# Container Scanning
> 原文:[https://docs.gitlab.com/ee/user/application_security/container_scanning/](https://docs.gitlab.com/ee/user/application_security/container_scanning/)
* [Overview](#overview)
* [Requirements](#requirements)
* [Configuration](#configuration)
* [Customizing the Container Scanning settings](#customizing-the-container-scanning-settings)
* [Available variables](#available-variables)
* [Overriding the Container Scanning template](#overriding-the-container-scanning-template)
* [Vulnerability allowlisting](#vulnerability-allowlisting)
* [Running Container Scanning in an offline environment](#running-container-scanning-in-an-offline-environment)
* [Requirements for offline Container Scanning](#requirements-for-offline-container-scanning)
* [Make GitLab Container Scanning analyzer images available inside your Docker registry](#make-gitlab-container-scanning-analyzer-images-available-inside-your-docker-registry)
* [Set Container Scanning CI job variables to use local Container Scanner analyzers](#set-container-scanning-ci-job-variables-to-use-local-container-scanner-analyzers)
* [Automating Container Scanning vulnerability database updates with a pipeline](#automating-container-scanning-vulnerability-database-updates-with-a-pipeline)
* [Running the standalone Container Scanning Tool](#running-the-standalone-container-scanning-tool)
* [Reports JSON format](#reports-json-format)
* [Security Dashboard](#security-dashboard)
* [Vulnerabilities database update](#vulnerabilities-database-update)
* [Interacting with the vulnerabilities](#interacting-with-the-vulnerabilities)
* [Solutions for vulnerabilities (auto-remediation)](#solutions-for-vulnerabilities-auto-remediation)
* [Troubleshooting](#troubleshooting)
* [`docker: Error response from daemon: failed to copy xattrs`](#docker-error-response-from-daemon-failed-to-copy-xattrs)
# Container Scanning[](#container-scanning-ultimate "Permalink")
[Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/3672) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 10.4.
## Overview[](#overview "Permalink")
应用程序的 Docker 映像本身可能基于包含已知漏洞的 Docker 映像. 通过在管道中包含一个额外的作业来扫描这些漏洞并将其显示在合并请求中,您可以使用 GitLab 来审核基于 Docker 的应用程序. 默认情况下,GitLab 中的容器扫描基于[Clair](https://github.com/quay/clair)和[Klar](https://github.com/optiopay/klar) ,这是用于对容器中的漏洞进行静态分析的开源工具. [GitLab 的 Klar 分析仪](https://gitlab.com/gitlab-org/security-products/analyzers/klar/)扫描容器并用作 Clair 的包装纸.
**注意:**要将除 Clair 和 Klar 以外的其他[安全扫描器集成](../../../development/integrations/secure.html)到 GitLab 中,请参阅" [安全扫描器集成"](../../../development/integrations/secure.html) .
您可以通过执行以下任一操作来启用容器扫描:
* 在现有的`.gitlab-ci.yml`文件中[包括 CI 作业](#configuration) .
* 隐式使用[Auto DevOps](../../../topics/autodevops/index.html)提供的[自动](../../../topics/autodevops/index.html) [容器扫描](../../../topics/autodevops/stages.html#auto-container-scanning-ultimate) .
GitLab 比较发现的源分支与目标分支之间的漏洞,并在合并请求中直接显示信息.
[](img/container_scanning_v13_2.png)
## Requirements[](#requirements "Permalink")
要在管道中启用容器扫描,您需要以下内容:
* 带有[Docker](https://docs.gitlab.com/runner/executors/docker.html)或[Kubernetes](https://docs.gitlab.com/runner/install/kubernetes.html)执行器的[GitLab Runner](https://docs.gitlab.com/runner/) .
* Docker `18.09.03`或更高版本与 Runner 安装在同一台计算机上. 如果您在 GitLab.com 上使用共享的 Runners,那么情况已经如此.
* [构建](../../packages/container_registry/index.html#container-registry-examples-with-gitlab-cicd) Docker 镜像[并将其推](../../packages/container_registry/index.html#container-registry-examples-with-gitlab-cicd)送到项目的容器注册表中. Docker 映像的名称应使用以下[预定义的环境变量](../../../ci/variables/predefined_variables.html) :
```
$CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA
```
您可以在`.gitlab-ci.yml`文件中直接使用它们:
```
build:
image: docker:19.03.12
stage: build
services:
- docker:19.03.12-dind
variables:
IMAGE_TAG: $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA
script:
- docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
- docker build -t $IMAGE_TAG .
- docker push $IMAGE_TAG
```
## Configuration[](#configuration "Permalink")
启用容器扫描的方式取决于您的 GitLab 版本:
* GitLab 11.9 及更高版本: [包括](../../../ci/yaml/README.html#includetemplate) GitLab 安装随附的[`Container-Scanning.gitlab-ci.yml`模板](https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml) .
* 11.9 之前的 GitLab 版本:从[`Container-Scanning.gitlab-ci.yml`模板](https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml)复制并使用作业.
要包括`Container-Scanning.gitlab-ci.yml`模板(GitLab 11.9 及更高版本),请将以下内容添加到您的`.gitlab-ci.yml`文件中:
```
include:
- template: Container-Scanning.gitlab-ci.yml
```
包含的模板:
* 在 CI / CD 管道中创建`container_scanning`作业.
