-
Notifications
You must be signed in to change notification settings - Fork 89
/
.image-gitlab-ci.yml
88 lines (80 loc) · 2.49 KB
/
.image-gitlab-ci.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
variables:
DOCKER_CLI_EXPERIMENTAL: enabled
DOCKER_TLS_CERTDIR: ""
IMAGE: {{ IMAGE }}
PLATFORMS: linux/amd64,linux/arm64,linux/arm/v6,linux/arm/v7
REGISTRY: $REGISTRY_URI/$CI_PROJECT_PATH
TRIVY_VERSION: 0.54.1
stages:
- Static Code Analysis
- Create Image
- Functional Tests
- Security Scan
- Promote Image
image: docker:24.0.5
.registry_template: ®istry_login
before_script:
- export TAG=bld_$CI_PIPELINE_IID_${CI_COMMIT_SHORT_SHA}
- docker login -u $CI_REGISTRY_USER -p $CI_JOB_TOKEN $REGISTRY
services: [ "docker:dind" ]
analysis:
stage: Static Code Analysis
image: instantlinux/python-builder:latest
script: cd images/$IMAGE && make analysis
create_image:
<<: *registry_login
stage: Create Image
script: apk add make && cd images/$IMAGE && make create_image
services: [ { name: "docker:dind", command: ["--experimental"] } ]
test:
stage: Functional Tests
script: apk add make && cd images/$IMAGE && make test_functional
security_scan_trivy:
services: [ "docker:dind" ]
image:
name: aquasec/trivy:$TRIVY_VERSION
entrypoint: [""]
stage: Security Scan
variables:
GIT_STRATEGY: none
TRIVY_CACHE_DIR: .trivycache/
TRIVY_DEBUG: "true"
TRIVY_EXIT_CODE: 1
TRIVY_FORMAT: json
TRIVY_OUTPUT: gl-container-scanning-report.json
TRIVY_SEVERITY: HIGH,CRITICAL
TRIVY_VULN_TYPE: os,library
script:
- export TAG=bld_$CI_PIPELINE_IID_${CI_COMMIT_SHORT_SHA}
- trivy clean --all
- trivy image --download-db-only --no-progress
- trivy image "${REGISTRY}/${IMAGE}:${TAG}" --severity LOW,MEDIUM
--exit-code 0 --format table --output medium-vulns.txt
- cat medium-vulns.txt
- echo CVE-2023-2253 > .trivyignore
# These are for blacklist image, there's a won't-fix note for zlib1g
- echo CVE-2023-31484 >> .trivyignore
- echo CVE-2023-45853 >> .trivyignore
# TODO remove this openssh bypass once repo is updated
- echo CVE-2024-6387 >> .trivyignore
- trivy image "${REGISTRY}/${IMAGE}:${TAG}"
cache:
paths: [ .trivycache ]
interruptible: true
retry:
max: 2
when: [ runner_system_failure, stuck_or_timeout_failure ]
timeout: 5m
artifacts:
reports:
container_scanning: gl-container-scanning-report.json
expire_in: 30 days
paths: [ medium-vulns.txt ]
promote_image:
stage: Promote Image
<<: *registry_login
script: apk add curl jq make && cd images/$IMAGE && make promote_image
interruptible: true
only:
refs: [ main, tags ]
variables: [ $REGISTRY_URI == "registry.gitlab.com" ]