deepfence / SecretScanner

:unlock: :unlock: Find secrets and passwords in container images and file systems :unlock: :unlock:

Home Page: https://deepfence.io


Unable to run secret_scanner in Gitlab pipeline> podman ps:exit status 125

zumkemi opened this issue · comments

Tried to run a scan job:

image: docker:latest
services:
  - docker:dind

variables:
  DOCKER_HOST: tcp://docker:2375
  DOCKER_DRIVER: overlay2
  DOCKER_TLS_CERTDIR: ""
  IMAGE_NAME: myownimage
  IMAGE_TAG: v1

secret-detection-image:
  stage: image-scan
  image:
    name: deepfenceio/deepfence_secret_scanner:2.1.0
    entrypoint: [""]
  script:
    - echo ${REGISTRY_TOKEN} | docker login --username ${REGISTRY_USER} --password-stdin $CI_REGISTRY
    - /home/deepfence/usr/SecretScanner -config-path /home/deepfence/usr --image-name ${DOCKER_ENV_CI_REGISTRY_IMAGE}/${IMAGE_NAME}:${IMAGE_TAG}

results in:

$ /home/deepfence/usr/SecretScanner -config-path /home/deepfence/usr --image-name ${DOCKER_ENV_CI_REGISTRY_IMAGE}/${IMAGE_NAME}:${IMAGE_TAG}
INFO[2023-11-30T13:58:15Z] main.go:131 Scanning image registry.gitlab.com/...omited.../...omited.../myownimage:v1 for secrets...
ERRO[2023-11-30T13:58:16Z] utils.go:46 cmd: /usr/bin/podman --remote --url unix:///run/podman/podman.sock ps
ERRO[2023-11-30T13:58:16Z] utils.go:47 exit status 125
WARN[2023-11-30T13:58:16Z] autodetect.go:256 podman ps:exit status 125: Cannot connect to Podman. Please verify your connection to the Linux system using `podman system connection list`, or try `podman machine init` and `podman machine start` to manage a new Linux VM
Error: unable to connect to Podman socket: Get "http://d/v4.5.1/libpod/_ping": dial unix /run/podman/podman.sock: connect: no such file or directory
ERRO[2023-11-30T13:58:23Z] process_image.go:65 scanImage: Could not save container image: could not detect container runtime. Check if the image name is correct.
FATA[2023-11-30T13:58:23Z] main.go:134 main: error while scanning image: %scould not detect container runtime
Cleaning up project directory and file based variables
00:01
ERROR: Job failed: exit code 1

Seems to be similar to aquasecurity/trivy#2432.

Hi @zumkemi. The recommended way to run SecretScanner in GitLab CI is here: https://github.com/deepfence/ThreatMapper/blob/main/ci-cd-integrations/gitlab/.gitlab-ci.yml#L50-L66

We run SecretScanner inside docker:latest, which provides all the required socket paths (DinD: Docker in Docker). You can refer to this GitLab CI pipeline demo that scans an nginx image: https://gitlab.com/harshvkarn/demo-app/-/jobs/6158031549
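As an added example, not code from the SecretScanner project or from either participant in this thread: a POSIX sh pre-flight check that a CI job can run before invoking the scanner. It reports which container-runtime endpoint is reachable from the job container, mirroring the runtime autodetection whose failure appears in the log above (the scanner probed `/run/podman/podman.sock` and found nothing), so the job fails early with a readable message instead of `could not detect container runtime`. The socket paths, the `DOCKER_HOST` handling and the `detect_runtime`/`preflight` names are assumptions for this example, not anything SecretScanner defines.

```shell
#!/bin/sh
# Added example (not SecretScanner project code): pre-flight check for a
# container-runtime endpoint before a scan step runs.
#
# Assumptions (not taken from the project):
#   - /var/run/docker.sock is the conventional Docker socket path
#   - /run/podman/podman.sock is the Podman socket path (the same path the
#     scanner log on this page shows it probing)
#   - DOCKER_HOST is honoured by the docker CLI; whether the scanner itself
#     honours it is not established on this page, so a tcp:// DOCKER_HOST is
#     reported separately rather than treated as equivalent to a local socket.

# detect_runtime [docker_sock] [podman_sock]
# Prints one of: docker-tcp, docker-sock, podman-sock, none
# Returns 0 when an endpoint is found, 1 otherwise.
detect_runtime() {
    docker_sock="${1:-/var/run/docker.sock}"
    podman_sock="${2:-/run/podman/podman.sock}"

    # DOCKER_HOST takes precedence: a tcp:// endpoint (the dind service in the
    # reporter's pipeline) or a unix:// path that overrides the default socket.
    case "${DOCKER_HOST:-}" in
        tcp://*)  echo "docker-tcp"; return 0 ;;
        unix://*) docker_sock="${DOCKER_HOST#unix://}" ;;
    esac

    # -S is true only for an existing socket file, not a plain file or directory.
    if [ -S "$docker_sock" ]; then
        echo "docker-sock"; return 0
    fi
    if [ -S "$podman_sock" ]; then
        echo "podman-sock"; return 0
    fi

    echo "none"
    return 1
}

# preflight [docker_sock] [podman_sock]
# Fails the job with an actionable message when no runtime endpoint is present.
preflight() {
    rt=$(detect_runtime "$@") || {
        echo "preflight: no container runtime endpoint found (DOCKER_HOST unset," \
             "no Docker or Podman socket in this job container)." >&2
        echo "preflight: run the scanner from a job image that has the runtime" \
             "available, e.g. docker:latest with a docker:dind service." >&2
        return 1
    }
    echo "preflight: container runtime endpoint: $rt"
    return 0
}

# Usage as a CI script step: `sh preflight.sh --run` (exits non-zero on failure).
if [ "${1:-}" = "--run" ]; then
    preflight
fi
```

Placed as the first `script:` line of the scan job, a failing `preflight` stops the job before the registry login and scanner invocation, so the pipeline log states the real cause (no runtime reachable from inside the scanner image) rather than the downstream `podman ps: exit status 125` seen above.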