First pass at gitlab CI
This commit is contained in:
110
.gitlab-ci.yml
Normal file
110
.gitlab-ci.yml
Normal file
@ -0,0 +1,110 @@
|
||||
---
|
||||
image: ubuntu:latest
|
||||
stages:
|
||||
- Scan Early
|
||||
- Build
|
||||
- Scan
|
||||
- Release
|
||||
before_script: []
|
||||
variables:
|
||||
REGISTRY: registry.gitlab.com/$CI_PROJECT_NAMESPACE/$CI_PROJECT_NAME
|
||||
DOCKER_HOST: tcp://docker:2375/
|
||||
DOCKER_DRIVER: overlay2
|
||||
DOCKER_TLS_CERTDIR: ""
|
||||
IMAGE_TARBALL: container-$CI_COMMIT_SHORT_SHA.tar
|
||||
IMAGE_TAG: $REGISTRY:$CI_COMMIT_SHORT_SHA
|
||||
IMAGE_TAG_RELEASE: $REGISTRY:$CI_COMMIT_TAG
|
||||
IMAGE_TAG_BLEEDING: $REGISTRY:bleeding
|
||||
IMAGE_TAG_LATEST: $REGISTRY:latest
|
||||
default:
|
||||
interruptible: yes
|
||||
retry: 2
|
||||
services:
|
||||
- name: docker:dind
|
||||
alias: docker
|
||||
command: ["--tls=false"]
|
||||
cache:
|
||||
- key: trivy-db
|
||||
paths:
|
||||
- .trivy
|
||||
# Lightweight scanning where we check for repo misconfigs
|
||||
Trivy Secrets:
|
||||
image:
|
||||
name: aquasec/trivy
|
||||
entrypoint: [""]
|
||||
stage: Scan Early
|
||||
retry: 0
|
||||
script:
|
||||
- trivy fs --exit-code 1 ./
|
||||
Trivy Misconfiguration:
|
||||
image:
|
||||
name: aquasec/trivy
|
||||
entrypoint: [""]
|
||||
stage: Scan Early
|
||||
retry: 0
|
||||
script:
|
||||
- trivy config --severity HIGH,CRITICAL --exit-code 1 ./
|
||||
|
||||
# Building
|
||||
Build Container:
|
||||
image: docker:latest
|
||||
cache: []
|
||||
before_script: []
|
||||
stage: Build
|
||||
script:
|
||||
# Basic Docker setup
|
||||
- docker --version
|
||||
- docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $REGISTRY
|
||||
- echo "$CI_REGISTRY_PASSWORD" | docker login $CI_REGISTRY -u $CI_REGISTRY_USER --password-stdin
|
||||
# Set up build environment
|
||||
- docker buildx create --use
|
||||
- docker buildx inspect --bootstrap
|
||||
# Build the container
|
||||
- docker buildx build
|
||||
--platform linux/amd64
|
||||
--tag=$IMAGE_TAG
|
||||
--output type=oci,dest=$IMAGE_TARBALL
|
||||
# Last-minute debug info
|
||||
- docker images
|
||||
artifacts:
|
||||
paths:
|
||||
- $IMAGE_TARBALL
|
||||
expire_in: 1h
|
||||
|
||||
# Meaty scanning for package vulns
|
||||
Scan Container:
|
||||
image:
|
||||
name: aquasec/trivy
|
||||
entrypoint: [""]
|
||||
stage: Scan
|
||||
allow_failure: true
|
||||
retry: 0
|
||||
before_script:
|
||||
- mkdir container
|
||||
- tar xf $IMAGE_TARBALL -C container
|
||||
script:
|
||||
- trivy image
|
||||
--input container
|
||||
--platform linux/amd64
|
||||
--scanners vuln,secret,misconfig
|
||||
--severity HIGH,CRITICAL
|
||||
--ignore-unfixed
|
||||
--exit-code 1
|
||||
|
||||
# OCI image tagging
|
||||
Tag SHA:
|
||||
image:
|
||||
name: quay.io/containers/skopeo:latest
|
||||
entrypoint: [""]
|
||||
interruptible: no # W: truthy value should be one of [false, true]
|
||||
cache: []
|
||||
before_script: []
|
||||
stage: Release
|
||||
script:
|
||||
- echo "$CI_REGISTRY_PASSWORD" | skopeo login $CI_REGISTRY -u $CI_REGISTRY_USER --password-stdin # E: line too long (100 > 80 characters)
|
||||
- skopeo inspect oci-archive:$IMAGE_TARBALL
|
||||
- skopeo copy --all oci-archive:$IMAGE_TARBALL docker://$IMAGE_TAG
|
||||
- skopeo copy --all oci-archive:$IMAGE_TARBALL docker://$IMAGE_TAG_BLEEDING
|
||||
rules:
|
||||
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
|
||||
- if: $CI_COMMIT_TAG
|
||||
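Review bot: `Scan Container` carries `allow_failure: true`, so its `--exit-code 1` on HIGH/CRITICAL findings only marks the job as a warning and `Tag SHA` still pushes the image to `$IMAGE_TAG` and `bleeding`; the only vulnerability scan of the built image never gates the Release stage, so drop `allow_failure: true` (or scope it with `allow_failure: exit_codes:` for a deliberate warn-only period) if the Scan stage is meant to block. In `Build Container` the first login passes the credential as `-p $CI_JOB_TOKEN` on the command line, which Docker itself warns is insecure and which can surface the token in process listings and verbose runner logs, while the next line already authenticates to the same GitLab registry with `--password-stdin` — delete the `-p` line. Every job inherits the `docker:dind` service with `command: ["--tls=false"]` and `DOCKER_HOST: tcp://docker:2375/` from `default:`, including the three Trivy jobs and the skopeo job that never call Docker, so move `services:` into `Build Container` and prefer the TLS-enabled dind setup from GitLab's docs over a plaintext daemon socket. All four tool images (`ubuntu:latest`, `docker:latest`, untagged `aquasec/trivy`, `quay.io/containers/skopeo:latest`) are unpinned, so the scan and release steps trust whatever those tags resolve to on a given day; pin at least the trivy and skopeo images to a version tag or an `@sha256:` digest.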