* 从项目的[Container Registry 中](../../packages/container_registry/index.html)拉出已构建的 Docker 映像(请参阅[要求](#requirements) ),并扫描其可能的漏洞.
GitLab 将结果保存为" [容器扫描"报告工件](../../../ci/pipelines/job_artifacts.html#artifactsreportscontainer_scanning-ultimate) ,您可以稍后下载和分析. 下载时,您始终会收到最新的工件.
以下是一个示例`.gitlab-ci.yml` ,用于构建您的 Docker 映像,将其推送到 Container Registry 并扫描容器:
```
variables:
DOCKER_DRIVER: overlay2
stages:
- build
- test
build:
image: docker:stable
stage: build
services:
- docker:19.03.12-dind
variables:
IMAGE: $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA
script:
- docker info
- docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY
- docker build -t $IMAGE .
- docker push $IMAGE
include:
- template: Container-Scanning.gitlab-ci.yml
```
### Customizing the Container Scanning settings[](#customizing-the-container-scanning-settings "Permalink")
There may be cases where you want to customize how GitLab scans your containers. For example, you may want to enable more verbose output from Clair or Klar, access a Docker registry that requires authentication, and more. To change such settings, use the [`variables`](../../../ci/yaml/README.html#variables) parameter in your `.gitlab-ci.yml` to set [environment variables](#available-variables). The environment variables you set in your `.gitlab-ci.yml` overwrite those in `Container-Scanning.gitlab-ci.yml`.
此示例[包括](../../../ci/yaml/README.html#include)容器扫描模板,并通过将`CLAIR_OUTPUT`环境变量设置为`High`来启用 Clair 的详细输出:
```
include:
- template: Container-Scanning.gitlab-ci.yml
variables:
CLAIR_OUTPUT: High
```
#### Available variables[](#available-variables "Permalink")
可以使用环境变量[配置](#customizing-the-container-scanning-settings)容器扫描.
| 环境变量 | Description | Default |
| --- | --- | --- |
| `SECURE_ANALYZERS_PREFIX` | 设置用于下载分析器的 Docker 注册表基地址. | `"registry.gitlab.com/gitlab-org/security-products/analyzers"` |
| `KLAR_TRACE` | 设置为 true 可启用 klar 的更多详细输出. | `"false"` |
| `CLAIR_TRACE` | 设置为 true 可启用 clair 服务器进程的更多详细输出. | `"false"` |
| `DOCKER_USER` | 用于访问需要身份验证的 Docker 注册表的用户名. | `$CI_REGISTRY_USER` |
| `DOCKER_PASSWORD` | 访问需要身份验证的 Docker 注册表的密码. | `$CI_REGISTRY_PASSWORD` |
| `CLAIR_OUTPUT` | 严重级别阈值. 严重级别高于或等于此阈值的漏洞将被输出. 支持的级别为`Unknown` , `Negligible` , `Low` , `Medium` , `High` , `Critical`和`Defcon1` . | `Unknown` |
| `REGISTRY_INSECURE` | 允许[Klar](https://github.com/optiopay/klar)访问不安全的注册表(仅 HTTP). 仅应在本地测试图像时设置为`true` . | `"false"` |
| `DOCKER_INSECURE` | 允许[Klar](https://github.com/optiopay/klar)使用带有错误(或自签名)SSL 证书的 HTTPS 访问安全的 Docker 注册表. | `"false"` |
| `CLAIR_VULNERABILITIES_DB_URL` | (不推荐**使用-改为使用`CLAIR_DB_CONNECTION_STRING`** )此变量在`Container-Scanning.gitlab-ci.yml`文件的[services 部分](https://gitlab.com/gitlab-org/gitlab/-/blob/898c5da43504eba87b749625da50098d345b60d6/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml#L23)中显式设置,并且默认为`Container-Scanning.gitlab-ci.yml` `clair-vulnerabilities-db` . 该值表示[托管漏洞定义](https://hub.docker.com/r/arminc/clair-db)的[PostgreSQL 服务器](https://hub.docker.com/r/arminc/clair-db)正在运行的地址,除非您按照" [运行独立容器扫描工具"](#running-the-standalone-container-scanning-tool)部分中的说明在本地运行映像,否则**不应更改**该地址. | `clair-vulnerabilities-db` |
| `CLAIR_DB_CONNECTION_STRING` | 该变量表示[托管漏洞定义](https://hub.docker.com/r/arminc/clair-db)数据库的[PostgreSQL 服务器](https://hub.docker.com/r/arminc/clair-db)的[连接字符串](https://s0www0postgresql0org.icopy.site/docs/9.3/libpq-connect.html) ,除非您按照" [运行独立容器扫描工具"](#running-the-standalone-container-scanning-tool)部分中的说明在本地运行映像,否则**不应更改**该变量. 连接字符串的主机值必须与`Container-Scanning.gitlab-ci.yml`模板文件的[别名](https://gitlab.com/gitlab-org/gitlab/-/blob/898c5da43504eba87b749625da50098d345b60d6/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml#L23)值匹配,该[别名](https://gitlab.com/gitlab-org/gitlab/-/blob/898c5da43504eba87b749625da50098d345b60d6/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml#L23)默认为`clair-vulnerabilities-db` . | `postgresql://postgres:password@clair-vulnerabilities-db:5432/postgres?sslmode=disable&statement_timeout=60000` |
