DevSecOps with GitLab Secure -- this file includes the security scans
# Global variables, inherited by every job in this pipeline.
variables:
  VERSION: "v2"
  MYNAME: "Charlie"
# Pipeline stages, listed in execution order.
stages:
  - npmtest
  - sastscan
  - dockerbuild
  # `test` is the default GitLab stage name the SAST template assigns to its
  # jobs, so it has to exist here for the included template to be valid.
  - test
  - runapp
# Unit tests for the Node.js application.
npm test:
  stage: npmtest
  # NOTE(review): node:11 is past end-of-life and receives no security fixes;
  # a maintained LTS tag is preferable -- confirm application compatibility first.
  image: node:11
  script:
    - echo "Welcome $MYNAME"
    # NOTE(review): this installs whatever versions are current at run time; a
    # committed lockfile with `npm ci` would make the job reproducible -- confirm
    # whether a lockfile exists in the repository.
    - npm install express node-fetch mocha
    - npm test
# Override for the `sast` job from the SAST template: run it in the dedicated
# `sastscan` stage instead of the template's default `test` stage.
# NOTE(review): depending on the template version, the individual analyzer jobs
# may be defined separately and keep running in `test` -- confirm in the
# pipeline graph that the scanners actually move.
sast:
  stage: sastscan
# GitLab-provided security templates. `template:` includes resolve against the
# templates shipped with the GitLab instance, so their jobs and defaults can
# change when the instance is upgraded.
include:
  - template: Security/SAST.gitlab-ci.yml
  # DAST is currently disabled.
  # - template: DAST.gitlab-ci.yml
  - template: Container-Scanning.gitlab-ci.yml
  - template: Dependency-Scanning.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml
# Override of the container_scanning job defined by the Container-Scanning
# template.
container_scanning:
  variables:
    # Image to scan: the tag the `build` job pushes for this commit.
    # NOTE(review): confirm `IMAGE` is the variable name the template version in
    # use reads for the scan target; if it is not, the template's default target
    # is scanned instead.
    IMAGE: $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA
    # NOTE(review): DS_* variables are consumed by the Dependency Scanning jobs,
    # but a job-level variable is only visible to this job, so setting it here
    # most likely has no effect -- it belongs in the global `variables` block.
    DS_DISABLE_DIND: "true"  # disable docker-in-docker for dependency scanning
  # NOTE(review): if this `artifacts` block replaces rather than merges with the
  # template's, the `reports:` entry that feeds the security dashboard may be
  # lost -- confirm the job still uploads a security report.
  artifacts:
    paths:
      - gl-container-scanning-report.json
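# Build the application image and push it to the project registry under a tag
# that follows the predefined CI/CD variables recognised by the container
# scanning template.
build:
  stage: dockerbuild
  image: docker:stable
  services:
    # Docker-in-Docker typically needs a runner that permits privileged
    # containers; keep such runners dedicated to trusted pipelines.
    - docker:dind
  variables:
    IMAGE: $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA
  before_script:
    - docker info
    # Log in to the registry GitLab provides for this project ($CI_REGISTRY)
    # rather than a hard-coded host, so login and logout target the same
    # registry. The password is fed on stdin instead of via `-p`, so it does not
    # appear in process listings or shell traces.
    - echo "$CI_REGISTRY_PASSWORD" | docker login "$CI_REGISTRY" -u "$CI_REGISTRY_USER" --password-stdin
  script:
    # Run `docker build --no-cache .` to update dependencies
    - docker build -t "$IMAGE" .
    - docker push "$IMAGE"
  after_script:
    - docker logout "$CI_REGISTRY"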
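# Smoke-test the Node.js application: run the image pushed by `build` and make
# one HTTP request against it.
runapp:
  stage: runapp
  image: docker:stable
  services:
    # Docker-in-Docker typically needs a runner that permits privileged
    # containers; keep such runners dedicated to trusted pipelines.
    - docker:dind
  variables:
    IMAGE_TAG: $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA
  before_script:
    - docker info
    # Same registry for login and logout ($CI_REGISTRY); password on stdin so it
    # is not exposed on the command line.
    - echo "$CI_REGISTRY_PASSWORD" | docker login "$CI_REGISTRY" -u "$CI_REGISTRY_USER" --password-stdin
  script:
    # Pull the image `build` pushed for this commit instead of rebuilding it
    # here, so the container under test is the same artifact that was pushed.
    - docker pull "$IMAGE_TAG"
    - docker run -p 49160:30100 -d "$IMAGE_TAG"
    - apk --no-cache add curl
    # --fail turns an HTTP error status into a non-zero exit so the job fails
    # instead of silently passing; the retry options give the container a
    # moment to start listening before the request is counted as a failure.
    - curl --fail --retry 5 --retry-connrefused --retry-delay 2 docker:49160
  after_script:
    - docker logout "$CI_REGISTRY"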