Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Build a Docker container and then scan it with Quay Clair.
clair:
tags:
- kubernetes
stage: test
image: docker:stable
variables:
DOCKER_DRIVER: overlay2
DOCKER_HOST: tcp://docker:2375/
## Define two new variables based on GitLab's CI/CD predefined variables
## https://docs.gitlab.com/ee/ci/variables/#predefined-variables-environment-variables
CI_APPLICATION_REPOSITORY: $CI_PROJECT_NAME
CI_APPLICATION_TAG: $CI_COMMIT_SHA
# See https://github.com/docker-library/docker/pull/166
DOCKER_TLS_CERTDIR: ""
allow_failure: true
services:
- name: docker:dind
entrypoint: ["env", "-u", "DOCKER_HOST"]
command: ["dockerd-entrypoint.sh"]
before_script:
- apk add -U wget ca-certificates
- wget https://github.com/arminc/clair-scanner/releases/download/v8/clair-scanner_linux_amd64
- mv clair-scanner_linux_amd64 clair-scanner
- chmod +x clair-scanner
script:
- docker run -d --name db arminc/clair-db:latest
- docker run -p 6060:6060 --link db:postgres -d --name clair --restart on-failure arminc/clair-local-scan:latest
- docker build --build-arg VERSION=${CI_APPLICATION_TAG} -t ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG} .
- touch clair-whitelist.yml
- while( ! wget -q -O /dev/null http://docker:6060/v1/namespaces ) ; do sleep 1 ; done
- retries=0
- echo "Waiting for clair daemon to start"
- while( ! wget -T 10 -q -O /dev/null http://docker:6060/v1/namespaces ) ; do sleep 1 ; echo -n "." ; if [ $retries -eq 10 ] ; then echo " Timeout, aborting." ; exit 1 ; fi ; retries=$(($retries+1)) ; done
- ./clair-scanner -c http://docker:6060 --ip $(hostname -i) -r gl-container-scanning-report.json -l clair.log -w clair-whitelist.yml ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG} || true
artifacts:
paths: [gl-container-scanning-report.json]
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment