-
Notifications
You must be signed in to change notification settings - Fork 1
/
.gitlab-ci.yml
115 lines (110 loc) · 3.98 KB
/
.gitlab-ci.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
stages:
- build
- scan
build:
image: docker:latest
stage: build
services:
- docker:dind
before_script:
- docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
script:
- echo "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
- docker build --pull -t "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA" .
- docker push "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
dockerfile_scan:
image: docker:stable
stage: scan
variables:
DOCKER_DRIVER: overlay2
allow_failure: true
services:
- docker:dind
before_script:
- docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
script:
- docker run hadolint/hadolint < Dockerfile >> hadolint-results.txt
artifacts:
paths: [hadolint-results.txt]
expire_in: 1 week
clair_scan:
image: docker:stable
stage: scan
variables:
DOCKER_DRIVER: overlay2
allow_failure: true
services:
- docker:dind
before_script:
- docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
script:
- docker run -d --name db arminc/clair-db:latest
- docker run -p 6060:6060 --link db:postgres -d --name clair --restart on-failure arminc/clair-local-scan:v2.0.1
- apk add -U wget ca-certificates
- docker pull ${CI_REGISTRY_IMAGE}:${CI_COMMIT_SHA}
- wget https://github.com/arminc/clair-scanner/releases/download/v8/clair-scanner_linux_amd64
- mv clair-scanner_linux_amd64 clair-scanner
- chmod +x clair-scanner
- touch clair-whitelist.yml
- while( ! wget -q -O /dev/null http://docker:6060/v1/namespaces ) ; do sleep 1 ; done
- retries=0
- echo "Waiting for clair daemon to start"
- while( ! wget -T 10 -q -O /dev/null http://docker:6060/v1/namespaces ) ; do sleep 1 ; echo -n "." ; if [ $retries -eq 10 ] ; then echo " Timeout, aborting." ; exit 1 ; fi ; retries=$(($retries+1)) ; done
- ./clair-scanner -c http://docker:6060 --ip $(hostname -i) -r clair-scan-report.json -l clair.log -w clair-whitelist.yml ${CI_REGISTRY_IMAGE}:${CI_COMMIT_SHA} || true
artifacts:
paths: [clair-scan-report.json]
expire_in: 1 week
anchore_scan:
image:
name: anchore/anchore-engine:v0.3.0
entrypoint: [""]
stage: scan
services:
- name: anchore/engine-db-preload:v0.3.0
alias: anchore-db
variables:
GIT_STRATEGY: none
ANCHORE_FAIL_ON_POLICY: "false"
ANCHORE_TIMEOUT: 500
script:
- |
curl -o /tmp/anchore_ci_tools.py https://raw.githubusercontent.com/anchore/ci-tools/v0.3.0/scripts/anchore_ci_tools.py
chmod +x /tmp/anchore_ci_tools.py
ln -s /tmp/anchore_ci_tools.py /usr/local/bin/anchore_ci_tools
- anchore_ci_tools --setup
- anchore-cli --u admin --p foobar registry add "$CI_REGISTRY" gitlab-ci-token "$CI_JOB_TOKEN" --skip-validate
- anchore_ci_tools --analyze --report --image "${CI_REGISTRY_IMAGE}:${CI_COMMIT_SHA}" --timeout "$ANCHORE_TIMEOUT"
- |
if [ "$ANCHORE_FAIL_ON_POLICY" == "true" ]; then
anchore-cli evaluate check "${CI_REGISTRY_IMAGE}:${CI_COMMIT_SHA}"
else
set +o pipefail
anchore-cli evaluate check "${CI_REGISTRY_IMAGE}:${CI_COMMIT_SHA}" | tee /dev/null
fi
artifacts:
paths:
- anchore-reports/*
expire_in: 1 week
trivy_scan:
image:
name: docker:stable
stage: scan
services:
- docker:dind
variables:
TRIVY_AUTH_URL: $CI_REGISTRY
TRIVY_USERNAME: $CI_REGISTRY_USER
TRIVY_PASSWORD: $CI_REGISTRY_PASSWORD
before_script:
- docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
- docker pull ${CI_REGISTRY_IMAGE}:${CI_COMMIT_SHA}
- apk add -U wget ca-certificates tar curl git
- export VERSION=0.15.0
- wget https://github.com/aquasecurity/trivy/releases/download/v${VERSION}/trivy_${VERSION}_Linux-64bit.tar.gz
- tar zxvf trivy_${VERSION}_Linux-64bit.tar.gz
script:
- ./trivy -f json -o trivy_result.json --exit-code 0 --auto-refresh ${CI_REGISTRY_IMAGE}:${CI_COMMIT_SHA}
artifacts:
paths:
- trivy_result.json
expire_in: 1 week