| `CI_APPLICATION_REPOSITORY` | Docker repository URL for the image to be scanned. | `$CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG` |
| `CI_APPLICATION_TAG` | 待扫描图像的 Docker 存储库标签. | `$CI_COMMIT_SHA` |
| `CLAIR_DB_IMAGE` | [托管漏洞定义](https://hub.docker.com/r/arminc/clair-db)的[PostgreSQL 服务器](https://hub.docker.com/r/arminc/clair-db)的 Docker 映像名称和标记. 使用特定版本覆盖此值可能很有用,例如,为了进行集成测试而提供一致的漏洞集,或在本地进行脱机安装时引用本地托管的漏洞数据库. | `arminc/clair-db:latest` |
| `CLAIR_DB_IMAGE_TAG` | (不推荐**使用-改为使用`CLAIR_DB_IMAGE`** ) [托管漏洞定义](https://hub.docker.com/r/arminc/clair-db)的[PostgreSQL 服务器](https://hub.docker.com/r/arminc/clair-db)的 Docker 映像标记. 可以使用特定版本覆盖此值,例如,为集成测试目的提供一致的漏洞集很有用. | `latest` |
| `DOCKERFILE_PATH` | 用于生成补救的`Dockerfile`的路径. 默认情况下,扫描程序将在项目的根目录中查找名为`Dockerfile`的文件,因此仅当您的`Dockerfile`位于非标准位置(例如子目录)时,才应配置此变量. 有关更多详细信息,请参见[漏洞解决方案](#solutions-for-vulnerabilities-auto-remediation) . | `Dockerfile` |
| `ADDITIONAL_CA_CERT_BUNDLE` | 您要信任的 CA 证书捆绑包. | ”” |
| `SECURE_LOG_LEVEL` | 可用的日志级别为: `fatal` , `error` , `warn` , `info` , `debug` | `info` |
### Overriding the Container Scanning template[](#overriding-the-container-scanning-template "Permalink")
如果要覆盖作业定义(例如,更改诸如`variables`属性),则必须在`container_scanning`模板之后声明一个`container_scanning`作业,然后指定任何其他键. 例如:
```
include:
- template: Container-Scanning.gitlab-ci.yml
container_scanning:
variables:
GIT_STRATEGY: fetch
```
**Deprecated:** GitLab 13.0 and later doesn’t support [`only` and `except`](../../../ci/yaml/README.html#onlyexcept-basic). When overriding the template, you must use [`rules`](../../../ci/yaml/README.html#rules) instead.
### Vulnerability allowlisting[](#vulnerability-allowlisting "Permalink")
要允许列表特定漏洞,请按照下列步骤操作:
1. 设置`GIT_STRATEGY: fetch`按照[覆盖容器扫描模板中](#overriding-the-container-scanning-template)的说明, `GIT_STRATEGY: fetch` `.gitlab-ci.yml`文件.
2. 在名为`vulnerability-allowlist.yml`的 YAML 文件中定义允许列出的漏洞. 这必须使用[许可清单示例文件中](https://gitlab.com/gitlab-org/security-products/analyzers/klar/-/raw/master/testdata/vulnerability-allowlist.yml)描述的格式.
3. 将`vulnerability-allowlist.yml`文件添加到项目的 Git 存储库中.
### Running Container Scanning in an offline environment[](#running-container-scanning-in-an-offline-environment "Permalink")
对于在通过互联网有限,受限或间歇性访问外部资源的环境中进行自我管理的 GitLab 实例,需要进行一些调整才能使容器扫描作业成功运行. 有关更多信息,请参阅[脱机环境](../offline_deployments/index.html) .
#### Requirements for offline Container Scanning[](#requirements-for-offline-container-scanning "Permalink")
要在脱机环境中使用容器扫描,您需要:
* GitLab 亚军与[`docker`或`kubernetes`执行](#requirements) .
* 要使用 Container Scanning [分析器](https://gitlab.com/gitlab-org/security-products/analyzers/klar)映像的副本配置本地 Docker Container Registry,请在[Container Scanning 容器注册表中找到](https://gitlab.com/gitlab-org/security-products/analyzers/klar/container_registry) .
**注意:** GitLab Runner 的[默认`pull policy`为`always`](https://docs.gitlab.com/runner/executors/docker.html) ,这意味着即使本地副本可用,Runner 也会尝试从 GitLab 容器注册表中拉取 Docker 映像. 如果您只喜欢使用本地可用的 Docker 映像,则可以在离线环境[`pull_policy`](https://docs.gitlab.com/runner/executors/docker.html) GitLab Runner 的[`pull_policy`设置为`if-not-present`](https://docs.gitlab.com/runner/executors/docker.html) . 但是,如果不在离线环境中,我们建议将拉取策略设置保持为`always` ,因为这样可以在 CI / CD 管道中使用更新的扫描仪.
#### Make GitLab Container Scanning analyzer images available inside your Docker registry[](#make-gitlab-container-scanning-analyzer-images-available-inside-your-docker-registry "Permalink")
对于容器扫描,将以下默认图像从`registry.gitlab.com`导入[本地 Docker 容器注册表](../../packages/container_registry/index.html) :
```
registry.gitlab.com/gitlab-org/security-products/analyzers/klar
https://hub.docker.com/r/arminc/clair-db
```
将 Docker 映像导入本地脱机 Docker 注册表的过程取决于**您的网络安全策略** . 请咨询您的 IT 员工,以找到可以导入或临时访问外部资源的已接受和批准的流程. 请注意,这些扫描程序会[定期](../index.html#maintenance-and-update-of-the-vulnerabilities-database)使用新定义进行[更新](../index.html#maintenance-and-update-of-the-vulnerabilities-database) ,因此请考虑您是否能够自己进行定期更新.
