Compare commits
2 commits
eb5021441b
...
bca3f9b9c4
| Author | SHA1 | Date | |
|---|---|---|---|
bca3f9b9c4
|
|||
|
d12d8522fb
|
2 changed files with 60 additions and 28 deletions
|
|
@ -1,29 +1,76 @@
|
|||
include:
|
||||
- template: Security/Secret-Detection.gitlab-ci.yml
|
||||
- template: Security/SAST.gitlab-ci.yml
|
||||
- template: Security/Container-Scanning.gitlab-ci.yml
|
||||
|
||||
stages:
|
||||
- verify
|
||||
- test
|
||||
- build
|
||||
- trivy
|
||||
|
||||
variables:
|
||||
IMAGE_NAME: "$CI_REGISTRY_IMAGE"
|
||||
|
||||
image: docker:latest
|
||||
STORAGE_DRIVER: vfs
|
||||
BUILDAH_FORMAT: docker
|
||||
BUILDAH_ISOLATION: chroot
|
||||
|
||||
# Beyond this point, each top level item is a Job name (beside templates)
|
||||
# NB: each job is run on a separate container
|
||||
|
||||
docker:lint:
|
||||
stage: verify
|
||||
stage: test
|
||||
image: projectatomic/dockerfile-lint
|
||||
script:
|
||||
- dockerfile_lint -p -f ansible.Dockerfile
|
||||
|
||||
build:
|
||||
stage: build
|
||||
image: docker:latest
|
||||
image: fedora
|
||||
script:
|
||||
- docker login -u "$CI_REGISTRY_USER" -p "$CI_BUILD_TOKEN" "$CI_REGISTRY"
|
||||
- export DATE=$(date +%Y%m%d)
|
||||
- docker build -f ansible.Dockerfile -t $CI_REGISTRY_IMAGE:$DATE .
|
||||
- docker push $CI_REGISTRY_IMAGE:$DATE
|
||||
- docker build -f ansible.Dockerfile -t $CI_REGISTRY_IMAGE:latest .
|
||||
- docker push $CI_REGISTRY_IMAGE:latest
|
||||
- dnf install -y podman buildah git
|
||||
- sed -i '/^mountopt =.*/d' /etc/containers/storage.conf
|
||||
- podman login -u "$CI_REGISTRY_USER" -p "$CI_BUILD_TOKEN" "$CI_REGISTRY"
|
||||
- podman pull "$CI_REGISTRY_IMAGE:latest"
|
||||
- export DATE=$(date +%Y%m%d --date="@`git show -s --format=%ct $CI_COMMIT_SHA`")
|
||||
- podman build --cache-from "$CI_REGISTRY_IMAGE:latest" -f ansible.Dockerfile -t ${CI_REGISTRY_IMAGE}:$DATE -t ${CI_REGISTRY_IMAGE}:latest .
