@@ -54,6 +55,23 @@ The image is based on Ubuntu 18.04. It downloads and installs necessary depende
[odbc]:#odbc
ODBC support has been added to this image, specifically support for SQLite3 and Snowflake. An odbc.ini file can be mounted into the container as /home/agent/.odbc.ini for setting up connections. Local files can be mounted or copied into the container as necessary.
### Image Scanning
[imagescan]:#image-scanning
The image is scanned by [Qualys](https://qualysguard.qg2.apps.qualys.com/cs/help/get_started/get_started.htm), a container image vulnerability
scanning system, through a Gitlab CI/CD job: `image_scan`. It will report any vulnerabilities occur when a pipeline is scheduled for master branch or created/updated in a merge request. The CI/CD job `image_scan` is built upon the `qualy_scan` job in the`check-qualys-job.yml` template in [checkQualys](https://git.doit.wisc.edu/interop/checkqualys) tool repository. The scan job is scheduled daily.
To enable container image scanning, you need first check following criteria:
* A Gitlab API Personal Access Token is valid and stored as `CI_TOKEN` in **Settings -> CI/CD -> Environemnt Variables**, if not, you need to generate one, following the instruction [here](https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html);
* A Gitlab runner in **Settings -> CI/CD -> Runners** with **qualys** tag is enabled;
* A pipeline is scheduled for master branch or created/updated in a merge request.
Notes:
* Using a Gitlab API personal Access Token is the only way to access the Gitlab API that allows the `checkQualys` tool to post issues back to the project that is being scanned.
* A default manual `qualys_scan` job at post stage will be created and cannot be removed when including a job template, but it can be ignored.
* This scan job will report all vulnerabilities occur, if there are a particular vulnerability that does not impact this image, an `.cveignore` file can be added at the root level to ignore it.
## Containers
[container]:#containers
The container executes a bash script called run_agent.sh upon start. It needs INFORMATICA_USER and INFORMATICA_PASSWORD environment variables set during runtime in order to communicate with the Informatica API to check and register the Secure Agent.
...
...
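Review bot: The `CI_TOKEN` bullet tells readers to store a GitLab Personal Access Token as a CI/CD variable but does not say how it should be protected; since the token lets `checkQualys` post issues to the project over the GitLab API, the bullet should state that the variable must be marked Masked (so it is redacted from job logs) and Protected (so it is only exposed to pipelines on protected branches such as master), and that the token should carry only the scope needed to create issues. Two name inconsistencies in the same hunk will confuse anyone wiring this up: the description says the job is built on `qualy_scan` in the`check-qualys-job.yml` template, while the Notes refer to a `qualys_scan` job; pick one spelling, and add the missing space before the template name. Smaller wording fixes for the same lines: "Environemnt Variables" (the GitLab menu is "Variables"), "report any vulnerabilities occur" should read "report any vulnerabilities found", "you need first check following criteria" should read "first check the following criteria", "if there are a particular vulnerability" should read "if there is a particular vulnerability", and "an `.cveignore` file" should read "a `.cveignore` file". For the `.cveignore` note it would also help to say where the file format is documented (the checkQualys repository is linked above), since suppressing a finding is a security decision that reviewers need to be able to audit.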
@@ -166,7 +184,6 @@ If volume mapping is not used use `docker exec` to attach to the running contain
```shell
docker exec-it <container_name> less agentcore.log
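Review bot: The command in this hunk is missing a space and will not run as written; `docker exec-it <container_name> less agentcore.log` should read `docker exec -it <container_name> less agentcore.log`. The opening ```shell fence is visible but its closing fence is not within the hunk, so confirm the block is still closed in the rendered README after this change.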