diff options
| author | Victor Zagorodny <vzagorodny@gitlab.com> | 2019-03-01 20:52:55 +0200 |
|---|---|---|
| committer | Victor Zagorodny <vzagorodny@gitlab.com> | 2019-03-07 19:01:49 +0200 |
| commit | 8230b04ffc39b379e1cf527dbd924cc712d6bd11 (patch) | |
| tree | 7acc93fe59e1d909bdbd72f54b458bbd58d7d2f7 | |
| parent | 7aa3c9b30fc82e91a6b0f72b52343cd935740ee3 (diff) | |
| download | gitlab-ce-8662-add-ci-template-for-container-scanning-ce.tar.gz | |
Add vendored template for Container Scanning job in EE8662-add-ci-template-for-container-scanning-ce
| -rw-r--r-- | lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml | 51 |
1 files changed, 51 insertions, 0 deletions
diff --git a/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml b/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml new file mode 100644 index 00000000000..9eaab08b884 --- /dev/null +++ b/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml @@ -0,0 +1,51 @@ +# Read more about this feature here: https://docs.gitlab.com/ee/user/project/merge_requests/container_scanning.html + +stages: + - test + +container_scanning: + stage: test + image: docker:stable + variables: + DOCKER_DRIVER: overlay2 + # Defining two new variables based on GitLab's CI/CD predefined variables + # https://docs.gitlab.com/ee/ci/variables/#predefined-environment-variables + CI_APPLICATION_REPOSITORY: $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG + CI_APPLICATION_TAG: $CI_COMMIT_SHA + # Prior to this, you need to have the Container Registry running for your project and setup a build job + # with at least the following steps: + # + # docker build -t $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG . + # docker push $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA + # + # Container Scanning deals with Docker images only so no need to import the project's Git repository: + GIT_STRATEGY: none + allow_failure: true + services: + - docker:stable-dind + script: + - docker run -d --name db arminc/clair-db:latest + - docker run -p 6060:6060 --link db:postgres -d --name clair --restart on-failure arminc/clair-local-scan:v2.0.1 + - apk add -U wget ca-certificates + - docker pull ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG} + - wget https://github.com/arminc/clair-scanner/releases/download/v8/clair-scanner_linux_amd64 + - mv clair-scanner_linux_amd64 clair-scanner + - chmod +x clair-scanner + - touch clair-whitelist.yml + - while( ! wget -q -O /dev/null http://docker:6060/v1/namespaces ) ; do sleep 1 ; done + - retries=0 + - echo "Waiting for clair daemon to start" + - while( ! wget -T 10 -q -O /dev/null http://docker:6060/v1/namespaces ) ; do sleep 1 ; echo -n "." ; if [ $retries -eq 10 ] ; then echo " Timeout, aborting." ; exit 1 ; fi ; retries=$(($retries+1)) ; done + - ./clair-scanner -c http://docker:6060 --ip $(hostname -i) -r gl-container-scanning-report.json -l clair.log -w clair-whitelist.yml ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG} || true + artifacts: + reports: + container_scanning: gl-container-scanning-report.json + dependencies: [] + only: + refs: + - branches + variables: + - $GITLAB_FEATURES =~ /\bcontainer_scanning\b/ + except: + variables: + - $CONTAINER_SCANNING_DISABLED |