-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy path.gitlab-ci.yml
111 lines (106 loc) · 3.28 KB
/
.gitlab-ci.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
stages:
- build
- scan
- package
variables:
ARTIFACT_COMPRESSION_LEVEL: "fast"
CACHE_COMPRESSION_LEVEL: "fast"
set-vars:
stage: .pre
image: docker.io/alpine:3.15
script:
- cat .env >> build.env
- source build.env
- >
echo "IMAGE_NAME=${INTERNAL_REG}/${APP_NAME}:${APP_VERSION}-${CI_COMMIT_REF_NAME}"
>> build.env
artifacts:
reports:
dotenv: build.env
image-build:
stage: build
image:
name: gcr.io/kaniko-project/executor:v1.8.1-debug
entrypoint: [""]
before_script:
- >
echo "${IMAGE_REGISTRY_CA_CERT}"
| base64 -d >> /kaniko/ssl/certs/ca-certificates.crt
- mkdir -p /kaniko/.docker
- >
echo "{\"auths\":{\"${INTERNAL_REG}\":{\"auth\":\"$(printf
"%s:%s" "${IMAGE_REGISTRY_USER}" "${IMAGE_REGISTRY_PASS}"
| base64 | tr -d '\n')\"}}}" > /kaniko/.docker/config.json
script:
- >
/kaniko/executor
--force
--context "${CI_PROJECT_DIR}"
--dockerfile "${CI_PROJECT_DIR}/Dockerfile"
--target=prod
--cache=true
--destination "${IMAGE_NAME}-unverified"
--build-arg APP_VERSION="${APP_VERSION}"
--build-arg PYTHON_IMG_TAG="${PYTHON_IMG_TAG}"
--build-arg MAINTAINER="${MAINTAINER}"
--build-arg EXTERNAL_REG="${EXTERNAL_REG}"
--build-arg INTERNAL_REG="${INTERNAL_REG}"
image-scan:
stage: scan
image:
name: docker.io/aquasec/trivy:0.23.0
entrypoint: [""]
variables:
GIT_STRATEGY: none
before_script:
- >
echo "${IMAGE_REGISTRY_CA_CERT}"
| base64 -d >> /etc/ssl/certs/ca-certificates.crt
script:
- trivy --version
- time trivy image --clear-cache
- time trivy --cache-dir .trivycache/ image --download-db-only --no-progress
# Create report artifact
- >
time trivy --cache-dir .trivycache/ image --exit-code 0 --ignore-unfixed
--no-progress --format template --template "@/contrib/gitlab.tpl"
--output "$CI_PROJECT_DIR/img-scan-report.json"
"$IMAGE_NAME-unverified"
# Print full report
- >
time trivy --cache-dir .trivycache/ image --exit-code 0 --ignore-unfixed
--no-progress "$IMAGE_NAME"-unverified
# Fail on critical vulnerabilities
- >
time trivy --cache-dir .trivycache/ image --exit-code 1 --ignore-unfixed
--severity CRITICAL --no-progress "$IMAGE_NAME"-unverified
cache:
key: trivy-cache
paths:
- .trivycache/
policy: pull-push
artifacts:
when: always
reports:
container_scanning: img-scan-report.json
image-retag:
stage: package
image: docker.io/regclient/regctl:v0.3-alpine
variables:
GIT_STRATEGY: none
before_script:
- export REG_HOST=${INTERNAL_REG%/*}
- >
echo "{\"hosts\":{\"${REG_HOST}\":{\"tls\":\"enabled\",\"regcert\":
\"$(printf "%s" "${IMAGE_REGISTRY_CERT}" | base64 -d
| awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}')\",\"hostname\":
\"${REG_HOST}\",\"user\":\"${IMAGE_REGISTRY_USER}\",\"pass\":
\"${IMAGE_REGISTRY_PASS}\"}}}" >> /home/appuser/.regctl/config.json
script:
- >
regctl --verbosity debug image copy
"${IMAGE_NAME}-unverified" "${IMAGE_NAME}"
- >
regctl --verbosity debug image copy
"${IMAGE_NAME}" "${INTERNAL_REG}/${APP_NAME}:latest"
- regctl --verbosity debug tag delete "${IMAGE_NAME}-unverified"