有关更多信息,请参见[有关如何使用管道更新映像的特定步骤](#automating-container-scanning-vulnerability-database-updates-with-a-pipeline) .
有关将 Docker 映像保存和传输为文件的详细信息,请参阅 Docker 有关[`docker save`](https://s0docs0docker0com.icopy.site/engine/reference/commandline/save/) , [`docker load`](https://s0docs0docker0com.icopy.site/engine/reference/commandline/load/) , [`docker export`](https://s0docs0docker0com.icopy.site/engine/reference/commandline/export/)和[`docker import`](https://s0docs0docker0com.icopy.site/engine/reference/commandline/import/)的文档.
#### Set Container Scanning CI job variables to use local Container Scanner analyzers[](#set-container-scanning-ci-job-variables-to-use-local-container-scanner-analyzers "Permalink")
1. [覆盖](#overriding-the-container-scanning-template) `.gitlab-ci.yml`文件中[的容器扫描模板](#overriding-the-container-scanning-template) ,以引用本地 Docker 容器注册表中托管的 Docker 映像:
```
include:
- template: Container-Scanning.gitlab-ci.yml
container_scanning:
image: $CI_REGISTRY/namespace/gitlab-klar-analyzer
variables:
CLAIR_DB_IMAGE: $CI_REGISTRY/namespace/clair-vulnerabilities-db
```
2. 如果您的本地 Docker 容器注册表正在通过`HTTPS`安全运行,但是您使用的是自签名证书,则必须在`.gitlab-ci.yml`的上述`container_scanning`部分中将`DOCKER_INSECURE: "true"`设置为.
#### Automating Container Scanning vulnerability database updates with a pipeline[](#automating-container-scanning-vulnerability-database-updates-with-a-pipeline "Permalink")
设置[计划的管道](../../../ci/pipelines/schedules.html)以按照预设的计划自动构建漏洞数据库的新版本可能是值得的. 使用管道自动执行此操作意味着您不必每次都手动进行操作. 您可以使用以下`.gitlab-yml.ci`作为模板:
```
image: docker:stable
stages:
- build
build_latest_vulnerabilities:
stage: build
services:
- docker:19.03.12-dind
script:
- docker pull arminc/clair-db:latest
- docker tag arminc/clair-db:latest $CI_REGISTRY/namespace/clair-vulnerabilities-db
- docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY
- docker push $CI_REGISTRY/namespace/clair-vulnerabilities-db
```
上面的模板适用于在本地安装上运行的 GitLab Docker 注册表,但是,如果您使用的是非 GitLab Docker 注册表,则需要更改`$CI_REGISTRY`值和 Docker `docker login`凭据以匹配以下内容:您的本地注册表.
## Running the standalone Container Scanning Tool[](#running-the-standalone-container-scanning-tool "Permalink")
可以对 Docker 容器运行[GitLab 容器扫描工具](https://gitlab.com/gitlab-org/security-products/analyzers/klar) ,而无需在 CI 作业的上下文中运行它. 要直接扫描图像,请按照下列步骤操作:
1. Run [Docker Desktop](https://www.docker.com/products/docker-desktop) or [Docker Machine](https://github.com/docker/machine).
2. 运行最新的[预填充漏洞数据库](https://hub.docker.com/repository/docker/arminc/clair-db) Docker 映像:
```
docker run -p 5432:5432 -d --name clair-db arminc/clair-db:latest
```
3. Configure an environment variable to point to your local machine’s IP address (or insert your IP address instead of the `LOCAL_MACHINE_IP_ADDRESS` variable in the `CLAIR_DB_CONNECTION_STRING` in the next step):
```
export LOCAL_MACHINE_IP_ADDRESS=your.local.ip.address
```
4. 运行分析器的 Docker 映像,并在`CI_APPLICATION_REPOSITORY`和`CI_APPLICATION_TAG`环境变量中传递要分析的映像和标签:
```
docker run \
--interactive --rm \
--volume "$PWD":/tmp/app \
-e CI_PROJECT_DIR=/tmp/app \
-e CLAIR_DB_CONNECTION_STRING="postgresql://postgres:password@${LOCAL_MACHINE_IP_ADDRESS}:5432/postgres?sslmode=disable&statement_timeout=60000" \
-e CI_APPLICATION_REPOSITORY=registry.gitlab.com/gitlab-org/security-products/dast/webgoat-8.0@sha256 \
-e CI_APPLICATION_TAG=bc09fe2e0721dfaeee79364115aeedf2174cce0947b9ae5fe7c33312ee019a4e \
registry.gitlab.com/gitlab-org/security-products/analyzers/klar
```
结果存储在`gl-container-scanning-report.json` .
## Reports JSON format[](#reports-json-format "Permalink")
容器扫描工具会发出 JSON 报告文件. 有关更多信息,请参见此[报告](https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/blob/master/dist/container-scanning-report-format.json)的[架构](https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/blob/master/dist/container-scanning-report-format.json) .
