Skip to content

Analysis: GitLab CI Services for Container Scanning

This document provides an analysis of using GitLab CI/CD Services for enhancing our container scanning workflow.

Executive Summary

GitLab CI Services provide an excellent way to improve our container scanning workflow, particularly for distroless containers. The services approach allows us to create specialized, pre-configured environments for scanning while maintaining a clean separation between the scanning tools and the CI/CD job itself.

Recommendation: Implement GitLab CI Services for our scanning workflow to improve maintainability, consistency, and support for both standard and distroless container scanning approaches.

Key Findings

Benefits

  1. Pre-configured Scanning Environment: Services allow us to create Docker images with CINC Auditor, the train-k8s-container plugin, and the SAF CLI pre-installed, eliminating the need to install these in each job.

  2. Support for Both Scanning Approaches: Different service containers can be created for standard and distroless container scanning, supporting both our approaches without complicating the CI/CD configuration.

  3. Improved Consistency: Every scan job uses the exact same scanning environment, reducing variability and potential issues across different runners.

  4. Reduced Setup Time: By moving the installation of dependencies to the container build process, we reduce the runtime of each job significantly.

  5. Better Isolation: Scanning tools are isolated from the CI/CD environment, reducing potential conflicts with other job dependencies.

Potential Challenges

  1. Additional Complexity: Introducing services adds another layer to the CI/CD configuration, which may be challenging for users to understand initially.

  2. Docker-in-Docker Requirements: Services require either Docker socket access or Docker-in-Docker service, which may not be available in all CI/CD environments.

  3. Maintenance Overhead: Scanner service images need to be maintained and updated as dependencies change.

Implementation Recommendations

1. Create Specialized Service Images

Build and maintain two specialized Docker images:

  • Standard Scanner Image: Contains CINC Auditor with the train-k8s-container plugin for scanning standard containers.
  • Distroless Scanner Image: Includes the additional tooling needed for our distroless container scanning approach.

2. Provide Clear Documentation

Create clear documentation that explains:

  • How services are used in the scanning workflow
  • When to use standard vs. distroless scanning
  • How to troubleshoot common issues

3. CI/CD Configuration Examples

Provide both basic examples for simple setups and advanced examples that leverage services for more complex scenarios.

4. Performance Considerations

  • Services add some overhead due to additional container startup
  • Balance this with the time saved by not installing dependencies in each job
  • Consider caching strategies for service images

Comparison with GitHub Actions

While GitHub Actions doesn't provide an exact equivalent to GitLab CI Services, similar benefits can be achieved using:

  • Custom container actions
  • Service containers feature
  • Job containers that come pre-configured with necessary tools

For GitHub Actions integration, we recommend a similar approach of creating specialized containers while accounting for the differences in how GitHub Actions handles services.

Next Steps

  1. Build and publish the scanner service Docker images
  2. Update GitLab CI example templates to demonstrate services usage
  3. Enhance documentation to explain the services approach
  4. Create parallel GitHub Actions examples for cross-platform compatibility

Conclusion

GitLab CI Services provide a significant enhancement to our container scanning workflow without overcomplicating it. By creating specialized, pre-configured scanner images, we can improve consistency, reduce setup time, and better support both standard and distroless container scanning approaches. The benefits outweigh the additional complexity, making services an excellent choice for improving our GitLab CI integration.