debian-mirror-gitlab/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml

# Use this template to enable container scanning in your project.
# You should add this template to an existing `.gitlab-ci.yml` file by using the `include:`
# keyword.
# The template should work without modifications but you can customize the template settings if
# needed: https://docs.gitlab.com/ee/user/application_security/container_scanning/#customizing-the-container-scanning-settings
#
# Requirements:
# - A `test` stage to be present in the pipeline.
# - You must define the image to be scanned in the DOCKER_IMAGE variable. If DOCKER_IMAGE is the
#   same as $CI_APPLICATION_REPOSITORY:$CI_APPLICATION_TAG, you can skip this.
# - Container registry credentials defined by `DOCKER_USER` and `DOCKER_PASSWORD` variables if the
# image to be scanned is in a private registry.
# - For auto-remediation, a readable Dockerfile in the root of the project or as defined by the
#   DOCKERFILE_PATH variable.
#
# Configure container scanning with CI/CD variables (https://docs.gitlab.com/ee/ci/variables/README.html).
# List of available variables: https://docs.gitlab.com/ee/user/application_security/container_scanning/#available-variables

variables:
  CS_ANALYZER_IMAGE: registry.gitlab.com/security-products/container-scanning:4

container_scanning:
  image: "$CS_ANALYZER_IMAGE"
  stage: test
  variables:
    # To provide a `vulnerability-allowlist.yml` file, override the GIT_STRATEGY variable in your
    # `.gitlab-ci.yml` file and set it to `fetch`.
    # For details, see the following links:
    # https://docs.gitlab.com/ee/user/application_security/container_scanning/index.html#overriding-the-container-scanning-template
    # https://docs.gitlab.com/ee/user/application_security/container_scanning/#vulnerability-allowlisting
    GIT_STRATEGY: none
  allow_failure: true
  artifacts:
    reports:
      container_scanning: gl-container-scanning-report.json
    paths: [gl-container-scanning-report.json]
  dependencies: []
  script:
    - gtcs scan
  rules:
    - if: $CONTAINER_SCANNING_DISABLED
      when: never
    - if: $CI_COMMIT_BRANCH &&
          $GITLAB_FEATURES =~ /\bcontainer_scanning\b/
New upstream version 14.0.10 2021-09-04 01:27:46 +05:30			`# Use this template to enable container scanning in your project.`
			# You should add this template to an existing `.gitlab-ci.yml` file by using the `include:`
			`# keyword.`
			`# The template should work without modifications but you can customize the template settings if`
			`# needed: https://docs.gitlab.com/ee/user/application_security/container_scanning/#customizing-the-container-scanning-settings`
			`#`
			`# Requirements:`
			# - A `test` stage to be present in the pipeline.
			`# - You must define the image to be scanned in the DOCKER_IMAGE variable. If DOCKER_IMAGE is the`
			`# same as $CI_APPLICATION_REPOSITORY:$CI_APPLICATION_TAG, you can skip this.`
			# - Container registry credentials defined by `DOCKER_USER` and `DOCKER_PASSWORD` variables if the
			`# image to be scanned is in a private registry.`
			`# - For auto-remediation, a readable Dockerfile in the root of the project or as defined by the`
			`# DOCKERFILE_PATH variable.`
			`#`
			`# Configure container scanning with CI/CD variables (https://docs.gitlab.com/ee/ci/variables/README.html).`
			`# List of available variables: https://docs.gitlab.com/ee/user/application_security/container_scanning/#available-variables`
New upstream version 11.10.8+dfsg 2019-07-07 11:18:12 +05:30
New upstream version 12.4.6 2019-12-21 20:55:43 +05:30			`variables:`
New upstream version 14.0.10 2021-09-04 01:27:46 +05:30			`CS_ANALYZER_IMAGE: registry.gitlab.com/security-products/container-scanning:4`
New upstream version 12.4.6 2019-12-21 20:55:43 +05:30
New upstream version 14.0.10 2021-09-04 01:27:46 +05:30			`container_scanning:`
New upstream version 13.7.7 2021-02-22 17:27:13 +05:30			`image: "$CS_ANALYZER_IMAGE"`
New upstream version 14.0.10 2021-09-04 01:27:46 +05:30			`stage: test`
New upstream version 11.10.8+dfsg 2019-07-07 11:18:12 +05:30			`variables:`
New upstream version 14.0.10 2021-09-04 01:27:46 +05:30			# To provide a `vulnerability-allowlist.yml` file, override the GIT_STRATEGY variable in your
			# `.gitlab-ci.yml` file and set it to `fetch`.
			`# For details, see the following links:`
			`# https://docs.gitlab.com/ee/user/application_security/container_scanning/index.html#overriding-the-container-scanning-template`
			`# https://docs.gitlab.com/ee/user/application_security/container_scanning/#vulnerability-allowlisting`
New upstream version 11.10.8+dfsg 2019-07-07 11:18:12 +05:30			`GIT_STRATEGY: none`
			`allow_failure: true`
New upstream version 13.11.2+ds1 2021-04-29 21:17:54 +05:30			`artifacts:`
			`reports:`
			`container_scanning: gl-container-scanning-report.json`
New upstream version 14.0.10 2021-09-04 01:27:46 +05:30			`paths: [gl-container-scanning-report.json]`
New upstream version 13.11.2+ds1 2021-04-29 21:17:54 +05:30			`dependencies: []`
			`script:`
			`- gtcs scan`
New upstream version 13.0.0 2020-05-24 23:13:21 +05:30			`rules:`
			`- if: $CONTAINER_SCANNING_DISABLED`
			`when: never`
			`- if: $CI_COMMIT_BRANCH &&`
New upstream version 14.0.10 2021-09-04 01:27:46 +05:30			`$GITLAB_FEATURES =~ /\bcontainer_scanning\b/`