Commit 97618229 authored by Nicole Lu
Merge branch 'container_scanning-INPLATFORM-306' into 'master'

container scanning-INPLATFORM-306
parents c1c96107 8d9ce68c
1 merge request: !32 container scanning-INPLATFORM-306
stages:
- build
- scan
variables:
ECR_IMAGE_TAG: "${AWS_ACCOUNT_ID}.dkr.ecr.us-east-1.amazonaws.com/enterprise-integrations/iics_secure_agent:${CI_COMMIT_SHORT_SHA}"
DOIT_REGISTRY_IMAGE_TAG: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG
stages:
- build
before_script:
- apk update && apk add groff less && apk add py-pip
- apk update && apk add groff less && apk add py3-pip
- pip3 install awscli
- $(aws ecr get-login --no-include-email --region us-east-1)
- docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
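Review bot: both registry logins in `before_script` put credentials on the command line: `$(aws ecr get-login --no-include-email --region us-east-1)` expands to a `docker login ... -p <token>` command, and `docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY` does the same, so the secrets can surface in shell tracing and process listings on the runner. `aws ecr get-login` is also deprecated in the AWS CLI (and absent from v2); prefer `aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin <registry>` and `echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"`. Two smaller points: `pip3 install awscli` is unpinned, so the build environment changes whenever a new release ships, and `apk update && apk add groff less` appears on both the `py-pip` and `py3-pip` lines, so confirm only the `py3-pip` variant survives the change.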
......@@ -32,3 +33,16 @@ build-master:
- Dockerfile
- .gitlab-ci.yml
- run-agent.sh
include:
- project: interop/checkqualys
file: templates/.check-qualys-job.yml
image_scan:
stage: scan
extends: qualys_scan
variables:
CI_TOKEN: $CI_TOKEN
DOCKER_IMAGE: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG
when: on_success
allow_failure: false
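Review bot: the `include:` of `interop/checkqualys` has no `ref:`, so every pipeline pulls `templates/.check-qualys-job.yml` from that project's default branch, and any change there, intended or not, changes what runs in this project with `CI_TOKEN` in scope; pin it with `ref:` to a tag or commit SHA and bump deliberately. `CI_TOKEN: $CI_TOKEN` is a no-op, since the project-level variable is already visible to the job; drop it or replace it with a comment stating the requirement. `DOCKER_IMAGE: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG` repeats the expression already stored in `DOIT_REGISTRY_IMAGE_TAG`; reusing that variable keeps the scanned tag and the pushed tag from drifting apart. `allow_failure: false` is the default and can go unless it is kept to make the policy explicit.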
......@@ -5,6 +5,7 @@
* [Requirements](#requirements)
* [The Image](#the-image)
* [ODBC](#odbc)
* [Image Scanning](#image-scanning)
* [Containers](#containers)
* [Environment Variables](#environment-variables)
* [Externalized Configurations](#externalized-configurations)
......@@ -54,6 +55,22 @@ The image is based on Ubuntu 18.04. It downloads and installs necessary depende
[odbc]: #odbc
ODBC support has been added to this image, specifically support for SQLite3 and Snowflake. An odbc.ini file can be mounted into the container as /home/agent/.odbc.ini for setting up connections. Local files can be mounted or copied into the container as necessary.
### Image Scanning
[imagescan]: #image-scanning
The image is scanned by [Qualys](https://qualysguard.qg2.apps.qualys.com/cs/help/get_started/get_started.htm), a container image vulnerability
scanning system, through a Gitlab CI/CD job: `image_scan`. This job is built upon the `qualy_scan` job from the`check-qualys-job.yml` template in [checkQualys](https://git.doit.wisc.edu/interop/checkqualys) tool repository. An `image_scan` job will be created and a [Gitlab issue](https://git.doit.wisc.edu/interop/iics/iics_secure_agent/-/issues) will be added to this repository for each [CVE vulnerability](https://www.cvedetails.com/) that occurs.
To enable container image scanning, you need to first check following criteria:
* A Gitlab API Project Access Token for checkQualys tool is valid and stored as `CI_TOKEN` in **Settings -> CI/CD -> Environemnt Variables**, if not, you need to generate one in checkQualys repository under **Settings -> Access Token**, following the instruction [here](https://docs.gitlab.com/ee/user/project/settings/project_access_tokens.html);
* A Gitlab runner in **Settings -> CI/CD -> Runners** with **qualys** tag is enabled.
Notes:
* A Gitlab API Project Access Token specify for checkQualys is necessary and can be found in checkQualys repository that allows the checkQualys tool to post issues back to the project that is being scanned.
* A manual `qualys_scan` job at post stage will be created when including job template from checkQualys, and cannot be removed, but it can be ignored.
* This scan job will report all vulnerabilities in the Gitlab issue once occur, if there are a particular vulnerability that does not impact this deployment, a `.cveignore` file with certain CVE ID can be added at the root level to ignore/silence it.
## Containers
[container]: #containers
The container executes a bash script called run_agent.sh upon start. It needs INFORMATICA_USER and INFORMATICA_PASSWORD environment variables set during runtime in order to communicate with the Informatica API to check and register the Secure Agent.
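Review bot: the README names the template job `qualy_scan`, but the CI job extends `qualys_scan`; fix the name, along with the missing space in "the`check-qualys-job.yml`" and the `Environemnt` typo in the Settings path. The sentence "An `image_scan` job will be created and a Gitlab issue will be added ... for each CVE vulnerability that occurs" reads as if a job is created per CVE; say instead that the single `image_scan` job opens one issue per finding. The first bullet under "Notes:" restates the first criterion above it and can be folded into that bullet. For `.cveignore`, document the file's format and ask that each listed CVE ID carry a short reason (why it does not apply to this deployment), since the file silences findings for the whole project and is the first thing a reviewer or auditor will ask about.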
......@@ -166,7 +183,6 @@ If volume mapping is not used use `docker exec` to attach to the running contain
```shell
docker exec -it <container_name> less agentcore.log
```
## Hardware Requirements
[hardware]: #hardware-requirements
Minimum Hardware Specs ([reference](https://network.informatica.com/servlet/JiveServlet/download/189174-25674/Informatica%20Cloud%20Secure%20Agent%20Minimum%20Requirements.pdf)):