2.6 KiB
stage | group | info |
---|---|---|
Configure | Configure | To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments |
Container vulnerability scanning (ULTIMATE)
Introduced in GitLab 14.8.
To view cluster vulnerabilities, you can view the vulnerability report. You can also configure your agent so the vulnerabilities are displayed with other agent information in GitLab.
View cluster vulnerabilities
Prerequisite:
- You must have at least the Developer role.
- Cluster image scanning must be part of your build process.
To view vulnerability information in GitLab:
- On the top bar, select Menu > Projects and find the project that contains the agent configuration file.
- On the left sidebar, select Infrastructure > Kubernetes clusters.
- Select the Agent tab.
- Select the agent you want to see the vulnerabilities for.
Enable cluster vulnerability scanning (ULTIMATE)
You can use cluster image scanning to scan container images in your cluster for security vulnerabilities.
To begin scanning all resources in your cluster, add a starboard
configuration block to your agent configuration with a cadence
field
containing a CRON expression for when the scans will be run.
starboard:
vulnerability_report:
cadence: '0 0 * * *' # Daily at 00:00 (Kubernetes cluster time)
The cadence
field is required. GitLab supports the following types of CRON syntax for the cadence field:
- A daily cadence of once per hour at a specified hour, for example:
0 18 * * *
- A weekly cadence of once per week on a specified day and at a specified hour, for example:
0 13 * * 0
It is possible that other elements of the CRON syntax will work in the cadence field, however, GitLab does not officially test or support them.
By default, cluster image scanning will attempt to scan the workloads in all
namespaces for vulnerabilities. The vulnerability_report
block has a namespaces
field which can be used to restrict which namespaces are scanned. For example,
if you would like to scan only the development
, staging
, and production
namespaces, you can use this configuration:
starboard:
vulnerability_report:
cadence: '0 0 * * *'
namespaces:
- development
- staging
- production