variables:
  # Dockerfile that HadoLint checks and Build_dockerfile builds.
  DOCKERFILE: "$CI_PROJECT_DIR/src/Dockerfile"
  # Trivy severity that fails the pipeline (used by the last scan in the Trivy job).
  SHOWSTOPPER_PRIORITY: "CRITICAL"
  # Trivy vulnerability-DB cache; the Trivy job persists it via `cache.paths: .cache`.
  TRIVYCACHE: "$CI_PROJECT_DIR/.cache"
  # Every scanner writes its JSON result here so the Report job can collect them.
  ARTIFACT_FOLDER: "$CI_PROJECT_DIR/.artifact"
  # Local tag applied by Build_dockerfile and scanned by Dockle and Trivy.
  DOCKERIMAGE: "nginx-image-test-build"
stages:
  - lint     # HadoLint
  - build    # Build_dockerfile
  - scan     # Dockle, Trivy
  - report   # Report
  - publish  # no job in this file uses this stage
  - upload   # Upload

# Kept from the original as inactive examples of branch-only vs. tag-only rules.
#
# only on branches:
#   rules:
#     - if: '$CI_COMMIT_TAG == null'
#   script:
#     - echo $CI_BUILD_REF_SLUG
#
# only on tags:
#   rules:
#     - if: '$CI_COMMIT_TAG != null'
#   script:
#     - env
#     - echo $CI_PROJECT_NAME-$CI_COMMIT_TAG$   # the trailing "$" looks like a typo
Build_dockerfile:
  stage: build
  # NOTE(review): docker:dind is used as the job image with no `services:` entry,
  # and the built image is never pushed to a registry. The Dockle and Trivy jobs
  # later scan $DOCKERIMAGE by name, so this setup presumably relies on a runner
  # whose Docker daemon is shared between jobs — confirm against the runner config.
  image: docker:dind
  when: always
  script:
    - docker build -t $DOCKERIMAGE src/
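HadoLint:
  # Basic lint analysis of Dockerfile instructions.
  when: always
  stage: lint
  # NOTE(review): the job runs shell commands, so the chosen tag of this image
  # must ship a shell — confirm which hadolint/hadolint tag the runner pulls.
  image: hadolint/hadolint
  after_script:
    - cat $ARTIFACT_FOLDER/hadolint_results.json
  script:
    # No earlier step creates $ARTIFACT_FOLDER; without it the redirect below
    # fails and the `|| exit 0` hides that, leaving no report for the Report job.
    - mkdir -p $ARTIFACT_FOLDER
    # Deliberately best-effort: hadolint's non-zero exit (findings or errors) is
    # swallowed so lint never gates the pipeline; the JSON is still archived.
    - hadolint -f json $DOCKERFILE > $ARTIFACT_FOLDER/hadolint_results.json || exit 0
  artifacts:
    when: always  # return artifacts even after job failure
    paths:
      - $ARTIFACT_FOLDER/hadolint_results.json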
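# Analysing best practices about docker image (users permissions, instructions followed when image was built, etc.)
Dockle:
  when: always
  stage: scan
  image: docker:git
  after_script:
    - cat $ARTIFACT_FOLDER/dockle_results.json
  script:
    # No earlier step creates $ARTIFACT_FOLDER; dockle writes --output into it.
    - mkdir -p $ARTIFACT_FOLDER
    # Resolves the newest dockle release at run time (unauthenticated GitHub API
    # call, so rate limits can leave VERSION empty and the download 404s) and runs
    # the downloaded binary without any integrity check. For a reproducible and
    # tamper-evident toolchain, pin VERSION and verify the archive's published
    # checksum/signature before executing it — left as-is here as a policy choice.
    - export VERSION=$(wget -q -O - https://api.github.com/repos/goodwithtech/dockle/releases/latest | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
    - wget https://github.com/goodwithtech/dockle/releases/download/v${VERSION}/dockle_${VERSION}_Linux-64bit.tar.gz && tar zxf dockle_${VERSION}_Linux-64bit.tar.gz
    # --exit-code 1 fails the job on any finding; the JSON is still archived below.
    # NOTE(review): scanning $DOCKERIMAGE by name assumes the image built by
    # Build_dockerfile is visible to this job's Docker daemon — confirm.
    - ./dockle --exit-code 1 -f json --output $ARTIFACT_FOLDER/dockle_results.json $DOCKERIMAGE
  artifacts:
    when: always  # return artifacts even after job failure
    paths:
      - $ARTIFACT_FOLDER/dockle_results.json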
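# Analysing docker image and package dependencies against several CVE bases
Trivy:
  when: always
  stage: scan
  image: docker:git
  script:
    # No earlier step creates $ARTIFACT_FOLDER; the first trivy run writes -o into it.
    - mkdir -p $ARTIFACT_FOLDER
    # rpm is presumably needed by trivy to inspect RPM-based images — TODO confirm.
    - apk add rpm
    # getting the latest Trivy: same unpinned, unverified download as in the Dockle
    # job; pin VERSION and verify the archive for a tamper-evident toolchain.
    # NOTE(review): the project later moved from knqyf263/trivy to the aquasecurity
    # organisation; GitHub redirects renamed repositories, but confirm these URLs
    # still resolve.
    - export VERSION=$(wget -q -O - https://api.github.com/repos/knqyf263/trivy/releases/latest | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
    - wget https://github.com/knqyf263/trivy/releases/download/v${VERSION}/trivy_${VERSION}_Linux-64bit.tar.gz && tar zxf trivy_${VERSION}_Linux-64bit.tar.gz
    # Three passes over the same image (-d enables debug output on all of them):
    # 1) full JSON report for the Report job, never failing the build
    - ./trivy -d --cache-dir $TRIVYCACHE -f json -o $ARTIFACT_FOLDER/trivy_results.json --exit-code 0 $DOCKERIMAGE
    # 2) human-readable table on stdout (reading pure json is not fun, eh?);
    #    remove this pass if you do not need it
    - ./trivy -d --cache-dir $TRIVYCACHE --exit-code 0 $DOCKERIMAGE
    # 3) the gate: fail the job if anything at $SHOWSTOPPER_PRIORITY is found
    - ./trivy -d --cache-dir $TRIVYCACHE --exit-code 1 --severity $SHOWSTOPPER_PRIORITY --quiet $DOCKERIMAGE
  artifacts:
    when: always  # return artifacts even after job failure
    paths:
      - $ARTIFACT_FOLDER/trivy_results.json
  cache:
    # Matches TRIVYCACHE so the vulnerability DB survives between pipelines.
    paths:
      - .cache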
Report:
  # Combines the scanners' JSON outputs into one results.html.
  stage: report
  # Runs even when a scan gate failed; the scan jobs archive their JSON with
  # `artifacts.when: always`, so the report still has input.
  when: always
  # NOTE(review): Python 3.5 is end-of-life and no longer receives security fixes.
  image: python:3.5
  script:
    - mkdir json
    - cp $ARTIFACT_FOLDER/*.json ./json/
    # unpinned dependency; pin a version for reproducible builds
    - pip install json2html
    # NOTE(review): this fetches and executes a script from a third-party repo's
    # master branch on every run — whoever controls that branch controls this job.
    # Vendor the script into this repository or pin the URL to a specific commit
    # and verify its hash before running it.
    - wget https://raw.githubusercontent.com/shad0wrunner/docker_cicd/master/convert_json_results.py
    - python ./convert_json_results.py
  artifacts:
    paths:
      - results.html
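Upload:
  # Commits results.html back to the built branch.
  stage: upload
  when: always
  image: docker:git
  before_script:
    # NOTE(review): docker:git is, as far as I know, Alpine-based, so the apt-get
    # fallback would itself fail if ssh-agent were missing — confirm the image
    # ships openssh-client, or switch the fallback to apk.
    - 'which ssh-agent || ( apt-get update -y && apt-get install openssh-client -y )'
    - eval $(ssh-agent -s)
    # GIT_SSH_PRIV_KEY should be a protected CI variable holding a deploy key with
    # write access to this repository only (least privilege).
    - printenv GIT_SSH_PRIV_KEY | ssh-add -
    - mkdir -p ~/.ssh
    # The original left known_hosts empty, which either fails the clone
    # non-interactively or tempts disabling StrictHostKeyChecking and thereby
    # allows a MITM on the push. Pin the server's host key instead:
    # GIT_SSH_KNOWN_HOSTS is a CI variable (name chosen here; set it in the project
    # settings) containing the git server's known_hosts line.
    - echo "$GIT_SSH_KNOWN_HOSTS" >> ~/.ssh/known_hosts
  script:
    - git config --global user.email "xyz@gitlab"
    - git config --global user.name "CI USER"
    - git clone git@git.ecdh.hu:${CI_PROJECT_PATH}.git
    - cd ${CI_PROJECT_NAME}
    - git checkout -f $CI_COMMIT_REF_NAME
    # Plain local copy; the original used scp with no remote, which does the same.
    - cp ../results.html results.html
    - git add -f results.html
    # "[skip ci]" keeps this commit from re-triggering the pipeline.
    - git commit -m "Uploading results.html from $CI_COMMIT_SHORT_SHA [skip ci]" || echo "No changes, nothing to commit!"
    # No --force: the commit sits on a fresh clone of $CI_COMMIT_REF_NAME, so a
    # fast-forward push succeeds; if the branch moved meanwhile, failing here is
    # safer than silently overwriting the newer commits.
    - git push origin $CI_COMMIT_REF_NAME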