这是示例容器扫描报告:
```
{ "version": "2.3", "vulnerabilities": [ { "id": "ac0997ad-1006-4c81-81fb-ee2bbe6e78e3", "category": "container_scanning", "message": "CVE-2019-3462 in apt", "description": "Incorrect sanitation of the 302 redirect field in HTTP transport method of apt versions 1.4.8 and earlier can lead to content injection by a MITM attacker, potentially leading to remote code execution on the target machine.", "severity": "High", "confidence": "Unknown", "solution": "Upgrade apt from 1.4.8 to 1.4.9", "scanner": { "id": "klar", "name": "klar" }, "location": { "dependency": { "package": { "name": "apt" }, "version": "1.4.8" }, "operating_system": "debian:9", "image": "registry.gitlab.com/gitlab-org/security-products/dast/webgoat-8.0@sha256:bc09fe2e0721dfaeee79364115aeedf2174cce0947b9ae5fe7c33312ee019a4e" }, "identifiers": [ { "type": "cve", "name": "CVE-2019-3462", "value": "CVE-2019-3462", "url": "https://security-tracker.debian.org/tracker/CVE-2019-3462" } ], "links": [ { "url": "https://security-tracker.debian.org/tracker/CVE-2019-3462" } ] } ], "remediations": [ { "fixes": [ { "id": "c0997ad-1006-4c81-81fb-ee2bbe6e78e3" } ], "summary": "Upgrade apt from 1.4.8 to 1.4.9", "diff": "YXB0LWdldCB1cGRhdGUgJiYgYXB0LWdldCB1cGdyYWRlIC15IGFwdA==" } ] }
```
## Security Dashboard[](#security-dashboard "Permalink")
[安全仪表板](../security_dashboard/index.html)向您显示组,项目和管道中所有安全漏洞的概述.
## Vulnerabilities database update[](#vulnerabilities-database-update "Permalink")
有关漏洞数据库更新的更多信息,请查看[维护表](../index.html#maintenance-and-update-of-the-vulnerabilities-database) .
## Interacting with the vulnerabilities[](#interacting-with-the-vulnerabilities "Permalink")
一旦发现漏洞,便可以[与其进行交互](../index.html#interacting-with-the-vulnerabilities) .
## Solutions for vulnerabilities (auto-remediation)[](#solutions-for-vulnerabilities-auto-remediation "Permalink")
可以通过应用 GitLab 自动生成的解决方案来修复某些漏洞.
为了使整治的支持,对扫描工具*必须*能够访问`Dockerfile`指定由[`DOCKERFILE_PATH`](#available-variables)环境变量. 为确保扫描工具可以访问此文件,有必要设置[`GIT_STRATEGY: fetch`](../../../ci/yaml/README.html#git-strategy)按照本文档中" [覆盖容器扫描模板"](#overriding-the-container-scanning-template)部分中介绍的说明,在`.gitlab-ci.yml`文件中进行[`GIT_STRATEGY: fetch`](../../../ci/yaml/README.html#git-strategy) .
阅读有关[漏洞解决方案的](../index.html#solutions-for-vulnerabilities-auto-remediation)更多信息.
## Troubleshooting[](#troubleshooting "Permalink")
### `docker: Error response from daemon: failed to copy xattrs`[](#docker-error-response-from-daemon-failed-to-copy-xattrs "Permalink")
当 GitLab Runner 使用 Docker 执行程序并使用 NFS 时(例如, `/var/lib/docker`在 NFS 挂载上),容器扫描可能会失败,并显示以下错误:
```
docker: Error response from daemon: failed to copy xattrs: failed to set xattr "security.selinux" on /path/to/file: operation not supported.
```
这是由于 Docker 中的一个错误而导致的,该错误现已[修复](https://github.com/containerd/continuity/pull/138 "fs:添加 WithAllowXAttrErrors CopyOpt") . 为避免该错误,请确保 Runner 使用的 Docker 版本为`18.09.03`或更高. 有关更多信息,请参见[问题#10241](https://gitlab.com/gitlab-org/gitlab/-/issues/10241 "调查为什么容器扫描不适用于 NFS 挂载") .
