-
Notifications
You must be signed in to change notification settings - Fork 8
/
.gitlab-ci.yml
60 lines (51 loc) · 3.01 KB
/
.gitlab-ci.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
# This is a sample gitlab CI configuration showing how to use Cloudrail
# to test Terraform content.
# Based on example: https://gitlab.com/gitlab-org/configure/examples/gitlab-terraform-aws/-/blob/master/.gitlab-ci.yml
# The example TF code we use here only works in v0.13, however Cloudrail supports 0.14 as well.
image: registry.gitlab.com/gitlab-org/terraform-images/releases/0.13
variables:
# We're picking a specific test case to run against.
TEST_ROOT: ${CI_PROJECT_DIR}/test/aws/terraform/ec2_role_share_rule/public_and_private_ec2_same_role
before_script:
- cd ${TEST_ROOT}
stages:
- init_and_plan
- cloudrail
# Cloudrail requires a Terraform plan as an input, so we must create a plan first.
init_and_plan:
stage: init_and_plan
script:
- terraform init
- terraform plan -out=plan.out
artifacts:
name: "$CI_JOB_NAME"
paths:
- ./**/plan.out
- ./**/.terraform
# This will run Cloudrail and produce a report. The report may be in one of two formats:
# 1. GitLab SAST, if this is supported by your version of GitLab ("Security Dashboards" feature). In such a case,
# the results will appear in a "Security" tab in the pipeline.
# 2. JUnit format, if the first is not available. The results will appear in the GitLab Test results panel.
# If there are any rules that are set to MANDATE, and they find violations, we will have results listed
# in the report. This will then cause GitLab to stop the pipeline and provide the list of violations found,
# allowing dev's to fix the violations.
# Also note that rules that are set to ADVISE (which is the default) will _not_ be included in the output by default.
cloudrail:
stage: cloudrail
image: indeni/cloudrail-cli:latest
# In the script below, we are not passing the "--api-key" parameter, and are assuming there's an environment
# variable defined called CLOUDRAIL_API_KEY. The cloudrail container knows to look there if "--api-key" is not provided.
# This ensures the API key is never printed to the console.
script:
- |
if [[ "${GITLAB_FEATURES}" == *"security_dashboard"* ]]; then
echo "You are licensed for GitLab Security Dashboards, you will find scanning results in Security Dashboard"
cloudrail run --tf-plan plan.out --directory . --origin ci --build-link "$CI_PROJECT_URL/-/jobs/$CI_JOB_ID" --execution-source-identifier "$CI_COMMIT_BRANCH - $CI_JOB_ID" --output-format json-gitlab-sast --output-file ${CI_PROJECT_DIR}/cloudrail-sast-report.json --cloud-account-id ${AWS_ACCOUNT_ID} --auto-approve
else
echo "You will find scanning results in the GitLab Test results visualization panel"
cloudrail run --tf-plan plan.out --directory . --origin ci --build-link "$CI_PROJECT_URL/-/jobs/$CI_JOB_ID" --execution-source-identifier "$CI_COMMIT_BRANCH - $CI_JOB_ID" --output-format junit --output-file ${CI_PROJECT_DIR}/cloudrail-junit-report.xml --cloud-account-id ${AWS_ACCOUNT_ID} --auto-approve
fi
artifacts:
reports:
sast: cloudrail-sast-report.json
junit: cloudrail-junit-report.xml