have the following ready:

Run in GitLab

The job below runs the Sysdig CLI Scanner, translates its output into a format GitLab accepts, and uploads the result to GitLab as a container scanning report.

In GitLab, add the following to your .gitlab-ci.yml file:

stages:          # List of stages for jobs, and their order of execution
  - scan

container_scanning:
  stage: scan
  script:
    - docker build -t image-to-scan .     # Build the image to scan
    - touch gitlab-report.json            # Create the report file
    # Run the scanner
    - docker run -e SECURE_API_TOKEN=$SECURE_API_TOKEN -e SECURE_URL=$SYSDIG_SECURE_ENDPOINT -v /var/run/docker.sock:/var/run/docker.sock -v "$(pwd)"/gitlab-report.json:/gitlab-report.json --rm quay.io/sysdig/gitlab-scanner:latest image-to-scan
  allow_failure: true
  artifacts:
    reports:
      container_scanning: gitlab-report.json # Upload the report as an artifact

  • SECURE_API_TOKEN: Use your Sysdig Secure API token.
  • SECURE_URL: Use your Sysdig Secure URL.
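Because the job runs with allow_failure: true, an empty or malformed gitlab-report.json (for example when the scanner container exits early and leaves only the touched file behind) does not stop the pipeline, and the merge request simply shows no findings. The following Python is an added example, not part of Sysdig's scanner, the translator, or the pipeline above: it checks that the translated file has the shape GitLab's container scanning report expects, counts findings per severity, and lets you fail the job on your own threshold. The report structure it checks (top-level version, scan and vulnerabilities keys, and the per-finding fields) is assumed from GitLab's report format; the embedded sample report and its package names and identifiers are constructed placeholders, not real findings.

```python
"""Sanity-check a translated GitLab container scanning report.

Added example; not Sysdig's code.  Assumes gitlab-report.json follows the
GitLab container scanning report layout (version / scan / vulnerabilities).
"""
import json
import sys
from collections import Counter

# Constructed sample report in the assumed GitLab shape.  Package names and
# CVE-style identifiers are placeholders, not real vulnerabilities.
SAMPLE_REPORT = json.dumps({
    "version": "15.0.4",
    "scan": {
        "scanner": {"id": "sysdig", "name": "Sysdig CLI Scanner",
                    "version": "0.0.0", "vendor": {"name": "Sysdig"}},
        "type": "container_scanning",
        "start_time": "2024-01-01T00:00:00",
        "end_time": "2024-01-01T00:01:00",
        "status": "success",
    },
    "vulnerabilities": [
        {"id": "example-1", "name": "PLACEHOLDER-CVE-A", "description": "constructed",
         "severity": "Critical",
         "location": {"image": "image-to-scan",
                      "dependency": {"package": {"name": "libexample"}, "version": "1.0"}},
         "identifiers": [{"type": "cve", "name": "PLACEHOLDER-CVE-A", "value": "PLACEHOLDER-CVE-A"}]},
        {"id": "example-2", "name": "PLACEHOLDER-CVE-B", "description": "constructed",
         "severity": "Low",
         "location": {"image": "image-to-scan",
                      "dependency": {"package": {"name": "libother"}, "version": "2.3"}},
         "identifiers": [{"type": "cve", "name": "PLACEHOLDER-CVE-B", "value": "PLACEHOLDER-CVE-B"}]},
    ],
})

# GitLab's severity vocabulary, most severe first (assumed from its report format).
SEVERITIES = ["Critical", "High", "Medium", "Low", "Unknown", "Info"]
SEVERITY_RANK = {s: i for i, s in enumerate(SEVERITIES)}
REQUIRED_TOP = ("version", "scan", "vulnerabilities")
REQUIRED_PER_FINDING = ("id", "name", "severity", "location", "identifiers")


def validate_report(text):
    """Return a list of problems; an empty list means the report looks ingestible."""
    problems = []
    try:
        report = json.loads(text)
    except json.JSONDecodeError as exc:
        # A file that was only 'touch'ed and never written ends up here.
        return [f"not valid JSON: {exc}"]
    for key in REQUIRED_TOP:
        if key not in report:
            problems.append(f"missing top-level key: {key}")
    if not isinstance(report.get("vulnerabilities"), list):
        problems.append("'vulnerabilities' must be a list")
        return problems
    for i, vuln in enumerate(report["vulnerabilities"]):
        for key in REQUIRED_PER_FINDING:
            if key not in vuln:
                problems.append(f"vulnerability {i}: missing {key}")
        if vuln.get("severity") not in SEVERITY_RANK:
            problems.append(f"vulnerability {i}: unknown severity {vuln.get('severity')!r}")
    return problems


def severity_counts(text):
    """Number of findings per severity, e.g. {'Critical': 1, 'Low': 1}."""
    report = json.loads(text)
    return dict(Counter(v.get("severity", "Unknown") for v in report["vulnerabilities"]))


def exceeds_threshold(text, worst_allowed="High"):
    """True if any finding is more severe than worst_allowed.

    With the default 'High', any Critical finding trips the gate; unknown
    severity strings are treated as not exceeding the threshold.
    """
    limit = SEVERITY_RANK[worst_allowed]
    return any(SEVERITY_RANK.get(v.get("severity"), len(SEVERITIES)) < limit
               for v in json.loads(text)["vulnerabilities"])


if __name__ == "__main__":
    # Usage: python3 check_report.py gitlab-report.json [worst_allowed_severity]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    worst_allowed = sys.argv[2] if len(sys.argv) > 2 else "High"
    errors = validate_report(text)
    if errors:
        print("report rejected:", *errors, sep="\n  ")
        sys.exit(2)
    print("findings by severity:", severity_counts(text))
    sys.exit(1 if exceeds_threshold(text, worst_allowed) else 0)
```

Run it as an extra script step after the docker run line, for example python3 check_report.py gitlab-report.json High; because this step exits non-zero on a rejected report or on findings above the threshold, the job fails visibly instead of silently uploading an unusable report. Keep allow_failure: true only if you want that failure to be a warning rather than a merge blocker.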

Test the Integration

To test the integration:

  1. Create a new project/repository in GitLab.
  2. Add a Dockerfile whose base image has known vulnerabilities. Any Ubuntu or UBI image will do the trick.
  3. Follow the instructions in Run in GitLab.
  4. Make a merge request.

GitLab triggers the pipeline automatically: it builds the image, runs the scanner, and generates the report.

If you click on the report, you will see the following: