Where is the docker image stored in GitLab CI?

Problem description

I have successfully built a docker image and tagged it testdock:latest ($CI_REGISTRY_IMAGE:latest). The $CI_REGISTRY variable is stored in the GitLab project variables.

I also have another stage that starts scanning the testdock image with Trivy: the process just hangs and makes no progress. I guess it cannot find the image, or something is wrong with the docker environment in GitLab.

   Where is the `docker image (testdock)` stored?

This is the command I use to scan the testdock image with Trivy:

$ TRIVY_INSECURE=true trivy --skip-update --output "$CI_PROJECT_DIR/scanning-report.json"  $CI_REGISTRY_IMAGE:latest

The .gitlab-ci.yml:

build:
  stage: build
  image: $CI_REGISTRY/devops/docker:latest
  services:
    - $CI_REGISTRY/devops/docker:dind-nx1.0
  #tags:
  #  - docker
  variables:
    # No need to clone the repo, we exclusively work on artifacts.  See
    # https://docs.gitlab.com/ee/ci/runners/README.html#git-strategy
    TRIVY_USERNAME: "$CI_REGISTRY_USER"
    TRIVY_PASSWORD: "$CI_REGISTRY_PASSWORD"
    TRIVY_AUTH_URL: "$CI_REGISTRY"
    FULL_IMAGE_NAME: $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
    # Tell docker CLI how to talk to Docker daemon.
    DOCKER_HOST: tcp://localhost:2375/
    # Use the overlayfs driver for improved performance.
    DOCKER_DRIVER: overlay2
    # Disable TLS since we're running inside local network.
    DOCKER_TLS_CERTDIR: ""
  before_script:
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
  script:
    - docker build -t $FULL_IMAGE_NAME  .
   # - docker push $CI_REGISTRY_IMAGE:latest

security_scan:
  stage: test
  image: 
    name: $CI_REGISTRY/devops/trivy/trivy:0.20.1
    entrypoint: [""]
  services:
    - $CI_REGISTRY/devops/docker:dind-nx1.0
  #tags:
   # - docker
  variables:
    # No need to clone the repo, we exclusively work on artifacts.  See
    # https://docs.gitlab.com/ee/ci/runners/README.html#git-strategy
  #  GIT_STRATEGY: none
    TRIVY_USERNAME: "$CI_REGISTRY_USER"
    TRIVY_PASSWORD: "$CI_REGISTRY_PASSWORD"
    TRIVY_AUTH_URL: "$CI_REGISTRY"
    FULL_IMAGE_NAME: $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
    # Tell docker CLI how to talk to Docker daemon.
    DOCKER_HOST: tcp://localhost:2375/
    # Use the overlayfs driver for improved performance.
    DOCKER_DRIVER: overlay2
    # Disable TLS since we're running inside local network.
    DOCKER_TLS_CERTDIR: ""
  before_script:
    - git config --global http.sslVerify false
    - git clone $CI_REPOSITORY_URL
    - echo "the project directory is - $CI_PROJECT_DIR"
    - echo "the CI_REGISTRY_IMAGE variable is - $CI_REGISTRY_IMAGE"
    - echo "the full image name is - $FULL_IMAGE_NAME"
    - ls -la
    - trivy -h | grep cache
    - mkdir -p /root/.cache/trivy/db
    - ls -la
    - cp "eval-trivy-2/trivy-offline.db.tgz" "/root/.cache/trivy/db"
    - cd /root/.cache/trivy/db
    - tar xvf trivy-offline.db.tgz
    - ls -la
  script:
    - trivy --version
    - time trivy image --clear-cache
    # running 1 hr and stopped.
    #- TRIVY_INSECURE=true trivy --skip-update $CI_REGISTRY_IMAGE:latest
    #- TRIVY_INSECURE=true trivy --skip-update -f json -o scanning-report.json $CI_REGISTRY/devops/aquasec/trivy:0.16.0
    - TRIVY_INSECURE=true trivy --skip-update -o "$CI_PROJECT_DIR/scanning-report.json" $FULL_IMAGE_NAME
    #keep loading by using testdock:latest
    #- TRIVY_INSECURE=true trivy --skip-update -o "$CI_PROJECT_DIR/scanning-report.json"  testdock:latest
   # - TRIVY_INSECURE=true trivy --skip-update --exit-code 1 --severity CRITICAL $CI_REGISTRY/devops/aquasec/trivy:0.16.0
  artifacts:
    when:                          always
    reports:
      container_scanning:          scanning-report.json

Tags: docker, gitlab-ci, trivy

Solution


All jobs run in isolation. So jobA normally has no idea what jobB produced, unless you explicitly tell the job to hand things over to the next job with the artifacts directive.

In your case, you build your image in your job, but if you don't push it, it is like any other discarded data and is lost by the next stage. The simplest approach is to push it to the docker registry and consume it from there. E.g. a common practice is to tag it with the commit SHA instead of latest. That way you can be sure you always hit the correct image.
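The pipeline shape the answer describes, as an added example that is not part of the original question or answer: the build job pushes the commit-SHA-tagged image, and the scan job lets Trivy pull that exact tag from the registry instead of looking in a local docker daemon that no longer holds it. It assumes the same registry images and job-token credentials as the original pipeline; the offline-DB steps from the original before_script are omitted.

```yaml
stages:
  - build
  - test

build:
  stage: build
  image: $CI_REGISTRY/devops/docker:latest
  services:
    - $CI_REGISTRY/devops/docker:dind-nx1.0
  variables:
    DOCKER_HOST: tcp://localhost:2375/
    DOCKER_TLS_CERTDIR: ""
    # Immutable tag: one commit, one image. Avoids scanning a stale :latest.
    FULL_IMAGE_NAME: $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
  before_script:
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
  script:
    - docker build -t "$FULL_IMAGE_NAME" .
    # The push is what makes the image reachable from later jobs; each job
    # starts on a fresh environment and the dind image store is thrown away.
    - docker push "$FULL_IMAGE_NAME"

security_scan:
  stage: test
  image:
    name: $CI_REGISTRY/devops/trivy/trivy:0.20.1
    entrypoint: [""]
  # No dind service needed: Trivy pulls the image from the registry itself,
  # authenticating with the credentials below.
  variables:
    TRIVY_USERNAME: "$CI_REGISTRY_USER"
    TRIVY_PASSWORD: "$CI_REGISTRY_PASSWORD"
    TRIVY_AUTH_URL: "$CI_REGISTRY"
    FULL_IMAGE_NAME: $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
  before_script:
    # Offline vulnerability-DB setup from the original job goes here (omitted).
    # Without a populated cache, drop --skip-update so Trivy can fetch the DB.
    - trivy --version
  script:
    # Report pass: scan exactly the tag the build stage pushed.
    - trivy image --skip-update --format json --output "$CI_PROJECT_DIR/scanning-report.json" "$FULL_IMAGE_NAME"
    # Gate pass: fail the job when HIGH/CRITICAL findings are present.
    - trivy image --skip-update --exit-code 1 --severity HIGH,CRITICAL "$FULL_IMAGE_NAME"
  artifacts:
    when: always
    reports:
      container_scanning: scanning-report.json
```

If the image must not be pushed before it is scanned, the alternative is `docker save` in the build job with the tarball passed via `artifacts:` and scanned with `trivy image --input`, which is the artifacts hand-off the answer mentions.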

