Description
Is your feature request related to a problem?
We are building containers, and the containers need to be scanned for CVEs. We chose Twistlock to do the job. We use GitLab, and the GitLab runners are running as containers on a shared Kubernetes infra where running privileged containers is disallowed.
As mentioned in the sample code here, cicd/gitlab/.gitlab-ci.yml, you need to depend on a dind (docker-in-docker) container to run twistcli, as twistcli requires a Docker socket to scan the container image.
This is an insecure way of running a container, and in our production environments we are disallowed from running privileged containers. I explored a few solutions but cannot seem to find any alternatives.
Describe the solution you'd like
twistcli must be run from a container without the need for that container to be running in privileged mode.
Describe alternatives you've considered
As of now, I have to set up a standalone virtual machine, install Docker on it, configure a gitlab-runner there, and set up a shell executor to execute twistcli remotely on this agent host.
Additional context
Can we help run Twistlock from a container securely? The docker:dind or docker:dood alternatives are not secure.