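---
# GitLab CI pipeline: scan the checkout, build an OCI tarball, scan the
# tarball, then push it with skopeo.
# NOTE(review): every image here (`ubuntu:latest`, `docker:latest`,
# `aquasec/trivy`, `skopeo:latest`) is unpinned; pinning a tag or digest
# makes the build reproducible and the toolchain auditable.
image: ubuntu:latest

stages:
  - Scan Early
  - Build
  - Scan
  - Release

before_script: []

variables:
  REGISTRY: registry.gitlab.com/$CI_PROJECT_NAMESPACE/$CI_PROJECT_NAME
  DOCKER_HOST: tcp://docker:2375/
  DOCKER_DRIVER: overlay2
  # Empty value disables TLS for the dind service, matching the
  # `--tls=false` passed to it below; the daemon is only reachable on the
  # job's service network.
  DOCKER_TLS_CERTDIR: ""
  IMAGE_TARBALL: container-$CI_COMMIT_SHORT_SHA.tar
  IMAGE_TAG: $REGISTRY:$CI_COMMIT_SHORT_SHA
  # IMAGE_TAG_RELEASE and IMAGE_TAG_LATEST are not referenced by the jobs
  # shown in this part of the file — presumably used by a later job; verify.
  IMAGE_TAG_RELEASE: $REGISTRY:$CI_COMMIT_TAG
  IMAGE_TAG_BLEEDING: $REGISTRY:bleeding
  IMAGE_TAG_LATEST: $REGISTRY:latest

default:
  # Canonical booleans (`true`/`false`) instead of `yes`/`no`, which differ
  # between YAML 1.1 and 1.2 parsers.
  interruptible: true
  retry: 2
  services:
    - name: docker:dind
      alias: docker
      command: ["--tls=false"]
  cache:
    - key: trivy-db
      paths:
        - .trivy

# Lightweight scanning where we check for repo misconfigs
Trivy Secrets:
  image:
    name: aquasec/trivy
    entrypoint: [""]
  stage: Scan Early
  retry: 0
  script:
    # No `--scanners` given, so trivy's default `fs` scanner set is used.
    - trivy fs --exit-code 1 ./

Trivy Misconfiguration:
  image:
    name: aquasec/trivy
    entrypoint: [""]
  stage: Scan Early
  retry: 0
  script:
    - trivy config --severity HIGH,CRITICAL --exit-code 1 ./

# Building
Build Container:
  image: docker:latest
  cache: []
  before_script: []
  stage: Build
  script:
    # Basic Docker setup
    - docker --version
    # Authenticate to the project registry. The secret is fed over stdin so
    # it never appears in argv or the job log; a second `docker login -p`
    # against the same registry host would add nothing and leak the token.
    - >-
      echo "$CI_REGISTRY_PASSWORD" |
      docker login $CI_REGISTRY -u $CI_REGISTRY_USER --password-stdin
    # Set up build environment
    - docker buildx create --use
    - docker buildx inspect --bootstrap
    # Build the container into an OCI tarball (nothing is pushed here).
    - >-
      docker buildx build
      --platform linux/amd64
      --tag=$IMAGE_TAG
      --output type=oci,dest=$IMAGE_TARBALL
    # Last-minute debug info
    - docker images
  artifacts:
    paths:
      - $IMAGE_TARBALL
    expire_in: 1h

# Meaty scanning for package vulns
Scan Container:
  image:
    name: aquasec/trivy
    entrypoint: [""]
  stage: Scan
  # NOTE(review): with allow_failure the job only warns on HIGH/CRITICAL
  # findings and the Release stage still runs; remove it to gate releases
  # on this scan.
  allow_failure: true
  retry: 0
  before_script:
    - mkdir container
    - tar xf $IMAGE_TARBALL -C container
  script:
    - >-
      trivy image
      --input container
      --platform linux/amd64
      --scanners vuln,secret,misconfig
      --severity HIGH,CRITICAL
      --ignore-unfixed
      --exit-code 1

# OCI image tagging
Tag SHA:
  image:
    name: quay.io/containers/skopeo:latest
    entrypoint: [""]
  interruptible: false
  cache: []
  before_script: []
  stage: Release
  script:
    # Password over stdin, same as the build job.
    - >-
      echo "$CI_REGISTRY_PASSWORD" |
      skopeo login $CI_REGISTRY -u $CI_REGISTRY_USER --password-stdin
    - skopeo inspect oci-archive:$IMAGE_TARBALL
    - skopeo copy --all oci-archive:$IMAGE_TARBALL docker://$IMAGE_TAG
    - skopeo copy --all oci-archive:$IMAGE_TARBALL docker://$IMAGE_TAG_BLEEDING
  # Runs on default-branch pipelines and on tag pipelines; both push the
  # SHA tag and move `bleeding`.
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
    - if: $CI_COMMIT_TAG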