debian-mirror-gitlab/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml

37 lines
1.5 KiB
YAML
Raw Normal View History

2019-12-04 20:38:33 +05:30
# Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/container_scanning/
2019-07-07 11:18:12 +05:30
2019-12-21 20:55:43 +05:30
variables:
2020-05-24 23:13:21 +05:30
# Setting this variable will affect all Security templates
# (SAST, Dependency Scanning, ...)
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
2020-01-01 13:55:28 +05:30
CS_MAJOR_VERSION: 2
2019-12-21 20:55:43 +05:30
2019-07-07 11:18:12 +05:30
container_scanning:
stage: test
2020-05-24 23:13:21 +05:30
image: $SECURE_ANALYZERS_PREFIX/klar:$CS_MAJOR_VERSION
2019-07-07 11:18:12 +05:30
variables:
2019-12-26 22:10:19 +05:30
# By default, use the latest clair vulnerabilities database, however, allow it to be overridden here with a specific image
# to enable container scanning to run offline, or to provide a consistent list of vulnerabilities for integration testing purposes
CLAIR_DB_IMAGE_TAG: "latest"
2020-05-24 23:13:21 +05:30
CLAIR_DB_IMAGE: "$SECURE_ANALYZERS_PREFIX/clair-vulnerabilities-db:$CLAIR_DB_IMAGE_TAG"
2019-12-26 22:10:19 +05:30
# Override the GIT_STRATEGY variable in your `.gitlab-ci.yml` file and set it to `fetch` if you want to provide a `clair-whitelist.yml`
# file. See https://docs.gitlab.com/ee/user/application_security/container_scanning/index.html#overriding-the-container-scanning-template
2019-12-04 20:38:33 +05:30
# for details
2019-07-07 11:18:12 +05:30
GIT_STRATEGY: none
allow_failure: true
services:
2019-12-26 22:10:19 +05:30
- name: $CLAIR_DB_IMAGE
2019-12-04 20:38:33 +05:30
alias: clair-vulnerabilities-db
2019-07-07 11:18:12 +05:30
script:
2020-04-08 14:13:33 +05:30
- /analyzer run
2019-07-07 11:18:12 +05:30
artifacts:
reports:
container_scanning: gl-container-scanning-report.json
dependencies: []
2020-05-24 23:13:21 +05:30
rules:
- if: $CONTAINER_SCANNING_DISABLED
when: never
- if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bcontainer_scanning\b/