The following example runs in GitLab CI in a repository containing a Docker image's definition and contents. Triggered by a commit, the pipeline builds the image. If the commit was to the default branch, it uses Docker Scout to get a CVE report. If the commit was to a different branch, it uses Docker Scout to compare the new version to the current published version.
Steps
First, set up the rest of the workflow. There's a lot that's not specific to Docker Scout but needed to create the images to compare.
Add the following to a .gitlab-ci.yml file at the root of your repository.
This sets up the workflow to build Docker images in Docker-in-Docker mode, running Docker inside a container.
It then downloads curl and the Docker Scout CLI plugin, and logs into the Docker registry using environment variables defined in your repository's CI/CD settings.
Add the following to the YAML file:
This creates the flow mentioned previously. If the commit was to the default branch, Docker Scout generates a CVE report. If the commit was to a different branch, Docker Scout compares the new version to the current published version. It only shows critical or high-severity vulnerabilities and ignores vulnerabilities that haven't changed since the last analysis.
Add the following to the YAML file:
These final lines ensure that the pipeline only runs if the commit changes a Dockerfile and if the commit was pushed to a branch.
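The three fragments described above, assembled into one complete .gitlab-ci.yml, as an added example rather than the page's own YAML. It assumes two masked CI/CD variables, DOCKER_USER and DOCKER_PAT (a Docker Hub username and personal access token), and a constructed image name $DOCKER_USER/scout-demo published under the tag latest; the GitLab predefined variables (CI_COMMIT_BRANCH, CI_DEFAULT_BRANCH, CI_COMMIT_REF_SLUG) are real.

```yaml
# Added example .gitlab-ci.yml (not the documentation's own file).
# Assumptions: DOCKER_USER / DOCKER_PAT are masked CI/CD variables holding a
# Docker Hub username and personal access token; the image is published as
# $DOCKER_USER/scout-demo (constructed name) with the tag "latest".
stages:
  - build

variables:
  DOCKER_TLS_CERTDIR: "/certs"     # required for the docker:dind service
  IMAGE: "$DOCKER_USER/scout-demo"

docker-build:
  stage: build
  image: docker:latest
  services:
    - docker:dind
  before_script:
    # Install curl and the Docker Scout CLI plugin via its install script
    - apk add --no-cache curl
    - curl -fsSL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh -o install-scout.sh
    - sh install-scout.sh
    # Docker Scout needs an authenticated Docker Hub session; read the token from stdin
    # so it never appears in the job log or process list
    - echo "$DOCKER_PAT" | docker login -u "$DOCKER_USER" --password-stdin
  script:
    - |
      # Default branch publishes "latest"; any other branch gets a branch-derived tag
      if [ "$CI_COMMIT_BRANCH" = "$CI_DEFAULT_BRANCH" ]; then
        TAG="latest"
      else
        TAG="$CI_COMMIT_REF_SLUG"
      fi
      docker build --pull -t "$IMAGE:$TAG" .

      if [ "$CI_COMMIT_BRANCH" = "$CI_DEFAULT_BRANCH" ]; then
        # Default branch: full CVE report limited to critical/high findings.
        # --exit-code makes the job fail when such findings exist, so the
        # pipeline acts as a gate instead of only producing a report.
        docker scout cves "$IMAGE:$TAG" --only-severity critical,high --exit-code
      else
        # Other branches: diff the new build against the published image,
        # hiding vulnerabilities that are unchanged since the last analysis.
        docker scout compare "$IMAGE:$TAG" --to "$IMAGE:latest" \
          --only-severity critical,high --ignore-unchanged --exit-code
      fi

      # Only reached when the Scout step passed
      docker push "$IMAGE:$TAG"
  rules:
    # Run only for branch pushes whose changes include a Dockerfile
    - if: $CI_COMMIT_BRANCH
      changes:
        - Dockerfile
```

Because `docker push` follows the Scout command in the same script block, a non-zero exit from `docker scout cves` or `docker scout compare` stops the job before anything is published; drop `--exit-code` if you want the report without blocking the push.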
Video walkthrough
The following is a video walkthrough of the process of setting up the workflow with GitLab.