From d12d8522fb10d68ef0312e5643e1fb31f9c23330 Mon Sep 17 00:00:00 2001
From: Adrien Reslinger
Date: Sat, 2 Oct 2021 23:42:14 +0200
Subject: [PATCH] Update gitlab-ci

---
 .gitlab-ci.yml | 71 +++++++++++++++++++++++++++++++++++++++++---------
 1 file changed, 59 insertions(+), 12 deletions(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 6ce201f..b17b725 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,29 +1,76 @@
+include:
+  - template: Security/Secret-Detection.gitlab-ci.yml
+  - template: Security/SAST.gitlab-ci.yml
+  - template: Security/Container-Scanning.gitlab-ci.yml
 stages:
-  - verify
+  - test
   - build
+  - trivy
 variables:
-  IMAGE_NAME: "$CI_REGISTRY_IMAGE"
-
-image: docker:latest
+  STORAGE_DRIVER: vfs
+  BUILDAH_FORMAT: docker
+  BUILDAH_ISOLATION: chroot
 # Beyond this point, each top level item is a Job name (beside templates)
 # NB: each job is run on a separate container
 docker:lint:
-  stage: verify
+  stage: test
   image: projectatomic/dockerfile-lint
   script:
     - dockerfile_lint -p -f ansible.Dockerfile
 build:
   stage: build
-  image: docker:latest
+  image: fedora
   script:
-    - docker login -u "$CI_REGISTRY_USER" -p "$CI_BUILD_TOKEN" "$CI_REGISTRY"
-    - export DATE=$(date +%Y%m%d)
-    - docker build -f ansible.Dockerfile -t $CI_REGISTRY_IMAGE:$DATE .
-    - docker push $CI_REGISTRY_IMAGE:$DATE
-    - docker build -f ansible.Dockerfile -t $CI_REGISTRY_IMAGE:latest .
-    - docker push $CI_REGISTRY_IMAGE:latest
+    - dnf install -y podman buildah git
+    - sed -i '/^mountopt =.*/d' /etc/containers/storage.conf
+    - podman login -u "$CI_REGISTRY_USER" -p "$CI_BUILD_TOKEN" "$CI_REGISTRY"
+    - podman pull "$CI_REGISTRY_IMAGE:latest"
+    - export DATE=$(date +%Y%m%d --date="@`git show -s --format=%ct $CI_COMMIT_SHA`")
+    - podman build --cache-from "$CI_REGISTRY_IMAGE:latest" -f ansible.Dockerfile -t ${CI_REGISTRY_IMAGE}:$DATE -t ${CI_REGISTRY_IMAGE}:latest .
+    - podman push ${CI_REGISTRY_IMAGE}:$DATE
+    - podman push ${CI_REGISTRY_IMAGE}:latest
+
+# Scan with Trivy. Normaly image is at ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG}
+#container_scanning:trivy:
+trivy:
+  stage: trivy
+  image: docker.io/aquasec/trivy:latest
+  allow_failure: true
+  interruptible: true
+  variables:
+    GIT_STRATEGY: fetch
+    CI_APPLICATION_REPOSITORY: ""
+    CI_APPLICATION_TAG: ""
+    TRIVY_USERNAME: "$CI_REGISTRY_USER"
+    TRIVY_PASSWORD: "$CI_REGISTRY_PASSWORD"
+    TRIVY_AUTH_URL: "$CI_REGISTRY"
+    TRIVY_SEVERITY: "HIGH,CRITICAL"
+  script:
+    - export DATE=$(date +%Y%m%d --date="@`git show -s --format=%ct $CI_COMMIT_SHA`")
+    - trivy --version
+    # Build report
+    - trivy --exit-code 0 --cache-dir .trivycache/ --no-progress --format template --template "@/contrib/gitlab.tpl" -o gl-container-scanning-report.json ${CI_REGISTRY_IMAGE}:$DATE
+    # Print report
+    - trivy --exit-code 0 --cache-dir .trivycache/ --no-progress ${CI_REGISTRY_IMAGE}:$DATE
+    # Fail on high and critical vulnerabilities
+    - trivy --exit-code 1 --cache-dir .trivycache/ --no-progress ${CI_REGISTRY_IMAGE}:$DATE
+  cache:
+    paths:
+      - .trivycache/
+  artifacts:
+    reports:
+      container_scanning: gl-container-scanning-report.json
+  dependencies: []
+# only:
+#   refs:
+#     - branches
+#   variables:
+#     - $GITLAB_FEATURES =~ /\bcontainer_scanning\b/
+  except:
+    variables:
+      - $CONTAINER_SCANNING_DISABLED
\ No newline at end of file
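Review bot: The `trivy` job cannot stop a vulnerable image from shipping: `build` pushes `${CI_REGISTRY_IMAGE}:latest` in the `build` stage before the `trivy` stage runs, and `allow_failure: true` turns the final `trivy --exit-code 1` into an advisory result, so HIGH/CRITICAL findings still leave the pipeline green. If a gate is intended, drop `allow_failure: true` (or keep it only while the baseline is being cleaned up) and consider tagging `:latest` only after the scan has passed. Separately, `podman login ... -p "$CI_BUILD_TOKEN"` places the token on the command line, and `CI_BUILD_TOKEN` is the deprecated alias of `CI_JOB_TOKEN`; `echo "$CI_JOB_TOKEN" | podman login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"` avoids both. The new `podman pull "$CI_REGISTRY_IMAGE:latest"` line will also fail the job on a project whose registry has no `latest` tag yet, since nothing tolerates a missing cache image. Finally, `image: fedora` and `docker.io/aquasec/trivy:latest` are unpinned, so the toolchain pulled by `dnf install -y podman buildah git` and the scanner can change between otherwise identical runs; pinning a tag (or digest) makes builds and scan results reproducible.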