debian-mirror-gitlab/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml

57 lines
2.7 KiB
YAML
Raw Normal View History

2021-09-30 23:02:18 +05:30
# To contribute improvements to CI/CD templates, please follow the Development guide at:
# https://docs.gitlab.com/ee/development/cicd/templates.html
# This specific template is located at:
# https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml
2021-09-04 01:27:46 +05:30
# Use this template to enable container scanning in your project.
# You should add this template to an existing `.gitlab-ci.yml` file by using the `include:`
# keyword.
# The template should work without modifications but you can customize the template settings if
# needed: https://docs.gitlab.com/ee/user/application_security/container_scanning/#customizing-the-container-scanning-settings
#
# Requirements:
# - A `test` stage to be present in the pipeline.
# - You must define the image to be scanned in the DOCKER_IMAGE variable. If DOCKER_IMAGE is the
# same as $CI_APPLICATION_REPOSITORY:$CI_APPLICATION_TAG, you can skip this.
# - Container registry credentials defined by `DOCKER_USER` and `DOCKER_PASSWORD` variables if the
# image to be scanned is in a private registry.
# - For auto-remediation, a readable Dockerfile in the root of the project or as defined by the
# DOCKERFILE_PATH variable.
#
2021-09-30 23:02:18 +05:30
# Configure container scanning with CI/CD variables (https://docs.gitlab.com/ee/ci/variables/index.html).
2021-09-04 01:27:46 +05:30
# List of available variables: https://docs.gitlab.com/ee/user/application_security/container_scanning/#available-variables
2019-07-07 11:18:12 +05:30
2019-12-21 20:55:43 +05:30
variables:
2021-09-04 01:27:46 +05:30
CS_ANALYZER_IMAGE: registry.gitlab.com/security-products/container-scanning:4
2019-12-21 20:55:43 +05:30
2021-09-04 01:27:46 +05:30
container_scanning:
2022-06-21 17:19:12 +05:30
image: "$CS_ANALYZER_IMAGE$CS_IMAGE_SUFFIX"
2021-09-04 01:27:46 +05:30
stage: test
2019-07-07 11:18:12 +05:30
variables:
2021-09-04 01:27:46 +05:30
# To provide a `vulnerability-allowlist.yml` file, override the GIT_STRATEGY variable in your
# `.gitlab-ci.yml` file and set it to `fetch`.
# For details, see the following links:
# https://docs.gitlab.com/ee/user/application_security/container_scanning/index.html#overriding-the-container-scanning-template
# https://docs.gitlab.com/ee/user/application_security/container_scanning/#vulnerability-allowlisting
2019-07-07 11:18:12 +05:30
GIT_STRATEGY: none
allow_failure: true
2021-04-29 21:17:54 +05:30
artifacts:
reports:
container_scanning: gl-container-scanning-report.json
2022-01-26 12:08:38 +05:30
dependency_scanning: gl-dependency-scanning-report.json
paths: [gl-container-scanning-report.json, gl-dependency-scanning-report.json]
2021-04-29 21:17:54 +05:30
dependencies: []
script:
- gtcs scan
2020-05-24 23:13:21 +05:30
rules:
- if: $CONTAINER_SCANNING_DISABLED
when: never
2022-06-21 17:19:12 +05:30
- if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bcontainer_scanning\b/ &&
$CI_GITLAB_FIPS_MODE == "true" &&
$CS_ANALYZER_IMAGE !~ /-(fips|ubi)\z/
variables:
CS_IMAGE_SUFFIX: -fips
2020-05-24 23:13:21 +05:30
- if: $CI_COMMIT_BRANCH &&
2021-09-04 01:27:46 +05:30
$GITLAB_FEATURES =~ /\bcontainer_scanning\b/