|
||||
- podman push ${CI_REGISTRY_IMAGE}:$DATE
|
||||
- podman push ${CI_REGISTRY_IMAGE}:latest
|
||||
|
||||
# Scan with Trivy. Normaly image is at ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG}
|
||||
#container_scanning:trivy:
|
||||
trivy:
|
||||
stage: trivy
|
||||
image: docker.io/aquasec/trivy:latest
|
||||
allow_failure: true
|
||||
interruptible: true
|
||||
variables:
|
||||
GIT_STRATEGY: fetch
|
||||
CI_APPLICATION_REPOSITORY: ""
|
||||
CI_APPLICATION_TAG: ""
|
||||
TRIVY_USERNAME: "$CI_REGISTRY_USER"
|
||||
TRIVY_PASSWORD: "$CI_REGISTRY_PASSWORD"
|
||||
TRIVY_AUTH_URL: "$CI_REGISTRY"
|
||||
TRIVY_SEVERITY: "HIGH,CRITICAL"
|
||||
script:
|
||||
- export DATE=$(date +%Y%m%d --date="@`git show -s --format=%ct $CI_COMMIT_SHA`")
|
||||
- trivy --version
|
||||
# Build report
|
||||
- trivy --exit-code 0 --cache-dir .trivycache/ --no-progress --format template --template "@/contrib/gitlab.tpl" -o gl-container-scanning-report.json ${CI_REGISTRY_IMAGE}:$DATE
|
||||
# Print report
|
||||
- trivy --exit-code 0 --cache-dir .trivycache/ --no-progress ${CI_REGISTRY_IMAGE}:$DATE
|
||||
# Fail on high and critical vulnerabilities
|
||||
- trivy --exit-code 1 --cache-dir .trivycache/ --no-progress ${CI_REGISTRY_IMAGE}:$DATE
|
||||
cache:
|
||||
paths:
|
||||
- .trivycache/
|
||||
artifacts:
|
||||
reports:
|
||||
container_scanning: gl-container-scanning-report.json
|
||||
dependencies: []
|
||||
# only:
|
||||
# refs:
|
||||
# - branches
|
||||
# variables:
|
||||
# - $GITLAB_FEATURES =~ /\bcontainer_scanning\b/
|
||||
except:
|
||||
variables:
|
||||
- $CONTAINER_SCANNING_DISABLED
|
||||
|
|
@ -19,21 +19,6 @@ RUN apk --no-cache --update add ca-certificates bash curl openssh-client openssl
|
|||
# apk --no-cache upgrade && \
|
||||
ln -s /usr/local/bin/python3 /usr/bin/python3
|
||||
|
||||
#RUN VAULT_VERSION=1.7.3 && \
|
||||
# wget https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip && \
|
||||
# unzip vault_${VAULT_VERSION}_linux_amd64.zip && \
|
||||
# install vault /usr/local/bin/vault -o root -g root -m 0755 && \
|
||||
# rm -f vault vault_${VAULT_VERSION}_linux_amd64.zip && \
|
||||
RUN KUBECTL_VERSION=v1.21.3 && HELM_VERSION=v3.6.2 && \
|
||||
wget https://storage.googleapis.com/kubernetes-release/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl && \
|
||||
install kubectl /usr/local/bin/kubectl -o root -g root -m 0755 && \
|
||||
rm -f kubectl && \
|
||||
wget https://get.helm.sh/helm-${HELM_VERSION}-linux-amd64.tar.gz && \
|
||||
tar -zxf helm-${HELM_VERSION}-linux-amd64.tar.gz && \
|
||||
install -o root -g root -m 0755 linux-amd64/helm /usr/local/bin/helm && \
|
||||
rm -fr helm-${HELM_VERSION}-linux-amd64.tar.gz linux-amd64 && \
|
||||
helm plugin install https://github.com/databus23/helm-diff
|
||||
|
||||
RUN apk --update add --virtual build-dependencies gcc rust cargo musl-dev libffi-dev openssl-dev build-base libvirt-dev postgresql-dev && \
|
||||
pip3 install ansible asn1crypto bcrypt cachetools certifi cffi chardet cryptography dictdiffer \
|
||||
docker-py google-auth httplib2 hvac idna ipaddress Jinja2 jmespath jsonpatch jsonpointer jsonschema \
|
||||
|
|
@ -48,6 +33,6 @@ RUN apk --update add --virtual build-dependencies gcc rust cargo musl-dev libffi
|
|||
echo "localhost" >> /etc/ansible/hosts
|
||||
#RUN update-ca-certificates
|
||||
|
||||
RUN ansible-galaxy collection install kubernetes.core ansible.posix community.general community.libvirt ngine_io.cloudstack google.cloud community.digitalocean
|
||||
#RUN ansible-galaxy collection install kubernetes.core ansible.posix community.general community.libvirt ngine_io.cloudstack google.cloud community.digitalocean
|
||||
|
||||
CMD ["ansible"]
|
||||
Loading…
Add table
Add a link
Reference in a new issue