- GitLab Docs
- Installation
- Requirements
- GitLab cloud native Helm Chart
- Install GitLab with Docker
- Installation from source
- Install GitLab on Microsoft Azure
- Installing GitLab on Google Cloud Platform
- Installing GitLab on Amazon Web Services (AWS)
- Analytics
- Code Review Analytics
- Productivity Analytics
- Value Stream Analytics
- Kubernetes clusters
- Adding and removing Kubernetes clusters
- Adding EKS clusters
- Adding GKE clusters
- Group-level Kubernetes clusters
- Instance-level Kubernetes clusters
- Canary Deployments
- Cluster Environments
- Deploy Boards
- GitLab Managed Apps
- Crossplane configuration
- Cluster management project (alpha)
- Kubernetes Logs
- Runbooks
- Serverless
- Deploying AWS Lambda function using GitLab CI/CD
- Securing your deployed applications
- Groups
- Contribution Analytics
- Custom group-level project templates
- Epics
- Manage epics
- Group Import/Export
- Insights
- Issues Analytics
- Iterations
- Public access
- SAML SSO for GitLab.com groups
- SCIM provisioning using SAML SSO for GitLab.com groups
- Subgroups
- Roadmap
- Projects
- GitLab Secure
- Security Configuration
- Container Scanning
- Dependency Scanning
- Dependency List
- Static Application Security Testing (SAST)
- Secret Detection
- Dynamic Application Security Testing (DAST)
- GitLab Security Dashboard
- Offline environments
- Standalone Vulnerability pages
- Security scanner integration
- Badges
- Bulk editing issues and merge requests at the project level
- Code Owners
- Compliance
- License Compliance
- Compliance Dashboard
- Create a project
- Description templates
- Deploy Keys
- Deploy Tokens
- File finder
- Project integrations
- Integrations
- Atlassian Bamboo CI Service
- Bugzilla Service
- Custom Issue Tracker service
- Discord Notifications service
- Enabling emails on push
- GitHub project integration
- Hangouts Chat service
- Atlassian HipChat
- Irker IRC Gateway
- GitLab Jira integration
- Mattermost Notifications Service
- Mattermost slash commands
- Microsoft Teams service
- Mock CI Service
- Prometheus integration
- Redmine Service
- Slack Notifications Service
- Slack slash commands
- GitLab Slack application
- Webhooks
- YouTrack Service
- Insights
- Issues
- Crosslinking Issues
- Design Management
- Confidential issues
- Due dates
- Issue Boards
- Issue Data and Actions
- Labels
- Managing issues
- Milestones
- Multiple Assignees for Issues
- Related issues
- Service Desk
- Sorting and ordering issue lists
- Issue weight
- Associate a Zoom meeting with an issue
- Merge requests
- Allow collaboration on merge requests across forks
- Merge Request Approvals
- Browser Performance Testing
- How to create a merge request
- Cherry-pick changes
- Code Quality
- Load Performance Testing
- Merge Request dependencies
- Fast-forward merge requests
- Merge when pipeline succeeds
- Merge request conflict resolution
- Reverting changes
- Reviewing and managing merge requests
- Squash and merge
- Merge requests versions
- Draft merge requests
- Members of a project
- Migrating projects to a GitLab instance
- Import your project from Bitbucket Cloud to GitLab
- Import your project from Bitbucket Server to GitLab
- Migrating from ClearCase
- Migrating from CVS
- Import your project from FogBugz to GitLab
- Gemnasium
- Import your project from GitHub to GitLab
- Project importing from GitLab.com to your private GitLab instance
- Import your project from Gitea to GitLab
- Import your Jira project issues to GitLab
- Migrating from Perforce Helix
- Import Phabricator tasks into a GitLab project
- Import multiple repositories by uploading a manifest file
- Import project from repo by URL
- Migrating from SVN to GitLab
- Migrating from TFVC to Git
- Push Options
- Releases
- Repository
- Branches
- Git Attributes
- File Locking
- Git file blame
- Git file history
- Repository mirroring
- Protected branches
- Protected tags
- Push Rules
- Reduce repository size
- Signing commits with GPG
- Syntax Highlighting
- GitLab Web Editor
- Web IDE
- Requirements Management
- Project settings
- Project import/export
- Project access tokens (Alpha)
- Share Projects with other Groups
- Snippets
- Static Site Editor
- Wiki
- Project operations
- Monitor metrics for your CI/CD environment
- Set up alerts for Prometheus metrics
- Embedding metric charts within GitLab-flavored Markdown
- Embedding Grafana charts
- Using the Metrics Dashboard
- Dashboard YAML properties
- Metrics dashboard settings
- Panel types for dashboards
- Using Variables
- Templating variables for metrics dashboards
- Prometheus Metrics library
- Monitoring AWS Resources
- Monitoring HAProxy
- Monitoring Kubernetes
- Monitoring NGINX
- Monitoring NGINX Ingress Controller
- Monitoring NGINX Ingress Controller with VTS metrics
- Alert Management
- Error Tracking
- Tracing
- Incident Management
- GitLab Status Page
- Feature Flags
- GitLab CI/CD
- GitLab CI/CD pipeline configuration reference
- GitLab CI/CD include examples
- Introduction to CI/CD with GitLab
- Getting started with GitLab CI/CD
- How to enable or disable GitLab CI/CD
- Using SSH keys with GitLab CI/CD
- Migrating from CircleCI
- Migrating from Jenkins
- Auto DevOps
- Getting started with Auto DevOps
- Requirements for Auto DevOps
- Customizing Auto DevOps
- Stages of Auto DevOps
- Upgrading PostgreSQL for Auto DevOps
- Cache dependencies in GitLab CI/CD
- GitLab ChatOps
- Cloud deployment
- Docker integration
- Building Docker images with GitLab CI/CD
- Using Docker images
- Building images with kaniko and GitLab CI/CD
