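---
# GitLab CI pipeline: lint the Dockerfile, build and push the image with
# podman/buildah, then scan the pushed image with Trivy.  Security templates
# (secret detection, SAST, container scanning) are pulled in via `include`.
include:
  - template: Security/Secret-Detection.gitlab-ci.yml
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Container-Scanning.gitlab-ci.yml

stages:
  - test
  - build
  - trivy

variables:
  # Rootless-friendly storage/build settings for podman + buildah in a container.
  STORAGE_DRIVER: vfs
  BUILDAH_FORMAT: docker
  BUILDAH_ISOLATION: chroot

# Beyond this point, each top level item is a Job name (beside templates)
# NB: each job is run on a separate container
docker:lint:
  stage: test
  image: projectatomic/dockerfile-lint
  script:
    - dockerfile_lint -p -f ansible.Dockerfile

build:
  stage: build
  # NOTE: unpinned base image; consider pinning a tag or digest for reproducible builds.
  image: fedora
  script:
    - dnf install -y podman buildah git
    - sed -i '/^mountopt =.*/d' /etc/containers/storage.conf
    # Feed the job token on stdin instead of `-p` so it never appears in the
    # process list or shell trace. CI_JOB_TOKEN is the current name of the
    # deprecated CI_BUILD_TOKEN.
    - echo "$CI_JOB_TOKEN" | podman login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
    # Best-effort cache warm: the very first pipeline has no :latest yet.
    - podman pull "$CI_REGISTRY_IMAGE:latest" || true
    # Image tag = committer date (YYYYMMDD) of the commit being built.
    - export DATE=$(date +%Y%m%d --date="@$(git show -s --format=%ct "$CI_COMMIT_SHA")")
    - podman build --cache-from "$CI_REGISTRY_IMAGE:latest" -f ansible.Dockerfile -t "${CI_REGISTRY_IMAGE}:${DATE}" -t "${CI_REGISTRY_IMAGE}:latest" .
    - podman push "${CI_REGISTRY_IMAGE}:${DATE}"
    - podman push "${CI_REGISTRY_IMAGE}:latest"

# Scan with Trivy.
# Normally image is at ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG}
# container_scanning:trivy:
trivy:
  stage: trivy
  # NOTE: unpinned scanner image; pin a tag or digest if scan results must be reproducible.
  image: docker.io/aquasec/trivy:latest
  # NOTE: with allow_failure the `--exit-code 1` step below only marks the job
  # as failed-with-warning; it does NOT block the pipeline. Set this to false
  # to make HIGH/CRITICAL findings gate the build.
  allow_failure: true
  interruptible: true
  variables:
    # git history is needed to recompute DATE below
    GIT_STRATEGY: fetch
    CI_APPLICATION_REPOSITORY: ""
    CI_APPLICATION_TAG: ""
    # Registry credentials for pulling the image to scan.
    TRIVY_USERNAME: "$CI_REGISTRY_USER"
    TRIVY_PASSWORD: "$CI_REGISTRY_PASSWORD"
    TRIVY_AUTH_URL: "$CI_REGISTRY"
    # Applies to every trivy invocation in this job, including the report.
    TRIVY_SEVERITY: "HIGH,CRITICAL"
  script:
    # Must match the tag computed in the build job.
    - export DATE=$(date +%Y%m%d --date="@$(git show -s --format=%ct "$CI_COMMIT_SHA")")
    - trivy --version
    # Build report
    - trivy --exit-code 0 --cache-dir .trivycache/ --no-progress --format template --template "@/contrib/gitlab.tpl" -o gl-container-scanning-report.json "${CI_REGISTRY_IMAGE}:${DATE}"
    # Print report
    - trivy --exit-code 0 --cache-dir .trivycache/ --no-progress "${CI_REGISTRY_IMAGE}:${DATE}"
    # Fail on high and critical vulnerabilities (see allow_failure note above)
    - trivy --exit-code 1 --cache-dir .trivycache/ --no-progress "${CI_REGISTRY_IMAGE}:${DATE}"
  cache:
    paths:
      - .trivycache/
  artifacts:
    reports:
      container_scanning: gl-container-scanning-report.json
  dependencies: []
  # only:
  #   refs:
  #     - branches
  #   variables:
  #     - $GITLAB_FEATURES =~ /\bcontainer_scanning\b/
  except:
    variables:
      - $CONTAINER_SCANNING_DISABLED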