blob: 357acda03021c6b16021abe0e7c9c02183a0da18 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
|
# Read more about this feature here: https://docs.gitlab.com/ee/user/project/merge_requests/container_scanning.html
container_scanning:
stage: test
image: docker:stable
variables:
DOCKER_DRIVER: overlay2
# Defining two new variables based on GitLab's CI/CD predefined variables
# https://docs.gitlab.com/ee/ci/variables/#predefined-environment-variables
CS_IMAGE_REPOSITORY: $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG
CS_IMAGE_TAG: $CI_COMMIT_SHA
# Prior to this, you need to have the Container Registry running for your project and setup a build job
# with at least the following steps:
#
# docker build -t $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG .
# docker push $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA
#
# Also, one can specify a CS_IMAGE variable to scan a custom or external image
#
# Docker registry credentials
CS_REGISTRY_USERNAME: gitlab-ci-token
CS_REGISTRY_PASSWORD: $CI_JOB_TOKEN
CS_REGISTRY: $CI_REGISTRY
allow_failure: true
services:
- docker:stable-dind
script:
- export CS_VERSION=${SP_VERSION:-$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')}
- export CS_IMAGE=${CS_IMAGE:-${CS_IMAGE_REPOSITORY}:${CS_IMAGE_TAG}}
- docker run -d --name db arminc/clair-db:latest
- docker run -p 6060:6060 --link db:postgres -d --name clair --restart on-failure arminc/clair-local-scan:v2.0.6
- |
if [[ "${CS_SKIP_REGISTRY_LOGIN}" != 1 ]]; then
echo "Logging in with user ${CS_REGISTRY_USERNAME}..."
echo ${CS_REGISTRY_PASSWORD} | docker login --username ${CS_REGISTRY_USERNAME} --password-stdin ${CS_REGISTRY}
fi
- docker pull ${CS_IMAGE}
- |
docker run \
-v /var/run/docker.sock:/var/run/docker.sock \
-v "$PWD:/output" \
-w /output \
--link clair \
registry.gitlab.com/gitlab-org/security-products/container-scanning:${CS_VERSION} \
/analyze \
${CS_WHITELIST_FILE:+-w "${CS_WHITELIST_FILE}"} \
${CS_LOG_FILE:+-l "${CS_LOG_FILE}"} \
${CS_REPORT_FILE:+-r "${CS_REPORT_FILE}"} \
${CS_IMAGE} \
|| true # always succeed to upload the artifacts
artifacts:
reports:
container_scanning: gl-container-scanning-report.json
dependencies: []
only:
refs:
- branches
variables:
- $GITLAB_FEATURES =~ /\bcontainer_scanning\b/
except:
variables:
- $CONTAINER_SCANNING_DISABLED
|