Update gitlab-ci

This commit is contained in:
Adrien Reslinger 2021-10-02 23:42:14 +02:00
parent eb5021441b
commit d12d8522fb
Signed by: adrien
GPG key ID: DA7B27055C66D6DE


@ -1,29 +1,76 @@
include:
- template: Security/Secret-Detection.gitlab-ci.yml
- template: Security/SAST.gitlab-ci.yml
- template: Security/Container-Scanning.gitlab-ci.yml
stages: stages:
- verify - test
- build - build
- trivy
variables: variables:
IMAGE_NAME: "$CI_REGISTRY_IMAGE" STORAGE_DRIVER: vfs
BUILDAH_FORMAT: docker
image: docker:latest BUILDAH_ISOLATION: chroot
# Beyond this point, each top level item is a Job name (beside templates) # Beyond this point, each top level item is a Job name (beside templates)
# NB: each job is run on a separate container # NB: each job is run on a separate container
docker:lint: docker:lint:
stage: verify stage: test
image: projectatomic/dockerfile-lint image: projectatomic/dockerfile-lint
script: script:
- dockerfile_lint -p -f ansible.Dockerfile - dockerfile_lint -p -f ansible.Dockerfile
build: build:
stage: build stage: build
image: docker:latest image: fedora
script: script:
- docker login -u "$CI_REGISTRY_USER" -p "$CI_BUILD_TOKEN" "$CI_REGISTRY" - dnf install -y podman buildah git
- export DATE=$(date +%Y%m%d) - sed -i '/^mountopt =.*/d' /etc/containers/storage.conf
- docker build -f ansible.Dockerfile -t $CI_REGISTRY_IMAGE:$DATE . - podman login -u "$CI_REGISTRY_USER" -p "$CI_BUILD_TOKEN" "$CI_REGISTRY"
- docker push $CI_REGISTRY_IMAGE:$DATE - podman pull "$CI_REGISTRY_IMAGE:latest"
- docker build -f ansible.Dockerfile -t $CI_REGISTRY_IMAGE:latest . - export DATE=$(date +%Y%m%d --date="@`git show -s --format=%ct $CI_COMMIT_SHA`")
- docker push $CI_REGISTRY_IMAGE:latest - podman build --cache-from "$CI_REGISTRY_IMAGE:latest" -f ansible.Dockerfile -t ${CI_REGISTRY_IMAGE}:$DATE -t ${CI_REGISTRY_IMAGE}:latest .
- podman push ${CI_REGISTRY_IMAGE}:$DATE
- podman push ${CI_REGISTRY_IMAGE}:latest
# Scan with Trivy. Normaly image is at ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG}
#container_scanning:trivy:
trivy:
stage: trivy
image: docker.io/aquasec/trivy:latest
allow_failure: true
interruptible: true
variables:
GIT_STRATEGY: fetch
CI_APPLICATION_REPOSITORY: ""
CI_APPLICATION_TAG: ""
TRIVY_USERNAME: "$CI_REGISTRY_USER"
TRIVY_PASSWORD: "$CI_REGISTRY_PASSWORD"
TRIVY_AUTH_URL: "$CI_REGISTRY"
TRIVY_SEVERITY: "HIGH,CRITICAL"
script:
- export DATE=$(date +%Y%m%d --date="@`git show -s --format=%ct $CI_COMMIT_SHA`")
- trivy --version
# Build report
- trivy --exit-code 0 --cache-dir .trivycache/ --no-progress --format template --template "@/contrib/gitlab.tpl" -o gl-container-scanning-report.json ${CI_REGISTRY_IMAGE}:$DATE
# Print report
- trivy --exit-code 0 --cache-dir .trivycache/ --no-progress ${CI_REGISTRY_IMAGE}:$DATE
# Fail on high and critical vulnerabilities
- trivy --exit-code 1 --cache-dir .trivycache/ --no-progress ${CI_REGISTRY_IMAGE}:$DATE
cache:
paths:
- .trivycache/
artifacts:
reports:
container_scanning: gl-container-scanning-report.json
dependencies: []
# only:
# refs:
# - branches
# variables:
# - $GITLAB_FEATURES =~ /\bcontainer_scanning\b/
except:
variables:
- $CONTAINER_SCANNING_DISABLED
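Review bot: The `trivy --exit-code 1` step on the last script line of the trivy job cannot gate anything, because the job sets `allow_failure: true` and the build stage has already pushed `${CI_REGISTRY_IMAGE}:$DATE` and `:latest` before the trivy stage runs, so a HIGH/CRITICAL finding is only reported after the image is published. If the scan is meant to be a gate, set `allow_failure: false` and have build push only the `:$DATE` tag, promoting it to `:latest` in a stage that runs after trivy. Separately, the build job's `podman login -u "$CI_REGISTRY_USER" -p "$CI_BUILD_TOKEN" "$CI_REGISTRY"` passes the token on the command line, where it is visible in the container's process list; prefer `echo "$CI_JOB_TOKEN" | podman login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"` (`CI_BUILD_TOKEN` is the deprecated alias of `CI_JOB_TOKEN`, and the trivy job already uses the newer `CI_REGISTRY_PASSWORD` name). The `podman pull "$CI_REGISTRY_IMAGE:latest"` cache warm-up also fails the whole build the first time the registry has no `latest` tag yet, so it should tolerate a missing image, e.g. `podman pull "$CI_REGISTRY_IMAGE:latest" || true`.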