wagoodman/dive

How to use Dive in gitlab CI Securely?

baojingh opened this issue · 3 comments

Issue:
My understanding of dive is that dive has to pull the image into its local docker engine, and then dive can scan the docker image layers.
I use dive in .gitlab-ci.yml.
I have to mount the docker.sock file into my container, such as `-v /var/run/docker.sock:/var/run/docker.sock`, which I think is not secure.

My question is: how could I use dive in .gitlab-ci.yml without `-v /var/run/docker.sock:/var/run/docker.sock`?

You could supply an image as an archive to circumvent the need for docker: just invoke it with `--source docker-archive <path-to-image.tar>` and it will read from the file.

How you get the file where you need it is up to you and your CI.

Yes, thanks, I got your point.

If anyone's looking for a more complete GitLab CI example for saving the archive file:

```yaml
dive:
  image:
    name: wagoodman/dive:latest
    entrypoint: ['']   # the image's entrypoint is dive itself; override it so `script` runs in a shell
  script:
    - apk add --no-cache skopeo
    # pull the image from the registry straight into a docker-archive tarball, no docker daemon needed
    - skopeo copy docker://${IMAGE_NAME}:${IMAGE_TAG} docker-archive:archive.tar
    - dive --source docker-archive archive.tar
```
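Building on the job above, here is an added example (not from the issue or the dive project) of the same socket-free approach run as a gating step: dive is invoked in CI mode so it exits non-zero when the image misses the efficiency thresholds, and skopeo authenticates to the project's GitLab registry. It assumes an earlier job already pushed the image tagged with the commit SHA to `$CI_REGISTRY_IMAGE`; `CI_REGISTRY_IMAGE`, `CI_REGISTRY_USER`, `CI_REGISTRY_PASSWORD` and `CI_COMMIT_SHA` are GitLab's predefined variables, and the threshold values are arbitrary choices to adjust per project.

```yaml
# Added example, not part of the original issue or of dive's own docs.
# Assumes a previous stage pushed ${CI_REGISTRY_IMAGE}:${CI_COMMIT_SHA}.
stages:
  - analyze

dive:
  stage: analyze
  image:
    name: wagoodman/dive:latest
    entrypoint: ['']   # dive is the image entrypoint; run a shell instead
  script:
    - apk add --no-cache skopeo
    # Copy from the registry into a docker-archive tarball using the job's
    # short-lived registry credentials. No /var/run/docker.sock mount anywhere.
    - skopeo copy --src-creds "${CI_REGISTRY_USER}:${CI_REGISTRY_PASSWORD}"
        "docker://${CI_REGISTRY_IMAGE}:${CI_COMMIT_SHA}" docker-archive:archive.tar
    # GitLab sets CI=true, which already puts dive in non-interactive CI mode;
    # --ci makes that explicit. The thresholds are placeholders: fail the job
    # when the image is less than 95% efficient, wastes more than 20MB, or
    # more than 20% of user-added bytes are wasted.
    - dive --source docker-archive archive.tar --ci
        --lowestEfficiency 0.95
        --highestWastedBytes 20MB
        --highestUserWastedPercent 0.20
  artifacts:
    when: always
    expire_in: 1 day
    paths:
      - archive.tar   # keep the analyzed archive briefly for local inspection
```

The thresholds can also live in a `.dive-ci` file at the repository root (or be pointed to with `--ci-config`) instead of being passed as flags, which keeps the policy reviewable in version control rather than buried in the pipeline script.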