76 lines
No EOL
2.4 KiB
YAML
76 lines
No EOL
2.4 KiB
YAML
include:
|
|
- template: Security/Secret-Detection.gitlab-ci.yml
|
|
- template: Security/SAST.gitlab-ci.yml
|
|
- template: Security/Container-Scanning.gitlab-ci.yml
|
|
|
|
stages:
|
|
- test
|
|
- build
|
|
- trivy
|
|
|
|
variables:
|
|
STORAGE_DRIVER: vfs
|
|
BUILDAH_FORMAT: docker
|
|
BUILDAH_ISOLATION: chroot
|
|
|
|
# Beyond this point, each top level item is a Job name (beside templates)
|
|
# NB: each job is run on a separate container
|
|
|
|
docker:lint:
|
|
stage: test
|
|
image: projectatomic/dockerfile-lint
|
|
script:
|
|
- dockerfile_lint -p -f ansible.Dockerfile
|
|
|
|
build:
|
|
stage: build
|
|
image: fedora
|
|
script:
|
|
- dnf install -y podman buildah git
|
|
- sed -i '/^mountopt =.*/d' /etc/containers/storage.conf
|
|
- podman login -u "$CI_REGISTRY_USER" -p "$CI_BUILD_TOKEN" "$CI_REGISTRY"
|
|
- podman pull "$CI_REGISTRY_IMAGE:latest"
|
|
- export DATE=$(date +%Y%m%d --date="@`git show -s --format=%ct $CI_COMMIT_SHA`")
|
|
- podman build --cache-from "$CI_REGISTRY_IMAGE:latest" -f ansible.Dockerfile -t ${CI_REGISTRY_IMAGE}:$DATE -t ${CI_REGISTRY_IMAGE}:latest .
|
|
- podman push ${CI_REGISTRY_IMAGE}:$DATE
|
|
- podman push ${CI_REGISTRY_IMAGE}:latest
|
|
|
|
# Scan with Trivy. Normaly image is at ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG}
|
|
#container_scanning:trivy:
|
|
trivy:
|
|
stage: trivy
|
|
image: docker.io/aquasec/trivy:latest
|
|
allow_failure: true
|
|
interruptible: true
|
|
variables:
|
|
GIT_STRATEGY: fetch
|
|
CI_APPLICATION_REPOSITORY: ""
|
|
CI_APPLICATION_TAG: ""
|
|
TRIVY_USERNAME: "$CI_REGISTRY_USER"
|
|
TRIVY_PASSWORD: "$CI_REGISTRY_PASSWORD"
|
|
TRIVY_AUTH_URL: "$CI_REGISTRY"
|
|
TRIVY_SEVERITY: "HIGH,CRITICAL"
|
|
script:
|
|
- export DATE=$(date +%Y%m%d --date="@`git show -s --format=%ct $CI_COMMIT_SHA`")
|
|
- trivy --version
|
|
# Build report
|
|
- trivy --exit-code 0 --cache-dir .trivycache/ --no-progress --format template --template "@/contrib/gitlab.tpl" -o gl-container-scanning-report.json ${CI_REGISTRY_IMAGE}:$DATE
|
|
# Print report
|
|
- trivy --exit-code 0 --cache-dir .trivycache/ --no-progress ${CI_REGISTRY_IMAGE}:$DATE
|
|
# Fail on high and critical vulnerabilities
|
|
- trivy --exit-code 1 --cache-dir .trivycache/ --no-progress ${CI_REGISTRY_IMAGE}:$DATE
|
|
cache:
|
|
paths:
|
|
- .trivycache/
|
|
artifacts:
|
|
reports:
|
|
container_scanning: gl-container-scanning-report.json
|
|
dependencies: []
|
|
# only:
|
|
# refs:
|
|
# - branches
|
|
# variables:
|
|
# - $GITLAB_FEATURES =~ /\bcontainer_scanning\b/
|
|
except:
|
|
variables:
|
|
- $CONTAINER_SCANNING_DISABLED |