summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAchilleas Pipinellis <axil@gitlab.com>2018-01-19 09:41:26 +0100
committerAchilleas Pipinellis <axil@gitlab.com>2018-01-19 09:41:26 +0100
commit4a38b8a1608023cb65b1595d1cb1590fabcfb5f4 (patch)
tree753213097fb309e6be8b9709fae6ed9e4d995a58
parenta1c0964d7170a98214c37e1a45ce8223c83a33f5 (diff)
downloadgitlab-ce-update-auto-devops-template.tar.gz
Update Auto DevOps templateupdate-auto-devops-template
[ci skip]
-rw-r--r--vendor/gitlab-ci-yml/Auto-DevOps.gitlab-ci.yml42
1 files changed, 40 insertions, 2 deletions
diff --git a/vendor/gitlab-ci-yml/Auto-DevOps.gitlab-ci.yml b/vendor/gitlab-ci-yml/Auto-DevOps.gitlab-ci.yml
index eec356b9f47..5ebad58e171 100644
--- a/vendor/gitlab-ci-yml/Auto-DevOps.gitlab-ci.yml
+++ b/vendor/gitlab-ci-yml/Auto-DevOps.gitlab-ci.yml
@@ -42,6 +42,7 @@ stages:
- build
- test
- review
+ - dast
- staging
- canary
- production
@@ -130,6 +131,23 @@ sast:container:
artifacts:
paths: [gl-sast-container-report.json]
+dast:
+ stage: dast
+ allow_failure: true
+ image: owasp/zap2docker-stable
+ variables:
+ POSTGRES_DB: "false"
+ script:
+ - dast
+ artifacts:
+ paths: [gl-dast-report.json]
+ only:
+ refs:
+ - branches
+ kubernetes: active
+ except:
+ - master
+
review:
stage: review
script:
@@ -270,8 +288,8 @@ production:
docker run -p 6060:6060 --link db:postgres -d --name clair arminc/clair-local-scan:v2.0.1
apk add -U wget ca-certificates
docker pull ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG}
- wget https://github.com/arminc/clair-scanner/releases/download/v6/clair-scanner_linux_386
- mv clair-scanner_linux_386 clair-scanner
+ wget https://github.com/arminc/clair-scanner/releases/download/v8/clair-scanner_linux_amd64
+ mv clair-scanner_linux_amd64 clair-scanner
chmod +x clair-scanner
touch clair-whitelist.yml
./clair-scanner -c http://docker:6060 --ip $(hostname -i) -r gl-sast-container-report.json -l clair.log -w clair-whitelist.yml ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG} || true
@@ -327,6 +345,12 @@ production:
replicas="$new_replicas"
fi
+ if [[ "$CI_PROJECT_VISIBILITY" != "public" ]]; then
+ secret_name='gitlab-registry'
+ else
+ secret_name=''
+ fi
+
helm upgrade --install \
--wait \
--set service.enabled="$service_enabled" \
@@ -334,6 +358,7 @@ production:
--set image.repository="$CI_APPLICATION_REPOSITORY" \
--set image.tag="$CI_APPLICATION_TAG" \
--set image.pullPolicy=IfNotPresent \
+ --set image.secrets[0].name="$secret_name" \
--set application.track="$track" \
--set application.database_url="$DATABASE_URL" \
--set service.url="$CI_ENVIRONMENT_URL" \
@@ -462,6 +487,11 @@ production:
}
function create_secret() {
+ echo "Create secret..."
+ if [[ "$CI_PROJECT_VISIBILITY" == "public" ]]; then
+ return
+ fi
+
kubectl create secret -n "$KUBE_NAMESPACE" \
docker-registry gitlab-registry \
--docker-server="$CI_REGISTRY" \
@@ -471,6 +501,14 @@ production:
-o yaml --dry-run | kubectl replace -n "$KUBE_NAMESPACE" --force -f -
}
+ function dast() {
+ export CI_ENVIRONMENT_URL=$(cat environment_url.txt)
+
+ mkdir /zap/wrk/
+ /zap/zap-baseline.py -J gl-dast-report.json -t "$CI_ENVIRONMENT_URL" || true
+ cp /zap/wrk/gl-dast-report.json .
+ }
+
function performance() {
export CI_ENVIRONMENT_URL=$(cat environment_url.txt)