- GitLab CI/CD environment variables
- Predefined environment variables reference
- Where variables can be used
- Deprecated GitLab CI/CD variables
- Environments and deployments
- Protected Environments
- GitLab CI/CD Examples
- Test a Clojure application with GitLab CI/CD
- Using Dpl as deployment tool
- Testing a Phoenix application with GitLab CI/CD
- End-to-end testing with GitLab CI/CD and WebdriverIO
- DevOps and Game Dev with GitLab CI/CD
- Deploy a Spring Boot application to Cloud Foundry with GitLab CI/CD
- How to deploy Maven projects to Artifactory with GitLab CI/CD
- Testing PHP projects
- Running Composer and NPM scripts with deployment via SCP in GitLab CI/CD
- Test and deploy Laravel applications with GitLab CI/CD and Envoy
- Test and deploy a Python application with GitLab CI/CD
- Test and deploy a Ruby application with GitLab CI/CD
- Test and deploy a Scala application to Heroku
- GitLab CI/CD for external repositories
- Using GitLab CI/CD with a Bitbucket Cloud repository
- Using GitLab CI/CD with a GitHub repository
- GitLab Pages
- GitLab Pages
- GitLab Pages domain names, URLs, and baseurls
- Create a GitLab Pages website from scratch
- Custom domains and SSL/TLS Certificates
- GitLab Pages integration with Let's Encrypt
- GitLab Pages Access Control
- Exploring GitLab Pages
- Incremental Rollouts with GitLab CI/CD
- Interactive Web Terminals
- Optimizing GitLab for large repositories
- Metrics Reports
- CI/CD pipelines
- Pipeline Architecture
- Directed Acyclic Graph
- Multi-project pipelines
- Parent-child pipelines
- Pipelines for Merge Requests
- Pipelines for Merged Results
- Merge Trains
- Job artifacts
- Pipeline schedules
- Pipeline settings
- Triggering pipelines through the API
- Review Apps
- Configuring GitLab Runners
- GitLab CI services examples
- Using MySQL
- Using PostgreSQL
- Using Redis
- Troubleshooting CI/CD
- GitLab Package Registry
- GitLab Container Registry
- Dependency Proxy
- GitLab Composer Repository
- GitLab Conan Repository
- GitLab Maven Repository
- GitLab NPM Registry
- GitLab NuGet Repository
- GitLab PyPi Repository
- API Docs
- API resources
- .gitignore API
- GitLab CI YMLs API
- Group and project access requests API
- Appearance API
- Applications API
- Audit Events API
- Avatar API
- Award Emoji API
- Project badges API
- Group badges API
- Branches API
- Broadcast Messages API
- Project clusters API
- Group clusters API
- Instance clusters API
- Commits API
- Container Registry API
- Custom Attributes API
- Dashboard annotations API
- Dependencies API
- Deploy Keys API
- Deployments API
- Discussions API
- Dockerfiles API
- Environments API
- Epics API
- Events
- Feature Flags API
- Feature flag user lists API
- Freeze Periods API
- Geo Nodes API
- Group Activity Analytics API
- Groups API
- Import API
- Issue Boards API
- Group Issue Boards API
- Issues API
- Epic Issues API
- Issues Statistics API
- Jobs API
- Keys API
- Labels API
- Group Labels API
- License
- Licenses API
- Issue links API
- Epic Links API
- Managed Licenses API
- Markdown API
- Group and project members API
- Merge request approvals API
- Merge requests API
- Project milestones API
- Group milestones API
- Namespaces API
- Notes API
- Notification settings API
- Packages API
- Pages domains API
- Pipeline schedules API
- Pipeline triggers API
- Pipelines API
- Project Aliases API
- Project import/export API
- Project repository storage moves API
- Project statistics API
- Project templates API
- Projects API
- Protected branches API
- Protected tags API
- Releases API
- Release links API
- Repositories API
- Repository files API
- Repository submodules API
- Resource label events API
- Resource milestone events API
- Resource weight events API
- Runners API
- SCIM API
- Search API
- Services API
- Application settings API
- Sidekiq Metrics API
- Snippets API
- Project snippets
- Application statistics API
- Suggest Changes API
- System hooks API
- Tags API
- Todos API
- Users API
- Project-level Variables API
- Group-level Variables API
- Version API
- Vulnerabilities API
- Vulnerability Findings API
- Wikis API
- GraphQL API
- Getting started with GitLab GraphQL API
- GraphQL API Resources
- API V3 to API V4
- Validate the .gitlab-ci.yml (API)
- User Docs
- Abuse reports
- User account
- Active sessions
- Deleting a User account
- Permissions
- Personal access tokens
- Profile preferences
- Threads
- GitLab and SSH keys
- GitLab integrations
- Git
- GitLab.com settings
- Infrastructure as code with Terraform and GitLab
- GitLab keyboard shortcuts
- GitLab Markdown
- AsciiDoc
- GitLab Notification Emails
- GitLab Quick Actions
- Autocomplete characters
- Reserved project and group names
- Search through GitLab
- Advanced Global Search
- Advanced Syntax Search
- Time Tracking
- GitLab To-Do List
- Administrator Docs
- Reference architectures
- Reference architecture: up to 1,000 users
- Reference architecture: up to 2,000 users
- Reference architecture: up to 3,000 users
- Reference architecture: up to 5,000 users
- Reference architecture: up to 10,000 users
- Reference architecture: up to 25,000 users
- Reference architecture: up to 50,000 users
- Troubleshooting a reference architecture set up
- Working with the bundled Consul service
- Configuring PostgreSQL for scaling
- Configuring GitLab application (Rails)
- Load Balancer for multi-node GitLab
- Configuring a Monitoring node for Scaling and High Availability
- NFS
- Working with the bundled PgBouncer service
- Configuring Redis for scaling
- Configuring Sidekiq
- Admin Area settings
