-
Notifications
You must be signed in to change notification settings - Fork 21
/
.gitlab-ci.yml
76 lines (70 loc) · 2.18 KB
/
.gitlab-ci.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
default:
image: docker:27.1.1
services:
- docker:27.1.1-dind
stages:
- build
- lint
- test
- scan
- deploy
Build:
stage: build
script:
- docker buildx build -t ciromota/nessus-scanner:latest .
Lint:
stage: lint
image: hadolint/hadolint:latest-debian
script:
- hadolint Dockerfile
Test:
stage: test
before_script:
- docker buildx build -t ciromota/nessus-scanner:latest .
script:
- docker container run -td --name nessus-scanner -p 8834:8834 ciromota/nessus-scanner:latest
container_scanning:
stage: scan
image: docker:27.1.1
services:
- name: docker:27.1.1-dind
entrypoint: ["env", "-u", "DOCKER_HOST"]
command: ["dockerd-entrypoint.sh"]
variables:
DOCKER_HOST: tcp://docker:2375/
DOCKER_DRIVER: overlay2
DOCKER_TLS_CERTDIR: ""
IMAGE: trivy-ci-test:$CI_COMMIT_SHA
TRIVY_NO_PROGRESS: "true"
TRIVY_CACHE_DIR: ".trivycache/"
before_script:
- export TRIVY_VERSION=$(wget -qO - "https://api.github.com/repos/aquasecurity/trivy/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
- echo $TRIVY_VERSION
- wget --no-verbose https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz -O - | tar -zxvf -
allow_failure: true
script:
- docker build -t $IMAGE .
- ./trivy image --exit-code 0 --format template -o gl-container-scanning-report.json $IMAGE
- ./trivy image --exit-code 0 --severity LOW $IMAGE
- ./trivy image --exit-code 1 --severity CRITICAL $IMAGE
cache:
paths:
- .trivycache/
# push_and_sign:
# stage: deploy
# image: docker:27.1.1
# services:
# - docker:27.1.1-dind
# variables:
# COSIGN_YES: "true"
# id_tokens:
# SIGSTORE_ID_TOKEN:
# aud: sigstore
# before_script:
# - apk add --update cosign
# - echo $DOCKERHUB_TOKEN | cosign login docker.io -u $DOCKER_USER --password-stdin
# script:
# - docker buildx build -t ciromota/nessus-scanner:latest .
# - docker push ciromota/nessus-scanner:latest
# - IMAGE_DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' ciromota/nessus-scanner)
# - cosign sign $IMAGE_DIGEST