# Read more about this feature here: https://docs.gitlab.com/ee/user/project/merge_requests/container_scanning.html

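container_scanning:
  stage: test
  image: docker:stable
  variables:
    DOCKER_DRIVER: overlay2
    # Two variables derived from GitLab's CI/CD predefined variables
    # https://docs.gitlab.com/ee/ci/variables/#predefined-environment-variables
    CS_IMAGE_REPOSITORY: $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG
    CS_IMAGE_TAG: $CI_COMMIT_SHA
    # Before this job runs, the Container Registry must be enabled for the project
    # and a build job must have run with at least the following steps:
    #
    # docker build -t $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG .
    # docker push $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA
    #
    # Alternatively, set CS_IMAGE to scan a custom or external image.
    #
    # Docker registry credentials. The defaults are the job's own registry token;
    # a project that overrides CS_REGISTRY_PASSWORD should do so through a
    # masked CI/CD variable, not by putting a secret in this file.
    CS_REGISTRY_USERNAME: gitlab-ci-token
    CS_REGISTRY_PASSWORD: $CI_JOB_TOKEN
    CS_REGISTRY: $CI_REGISTRY
  # The job never blocks the pipeline: a failed scan still publishes its report
  # (see the `|| true` on the analyzer invocation below).
  allow_failure: true
  services:
    - docker:stable-dind
  script:
    # Analyzer version: SP_VERSION wins; otherwise "<major>-<minor>-stable" is
    # derived from the GitLab server version (e.g. a constructed 11.7.0 -> 11-7-stable).
    - export CS_VERSION=${SP_VERSION:-$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')}
    - export CS_IMAGE=${CS_IMAGE:-${CS_IMAGE_REPOSITORY}:${CS_IMAGE_TAG}}
    # Clair vulnerability database and scanner. The DB image is left unpinned
    # (:latest) so each run pulls current advisory data; the scanner itself is
    # pinned to a fixed version.
    - docker run -d --name db arminc/clair-db:latest
    - docker run -p 6060:6060 --link db:postgres -d --name clair --restart on-failure arminc/clair-local-scan:v2.0.6
    # Registry login, skipped when CS_SKIP_REGISTRY_LOGIN is 1 (e.g. public images).
    # The password goes in on stdin so it never appears on a command line; the
    # expansions are quoted so a token containing spaces or glob characters is
    # passed through intact rather than split or expanded by the shell.
    - |
      if [[ "${CS_SKIP_REGISTRY_LOGIN}" != 1 ]]; then
        echo "Logging in with user ${CS_REGISTRY_USERNAME}..."
        echo "${CS_REGISTRY_PASSWORD}" | docker login --username "${CS_REGISTRY_USERNAME}" --password-stdin "${CS_REGISTRY}"
      fi
    - docker pull "${CS_IMAGE}"
    # Run the analyzer. It is given the Docker daemon's own socket (effectively
    # full control of that daemon) plus the working directory for its output, so
    # only the pinned GitLab analyzer image should receive this mount.
    # The -w/-l/-r flags are passed only when the matching variable is set.
    # `|| true` keeps the step green so the report artifact is always uploaded.
    - |
      docker run \
        -v /var/run/docker.sock:/var/run/docker.sock \
        -v "$PWD:/output" \
        -w /output \
        --link clair \
        "registry.gitlab.com/gitlab-org/security-products/container-scanning:${CS_VERSION}" \
        /analyze \
        ${CS_WHITELIST_FILE:+-w "${CS_WHITELIST_FILE}"} \
        ${CS_LOG_FILE:+-l "${CS_LOG_FILE}"} \
        ${CS_REPORT_FILE:+-r "${CS_REPORT_FILE}"} \
        "${CS_IMAGE}" \
        || true # always succeed to upload the artifacts
  artifacts:
    reports:
      container_scanning: gl-container-scanning-report.json
  # Nothing from earlier stages is needed; skip downloading their artifacts.
  dependencies: []
  only:
    refs:
      - branches
    variables:
      - $GITLAB_FEATURES =~ /\bcontainer_scanning\b/
  except:
    variables:
      - $CONTAINER_SCANNING_DISABLED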