2019-12-04 20:38:33 +05:30
|
|
|
# Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/container_scanning/
|
2019-07-07 11:18:12 +05:30
|
|
|
|
2019-12-21 20:55:43 +05:30
|
|
|
variables:
|
2020-05-24 23:13:21 +05:30
|
|
|
# Setting this variable will affect all Security templates
|
|
|
|
|
# (SAST, Dependency Scanning, ...)
|
|
|
|
|
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
|
2021-01-29 00:20:46 +05:30
|
|
|
CS_MAJOR_VERSION: 3
|
2019-12-21 20:55:43 +05:30
|
|
|
|
2021-04-29 21:17:54 +05:30
|
|
|
.cs_common:
|
2019-07-07 11:18:12 +05:30
|
|
|
stage: test
|
2021-02-22 17:27:13 +05:30
|
|
|
image: "$CS_ANALYZER_IMAGE"
|
2019-07-07 11:18:12 +05:30
|
|
|
variables:
|
2019-12-26 22:10:19 +05:30
|
|
|
# Override the GIT_STRATEGY variable in your `.gitlab-ci.yml` file and set it to `fetch` if you want to provide a `clair-whitelist.yml`
|
|
|
|
|
# file. See https://docs.gitlab.com/ee/user/application_security/container_scanning/index.html#overriding-the-container-scanning-template
|
2019-12-04 20:38:33 +05:30
|
|
|
# for details
|
2019-07-07 11:18:12 +05:30
|
|
|
GIT_STRATEGY: none
|
2021-04-17 20:07:23 +05:30
|
|
|
# CS_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
|
|
|
|
|
# override the analyzer image with a custom value. This may be subject to change or
|
|
|
|
|
# breakage across GitLab releases.
|
2021-04-29 21:17:54 +05:30
|
|
|
CS_ANALYZER_IMAGE: $SECURE_ANALYZERS_PREFIX/$CS_PROJECT:$CS_MAJOR_VERSION
|
2019-07-07 11:18:12 +05:30
|
|
|
allow_failure: true
|
2021-04-29 21:17:54 +05:30
|
|
|
artifacts:
|
|
|
|
|
reports:
|
|
|
|
|
container_scanning: gl-container-scanning-report.json
|
|
|
|
|
dependencies: []
|
|
|
|
|
|
|
|
|
|
container_scanning:
|
|
|
|
|
extends: .cs_common
|
|
|
|
|
variables:
|
|
|
|
|
# By default, use the latest clair vulnerabilities database, however, allow it to be overridden here with a specific image
|
|
|
|
|
# to enable container scanning to run offline, or to provide a consistent list of vulnerabilities for integration testing purposes
|
|
|
|
|
CLAIR_DB_IMAGE_TAG: "latest"
|
|
|
|
|
CLAIR_DB_IMAGE: "$SECURE_ANALYZERS_PREFIX/clair-vulnerabilities-db:$CLAIR_DB_IMAGE_TAG"
|
|
|
|
|
CS_PROJECT: 'klar'
|
2019-07-07 11:18:12 +05:30
|
|
|
services:
|
2019-12-26 22:10:19 +05:30
|
|
|
- name: $CLAIR_DB_IMAGE
|
2019-12-04 20:38:33 +05:30
|
|
|
alias: clair-vulnerabilities-db
|
2019-07-07 11:18:12 +05:30
|
|
|
script:
|
2020-04-08 14:13:33 +05:30
|
|
|
- /analyzer run
|
2021-04-29 21:17:54 +05:30
|
|
|
rules:
|
|
|
|
|
- if: $CONTAINER_SCANNING_DISABLED
|
|
|
|
|
when: never
|
|
|
|
|
- if: $CI_COMMIT_BRANCH &&
|
|
|
|
|
$GITLAB_FEATURES =~ /\bcontainer_scanning\b/ &&
|
|
|
|
|
$CS_MAJOR_VERSION =~ /^[0-3]$/
|
|
|
|
|
|
|
|
|
|
container_scanning_new:
|
|
|
|
|
extends: .cs_common
|
|
|
|
|
variables:
|
|
|
|
|
CS_PROJECT: 'container-scanning'
|
|
|
|
|
script:
|
|
|
|
|
- gtcs scan
|
2019-07-07 11:18:12 +05:30
|
|
|
artifacts:
|
2021-04-29 21:17:54 +05:30
|
|
|
paths: [gl-container-scanning-report.json]
|
2020-05-24 23:13:21 +05:30
|
|
|
rules:
|
|
|
|
|
- if: $CONTAINER_SCANNING_DISABLED
|
|
|
|
|
when: never
|
|
|
|
|
- if: $CI_COMMIT_BRANCH &&
|
2021-04-29 21:17:54 +05:30
|
|
|
$GITLAB_FEATURES =~ /\bcontainer_scanning\b/ &&
|
|
|
|
|
$CS_MAJOR_VERSION !~ /^[0-3]$/
|