- Continuous Integration and Deployment Admin settings
- Custom instance-level project templates
- Diff limits administration
- Enable and disable GitLab features deployed behind feature flags
- Geo nodes Admin Area
- GitLab Pages administration
- Health Check
- Job logs
- Labels administration
- Log system
- PlantUML & GitLab
- Repository checks
- Repository storage paths
- Repository storage types
- Account and limit settings
- Service templates
- System hooks
- Changing your time zone
- Uploads administration
- Abuse reports
- Activating and deactivating users
- Audit Events
- Blocking and unblocking users
- Broadcast Messages
- Elasticsearch integration
- Gitaly
- Gitaly Cluster
- Gitaly reference
- Monitoring GitLab
- Monitoring GitLab with Prometheus
- Performance Bar
- Usage statistics
- Object Storage
- Performing Operations in GitLab
- Cleaning up stale Redis sessions
- Fast lookup of authorized SSH keys in the database
- Filesystem Performance Benchmarking
- Moving repositories managed by GitLab
- Run multiple Sidekiq processes
- Sidekiq MemoryKiller
- Switching to Puma
- Understanding Unicorn and unicorn-worker-killer
- User lookup via OpenSSH's AuthorizedPrincipalsCommand
- GitLab Package Registry administration
- GitLab Container Registry administration
- Replication (Geo)
- Geo database replication
- Geo with external PostgreSQL instances
- Geo configuration
- Using a Geo Server
- Updating the Geo nodes
- Geo with Object storage
- Docker Registry for a secondary node
- Geo for multiple nodes
- Geo security review (Q&A)
- Location-aware Git remote URL with AWS Route53
- Tuning Geo
- Removing secondary Geo nodes
- Geo data types support
- Geo Frequently Asked Questions
- Geo Troubleshooting
- Geo validation tests
- Disaster Recovery (Geo)
- Disaster recovery for planned failover
- Bring a demoted primary node back online
- Automatic background verification
- Rake tasks
- Back up and restore GitLab
- Clean up
- Namespaces
- Maintenance Rake tasks
- Geo Rake Tasks
- GitHub import
- Import bare repositories
- Integrity check Rake task
- LDAP Rake tasks
- Listing repository directories
- Praefect Rake tasks
- Project import/export administration
- Repository storage Rake tasks
- Generate sample Prometheus data
- Uploads migrate Rake tasks
- Uploads sanitize Rake tasks
- User management
- Webhooks administration
- X.509 signatures
- Server hooks
- Static objects external storage
- Updating GitLab
- GitLab release and maintenance policy
- Security
- Password Storage
- Custom password length limits
- Restrict allowed SSH key technologies and minimum length
- Rate limits
- Webhooks and insecure internal web services
- Information exclusivity
- How to reset your root password
- How to unlock a locked user from the command line
- User File Uploads
- How we manage the TLS protocol CRIME vulnerability
- User email confirmation at sign-up
- Security of running jobs
- Proxying assets
- CI/CD Environment Variables
- Contributor and Development Docs
- Contribute to GitLab
- Community members & roles
- Implement design & UI elements
- Issues workflow
- Merge requests workflow
- Code Review Guidelines
- Style guides
- GitLab Architecture Overview
- CI/CD development documentation
- Database guides
- Database Review Guidelines
- Database Review Guidelines
- Migration Style Guide
- What requires downtime?
- Understanding EXPLAIN plans
- Rake tasks for developers
- Mass inserting Rails models
- GitLab Documentation guidelines
- Documentation Style Guide
- Documentation structure and template
- Documentation process
- Documentation site architecture
- Global navigation
- GitLab Docs monthly release process
- Telemetry Guide
- Usage Ping Guide
- Snowplow Guide
- Experiment Guide
- Feature flags in development of GitLab
- Feature flags process
- Developing with feature flags
- Feature flag controls
- Document features deployed behind feature flags
- Frontend Development Guidelines
- Accessibility & Readability
- Ajax
- Architecture
- Axios
- Design Patterns
- Frontend Development Process
- DropLab
- Emojis
- Filter
- Frontend FAQ
- GraphQL
- Icons and SVG Illustrations
- InputSetter
- Performance
- Principles
- Security
- Tooling
- Vuex
- Vue
- Geo (development)
- Geo self-service framework (alpha)
- Gitaly developers guide
- GitLab development style guides
- API style guide
- Go standards and style guidelines
- GraphQL API style guide
- Guidelines for shell commands in the GitLab codebase
- HTML style guide
- JavaScript style guide
- Migration Style Guide
- Newlines style guide
- Python Development Guidelines
- SCSS style guide
- Shell scripting standards and style guidelines
- Sidekiq debugging
- Sidekiq Style Guide
- SQL Query Guidelines
- Vue.js style guide
- Instrumenting Ruby code
- Testing standards and style guidelines
- Flaky tests
- Frontend testing standards and style guidelines
- GitLab tests in the Continuous Integration (CI) context
- Review Apps
- Smoke Tests
- Testing best practices
- Testing levels
- Testing Rails migrations at GitLab
- Testing Rake tasks
- End-to-end Testing
- Beginner's guide to writing end-to-end tests
- End-to-end testing Best Practices
- Dynamic Element Validation
- Flows in GitLab QA
- Page objects in GitLab QA
- Resource class in GitLab QA
- Style guide for writing end-to-end tests
- Testing with feature flags
- Translate GitLab to your language
- Internationalization for GitLab
- Translating GitLab
- Proofread Translations
- Merging translations from CrowdIn
- Value Stream Analytics development guide
- GitLab subscription
- Activate GitLab EE with a license