authorVictor Zagorodny <vzagorodny@gitlab.com>2019-03-28 10:42:53 +0200
committerVictor Zagorodny <vzagorodny@gitlab.com>2019-03-28 10:42:53 +0200
commite42af54a670d7fa4575679ad6edb927cf379218e (patch)
treec6f4ae970757669af77de8d2bf306f0f6e12cebb
parent7732db2249da843cd87e4cdd3d6f968d66c0586f (diff)
downloadgitlab-ce-9244-wrap-clair-scanner-in-own-tool-ce.tar.gz
Update CS template to use container-scanning tool9244-wrap-clair-scanner-in-own-tool-ce
-rw-r--r--lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml44
1 files changed, 29 insertions, 15 deletions
diff --git a/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml b/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml
index ea1e6ae5fdc..357acda0302 100644
--- a/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml
@@ -7,33 +7,47 @@ container_scanning:
DOCKER_DRIVER: overlay2
# Defining two new variables based on GitLab's CI/CD predefined variables
# https://docs.gitlab.com/ee/ci/variables/#predefined-environment-variables
- CI_APPLICATION_REPOSITORY: $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG
- CI_APPLICATION_TAG: $CI_COMMIT_SHA
+ CS_IMAGE_REPOSITORY: $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG
+ CS_IMAGE_TAG: $CI_COMMIT_SHA
# Prior to this, you need to have the Container Registry running for your project and setup a build job
# with at least the following steps:
#
# docker build -t $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG .
# docker push $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA
#
- # Container Scanning deals with Docker images only so no need to import the project's Git repository:
- GIT_STRATEGY: none
+ # Also, one can specify a CS_IMAGE variable to scan a custom or external image
+ #
+ # Docker registry credentials
+ CS_REGISTRY_USERNAME: gitlab-ci-token
+ CS_REGISTRY_PASSWORD: $CI_JOB_TOKEN
+ CS_REGISTRY: $CI_REGISTRY
allow_failure: true
services:
- docker:stable-dind
script:
+ - export CS_VERSION=${SP_VERSION:-$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')}
+ - export CS_IMAGE=${CS_IMAGE:-${CS_IMAGE_REPOSITORY}:${CS_IMAGE_TAG}}
- docker run -d --name db arminc/clair-db:latest
- docker run -p 6060:6060 --link db:postgres -d --name clair --restart on-failure arminc/clair-local-scan:v2.0.6
- - apk add -U wget ca-certificates
- - docker pull ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG}
- - wget https://github.com/arminc/clair-scanner/releases/download/v8/clair-scanner_linux_amd64
- - mv clair-scanner_linux_amd64 clair-scanner
- - chmod +x clair-scanner
- - touch clair-whitelist.yml
- - while( ! wget -q -O /dev/null http://docker:6060/v1/namespaces ) ; do sleep 1 ; done
- - retries=0
- - echo "Waiting for clair daemon to start"
- - while( ! wget -T 10 -q -O /dev/null http://docker:6060/v1/namespaces ) ; do sleep 1 ; echo -n "." ; if [ $retries -eq 10 ] ; then echo " Timeout, aborting." ; exit 1 ; fi ; retries=$(($retries+1)) ; done
- - ./clair-scanner -c http://docker:6060 --ip $(hostname -i) -r gl-container-scanning-report.json -l clair.log -w clair-whitelist.yml ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG} || true
+ - |
+ if [[ "${CS_SKIP_REGISTRY_LOGIN}" != 1 ]]; then
+ echo "Logging in with user ${CS_REGISTRY_USERNAME}..."
+ echo ${CS_REGISTRY_PASSWORD} | docker login --username ${CS_REGISTRY_USERNAME} --password-stdin ${CS_REGISTRY}
+ fi
+ - docker pull ${CS_IMAGE}
+ - |
+ docker run \
+ -v /var/run/docker.sock:/var/run/docker.sock \
+ -v "$PWD:/output" \
+ -w /output \
+ --link clair \
+ registry.gitlab.com/gitlab-org/security-products/container-scanning:${CS_VERSION} \
+ /analyze \
+ ${CS_WHITELIST_FILE:+-w "${CS_WHITELIST_FILE}"} \
+ ${CS_LOG_FILE:+-l "${CS_LOG_FILE}"} \
+ ${CS_REPORT_FILE:+-r "${CS_REPORT_FILE}"} \
+ ${CS_IMAGE} \
+ || true # always succeed to upload the artifacts
artifacts:
reports:
container_scanning: gl-container-scanning-report.json
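Review bot: The new `docker run` bind-mounts `/var/run/docker.sock` into the `container-scanning:${CS_VERSION}` image, which is fetched by a mutable tag derived from `CI_SERVER_VERSION` (or the `SP_VERSION` override) rather than by digest, so whatever is behind that tag at run time gets full control of the Docker daemon the job talks to. Because the job uses the `docker:stable-dind` service, that daemon is presumably the per-job dind instance rather than the runner host, which limits the blast radius, but it still holds the just-pulled application image and any other containers the job started, so the trust placed in the scanner image deserves a comment next to the mount, e.g. `# the scanner drives the job's Docker daemon via the socket; it is trusted as much as the CI server itself`, and ideally an optional `CS_IMAGE_DIGEST`-style pin that users on a fixed GitLab version can set. Two smaller points in the same block: `docker run` is missing `--rm`, so the scanner container is left behind in the daemon, and `${CS_REGISTRY}` is passed to `docker login` unquoted and unchecked, so an empty `CI_REGISTRY` would send the job token to the default registry instead of failing; `docker run --rm \` and `echo "${CS_REGISTRY_PASSWORD}" | docker login --username "${CS_REGISTRY_USERNAME}" --password-stdin "${CS_REGISTRY:?CS_REGISTRY is not set}"` cover both. The `|| true` at the end of the run is inherited from the previous version and is documented, so it is not new here.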