# Pipeline-wide settings read by every job below.
variables:
  # Dockerfile handed to the linter (HadoLint job).
  DOCKERFILE: '$CI_PROJECT_DIR/src/Dockerfile'
  # Trivy severity that turns a finding into a failed pipeline.
  SHOWSTOPPER_PRIORITY: 'CRITICAL'
  # Trivy vulnerability-DB cache; same directory as the `.cache` entry
  # under the Trivy job's cache.paths, so it survives between pipelines.
  TRIVYCACHE: '$CI_PROJECT_DIR/.cache'
  # Where each scanner drops its JSON report for the Report stage.
  ARTIFACT_FOLDER: '$CI_PROJECT_DIR/.artifact'
  # Tag given to the image built from src/ and scanned afterwards.
  DOCKERIMAGE: 'nginx-image-test-build'

# Stage order; jobs in the same stage run in parallel.
stages:
  - lint
  - build
  - scan
  - report
  - publish  # no job in this file targets this stage
  - upload
#
#only on branches:
# rules:
# - if: '$CI_COMMIT_TAG == null'
# script:
# - echo $CI_BUILD_REF_SLUG
#
#only on tags:
# rules:
# - if: '$CI_COMMIT_TAG != null'
# script:
# - env
# - echo $CI_PROJECT_NAME-$CI_COMMIT_TAG$
Build_dockerfile:
  # Builds the image that the scan-stage jobs (Dockle, Trivy) inspect.
  stage: build
  when: always
  image: docker:dind
  script:
    # NOTE(review): there is no `services:` entry, so this relies on the runner
    # already providing a Docker daemon (e.g. a mounted socket) that the later
    # scan jobs can also reach — confirm on the runner. The tag is not unique
    # per pipeline, so concurrent pipelines sharing one daemon would overwrite
    # each other's image.
    - docker build -t $DOCKERIMAGE src/
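HadoLint:
  # Basic lint analysis of Dockerfile instructions; findings are recorded
  # as JSON but never fail the job (see the `|| exit 0` below).
  stage: lint
  when: always
  # NOTE(review): if the job cannot even start a shell, the default
  # hadolint/hadolint tag may be the shell-less variant; the
  # hadolint/hadolint:latest-alpine image is a drop-in — confirm.
  image: hadolint/hadolint
  script:
    # Nothing else creates the report directory; without it the redirect
    # below fails and `|| exit 0` would hide that, leaving no artifact.
    - mkdir -p "$ARTIFACT_FOLDER"
    # `|| exit 0` forces a zero exit status, so lint findings never fail
    # the job and the Report stage always gets the JSON. Drop it to make
    # lint blocking.
    - hadolint -f json $DOCKERFILE > $ARTIFACT_FOLDER/hadolint_results.json || exit 0
  after_script:
    - cat $ARTIFACT_FOLDER/hadolint_results.json
  artifacts:
    when: always  # return artifacts even after job failure
    paths:
      - $ARTIFACT_FOLDER/hadolint_results.json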
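# Analysing best practices about docker image (users permissions, instructions followed when image was built, etc.)
Dockle:
  stage: scan
  when: always
  image: docker:git
  variables:
    # Set to a dockle release number (e.g. "<x.y.z>") to pin the scanner;
    # empty keeps the original behaviour of resolving the latest release
    # at run time.
    DOCKLE_PIN_VERSION: ""
  script:
    - mkdir -p "$ARTIFACT_FOLDER"
    # GitHub's unauthenticated API is rate-limited; a failed lookup used to
    # leave VERSION empty and only surface as a broken download URL.
    - export VERSION="${DOCKLE_PIN_VERSION:-$(wget -q -O - https://api.github.com/repos/goodwithtech/dockle/releases/latest | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')}"
    - test -n "$VERSION" || { echo "could not determine dockle version" >&2; exit 1; }
    # NOTE(review): the tarball is run without any integrity check; verifying
    # it against the release's published checksums would be the next step.
    - wget https://github.com/goodwithtech/dockle/releases/download/v${VERSION}/dockle_${VERSION}_Linux-64bit.tar.gz && tar zxf dockle_${VERSION}_Linux-64bit.tar.gz
    # --exit-code 1 makes any dockle finding fail the job.
    - ./dockle --exit-code 1 -f json --output $ARTIFACT_FOLDER/dockle_results.json $DOCKERIMAGE
  after_script:
    - cat $ARTIFACT_FOLDER/dockle_results.json
  artifacts:
    when: always  # return artifacts even after job failure
    paths:
      - $ARTIFACT_FOLDER/dockle_results.json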
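# Analysing docker image and package dependencies against several CVE bases
Trivy:
  stage: scan
  when: always
  image: docker:git
  variables:
    # Set to a trivy release number (e.g. "<x.y.z>") to pin the scanner;
    # empty keeps the original behaviour of resolving the latest release
    # at run time. (Deliberately not TRIVY_VERSION: trivy reads TRIVY_*
    # variables as configuration.)
    TRIVY_PIN_VERSION: ""
  script:
    - mkdir -p "$ARTIFACT_FOLDER"
    # getting the latest Trivy (or the pinned release)
    # rpm is presumably needed so trivy can read RPM-based images — confirm.
    - apk add rpm
    # The knqyf263/trivy repository has since moved to aquasecurity/trivy;
    # these URLs work through GitHub's redirect. A failed API lookup used to
    # leave VERSION empty and only surface as a broken download URL.
    - export VERSION="${TRIVY_PIN_VERSION:-$(wget -q -O - https://api.github.com/repos/knqyf263/trivy/releases/latest | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')}"
    - test -n "$VERSION" || { echo "could not determine trivy version" >&2; exit 1; }
    # NOTE(review): the tarball is run without any integrity check; verifying
    # it against the release's published checksums would be the next step.
    - wget https://github.com/knqyf263/trivy/releases/download/v${VERSION}/trivy_${VERSION}_Linux-64bit.tar.gz && tar zxf trivy_${VERSION}_Linux-64bit.tar.gz
    # displaying all vulnerabilities w/o failing the build
    - ./trivy -d --cache-dir $TRIVYCACHE -f json -o $ARTIFACT_FOLDER/trivy_results.json --exit-code 0 $DOCKERIMAGE
    # write vulnerabilities info to stdout in human readable format (reading pure json is not fun, eh?). You can remove this if you don't need this.
    - ./trivy -d --cache-dir $TRIVYCACHE --exit-code 0 $DOCKERIMAGE
    # failing the build if the SHOWSTOPPER priority is found; only that
    # severity is blocking, lower ones are report-only.
    - ./trivy -d --cache-dir $TRIVYCACHE --exit-code 1 --severity $SHOWSTOPPER_PRIORITY --quiet $DOCKERIMAGE
  artifacts:
    when: always  # return artifacts even after job failure
    paths:
      - $ARTIFACT_FOLDER/trivy_results.json
  cache:
    # Same directory as $TRIVYCACHE, relative to $CI_PROJECT_DIR.
    paths:
      - .cache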
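Report:
  # combining tools outputs into one HTML
  stage: report
  when: always
  # NOTE(review): python:3.5 is end-of-life; bump once the helper script is
  # known to run on a supported interpreter.
  image: python:3.5
  variables:
    # Git ref of the third-party helper script fetched below. It is executed
    # inside the pipeline, so pin this to a commit SHA rather than tracking
    # a mutable branch; "master" keeps the original behaviour.
    CONVERT_SCRIPT_REF: "master"
  script:
    - mkdir -p json
    - cp $ARTIFACT_FOLDER/*.json ./json/
    # NOTE(review): unpinned dependency; pin the version for reproducible reports.
    - pip install json2html
    - wget "https://raw.githubusercontent.com/shad0wrunner/docker_cicd/${CONVERT_SCRIPT_REF}/convert_json_results.py"
    - python ./convert_json_results.py
  artifacts:
    paths:
      - results.html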
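Upload:
  # Commits results.html back to the branch that triggered the pipeline,
  # over SSH with a deploy key supplied through CI variables.
  stage: upload
  when: always
  image: docker:git
  before_script:
    # docker:git is Alpine-based, so the former apt-get fallback could never
    # succeed there; apk is the matching package manager.
    - 'which ssh-agent || apk add --no-cache openssh-client'
    - eval $(ssh-agent -s)
    # GIT_SSH_PRIV_KEY: CI variable holding the private deploy key.
    - printenv GIT_SSH_PRIV_KEY | ssh-add -
    - mkdir -p ~/.ssh
    - chmod 700 ~/.ssh
    # GIT_SSH_KNOWN_HOSTS (new CI variable): known_hosts line(s) for the
    # git.ecdh.hu host key. Unless the runner pre-provisions known_hosts,
    # the non-interactive clone below fails host key verification without
    # it; provisioning the key is the fix, not disabling StrictHostKeyChecking.
    - echo "$GIT_SSH_KNOWN_HOSTS" >> ~/.ssh/known_hosts
    - chmod 600 ~/.ssh/known_hosts
  script:
    - git config --global user.email "xyz@gitlab"
    - git config --global user.name "CI USER"
    - git clone git@git.ecdh.hu:${CI_PROJECT_PATH}.git
    - cd ${CI_PROJECT_NAME}
    # For a tag ref this leaves HEAD detached and the push below is a no-op.
    - git checkout -f $CI_COMMIT_REF_NAME
    # Plain local copy; scp was doing the same thing.
    - cp ../results.html results.html
    - git add -f results.html
    # [skip ci] keeps this commit from triggering another pipeline.
    - git commit -m "Uploading results.html from $CI_COMMIT_SHORT_SHA [skip ci]" || echo "No changes, nothing to commit!"
    # The clone is fresh and the commit sits on the branch tip, so a normal
    # push suffices; --force would silently discard commits pushed meanwhile.
    - git push origin $CI_COMMIT_REF_NAME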