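# Hidden (dot-prefixed) job template for scanning a built image with Trivy.
# Extend it from a concrete job that sets TRIVY_SCAN_IMAGE, e.g.
#   scan-app:
#     extends: .container-scanning
#     variables:
#       TRIVY_SCAN_IMAGE: "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
.container-scanning:
  before_script: []
  after_script: []
  services: []
  image:
    # Scanner pinned by tag. The vulnerability DB is downloaded at run time,
    # so an older scanner still sees new CVEs; pin by digest
    # (`trivy:0.36.1@sha256:...`) if you also want the scanner binary itself
    # to be immutable.
    name: docker.io/aquasec/trivy:0.36.1
    entrypoint: [""]
  stage: test
  variables:
    # No need to clone the repo, we exclusively work on artifacts. See
    # https://docs.gitlab.com/ee/ci/runners/README.html#git-strategy
    # Consequence: a .trivyignore committed in the repository is NOT present
    # in this job; the only ignores are the ones written below.
    GIT_STRATEGY: none
    # Credentials for pulling the image under test from the project registry.
    # CI_REGISTRY_PASSWORD is the per-job token and is masked in job logs.
    TRIVY_AUTH_URL: "$CI_REGISTRY"
    TRIVY_USERNAME: "$CI_REGISTRY_USER"
    TRIVY_PASSWORD: "$CI_REGISTRY_PASSWORD"
    # --ignore-unfixed suppresses findings that have no vendor fix yet. They
    # are still present in the image; drop the flag when you need the full
    # picture. --exit-code 1 fails the job on any HIGH/CRITICAL finding.
    TRIVY_ARGS: "--severity HIGH,CRITICAL --ignore-unfixed --exit-code 1"
    # Space-separated vulnerability IDs ignored for every image scanned
    # through this template.
    # CVE-2019-14697 only affects 32bit
    TRIVY_GLOBAL_IGNORE: "CVE-2019-14697"
    # Path of the ignore file handed to Trivy. It is a file name, not an ID
    # list, so it is passed via --ignorefile rather than appended to itself.
    TRIVY_IGNORE: ".trivyignore"
  script:
    # Fail fast with a clear message instead of letting trivy choke on an
    # empty image argument.
    - test -n "$TRIVY_SCAN_IMAGE" || { echo "TRIVY_SCAN_IMAGE must be set by the extending job" >&2; exit 1; }
    # Materialise the global ignore list; tee also echoes the IDs into the
    # job log so reviewers can see what was suppressed.
    - for id in $TRIVY_GLOBAL_IGNORE; do echo "$id" | tee -a "$TRIVY_IGNORE"; done
    # $TRIVY_ARGS is intentionally unquoted so it splits into separate flags.
    - trivy --quiet image --ignorefile "$TRIVY_IGNORE" $TRIVY_ARGS "$TRIVY_SCAN_IMAGE"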
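############
# BULLSEYE #
############
# python:3.10.8-slim is Debian 11 (bullseye): the libtasn1 pin below
# (4.16.0-2+deb11u1) only resolves on that release, so bumping the base image
# means revisiting the pin.
FROM python:3.10.8-slim

# set work directory
WORKDIR /usr/src/app

# set environment variables
# SECURITY: C_FORCE_ROOT lets Celery start workers as root. No USER
# instruction appears in this file, so the whole container already runs as
# root; add an unprivileged user and drop this variable once cron/postgresql
# permissions allow it.
ENV PYTHONDONTWRITEBYTECODE=1 \
    PYTHONUNBUFFERED=1 \
    C_FORCE_ROOT=true \
    DEV_STAGE=true

# lh3 ENV files. They are created empty at the filesystem root; if a later
# step writes real secrets into /.secrets they get baked into an image layer.
# Keep secrets in run-time mounts or environment instead.
RUN mkdir /.lh3 && touch /.secrets /.config

# install dependencies
# update+install share one layer so a cached `apt-get update` can never be
# paired with a fresh package list. Note: python3-pandas-lib / python3-numpy
# are Debian packages for the system python3, not the /usr/local interpreter
# the app runs with; the pip step below is what provides the app's deps.
# gcc and cmake remain in the final image (explicitly installed packages are
# never auto-removed) — use a separate build stage if image size or attack
# surface matter.
RUN apt-get update && \
    apt-get install -y libtasn1-6=4.16.0-2+deb11u1 jq unzip python3-pandas-lib cron python3-numpy netcat postgresql gcc cmake && \
    apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false && \
    apt-get -y clean && \
    rm -rf /var/lib/apt/lists/*

# Install Python dependencies before copying the rest of the tree so that
# ordinary code edits do not invalidate the pip layer.
COPY requirements/ requirements/
RUN pip install --no-cache-dir --upgrade pip && \
    pip install --no-cache-dir -r requirements/requirements-dev.txt

# copy project
# COPY . . ships everything in the build context; keep a .dockerignore for
# .git, .env files and other local secrets.
COPY . .

# strip CRLF line endings and make the entrypoint executable
RUN sed -i 's/\r$//g' entrypoint.sh && \
    chmod +x entrypoint.sh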