92 lines
3.5 KiB
YAML
92 lines
3.5 KiB
YAML
|
# This template is provided and maintained by Indeni, an official Technology Partner with GitLab.
|
||
|
# See https://about.gitlab.com/partners/technology-partners/#security for more information.
|
||
|
|
||
|
# For more information about Indeni Cloudrail: https://indeni.com/cloudrail/
|
||
|
#
|
||
|
# This file shows an example of using Indeni Cloudrail with GitLab CI/CD.
|
||
|
# It is not designed to be included in an existing CI/CD configuration with the "include:" keyword.
|
||
|
# Documentation about this integration: https://indeni.com/doc-indeni-cloudrail/integrate-with-ci-cd/gitlab-instructions
|
||
|
#
|
||
|
# For an example of this used in a GitLab repository, see: https://gitlab.com/indeni/cloudrail-demo/-/blob/master/.gitlab-ci.yml
|
||
|
|
||
|
# The sast-report output complies with GitLab's format. This report displays Cloudrail's
|
||
|
# results in the Security tab in the pipeline view, if you have that feature enabled
|
||
|
# (GitLab Ultimate only). Otherwise, Cloudrail generates a JUnit report, which displays
|
||
|
# in the "Test summary" in merge requests.
|
||
|
|
||
|
# Note that Cloudrail's input is the Terraform plan. That is why we've included in this
|
||
|
# template an example of doing that. You are welcome to replace it with your own way
|
||
|
# of generating a Terraform plan.
|
||
|
|
||
|
# Before you can use this template, get a Cloudrail API key from the Cloudrail web
|
||
|
# user interface. Save it as a CI/CD variable named CLOUDRAIL_API_KEY in your project
|
||
|
# settings.
|
||
|
|
||
|
variables:
|
||
|
TEST_ROOT: ${CI_PROJECT_DIR}/my_folder_with_terraform_content
|
||
|
|
||
|
default:
|
||
|
before_script:
|
||
|
- cd ${CI_PROJECT_DIR}/my_folder_with_terraform_content
|
||
|
|
||
|
stages:
|
||
|
- init_and_plan
|
||
|
- cloudrail
|
||
|
|
||
|
init_and_plan:
|
||
|
stage: init_and_plan
|
||
|
image: registry.gitlab.com/gitlab-org/terraform-images/releases/0.13
|
||
|
rules:
|
||
|
- if: $SAST_DISABLED
|
||
|
when: never
|
||
|
- if: $CI_COMMIT_BRANCH
|
||
|
exists:
|
||
|
- '**/*.tf'
|
||
|
script:
|
||
|
- terraform init
|
||
|
- terraform plan -out=plan.out
|
||
|
artifacts:
|
||
|
name: "$CI_COMMIT_BRANCH-terraform_plan"
|
||
|
paths:
|
||
|
- ./**/plan.out
|
||
|
- ./**/.terraform
|
||
|
|
||
|
cloudrail_scan:
|
||
|
stage: cloudrail
|
||
|
image: indeni/cloudrail-cli:1.2.44
|
||
|
rules:
|
||
|
- if: $SAST_DISABLED
|
||
|
when: never
|
||
|
- if: $CI_COMMIT_BRANCH
|
||
|
exists:
|
||
|
- '**/*.tf'
|
||
|
script:
|
||
|
- |
|
||
|
if [[ "${GITLAB_FEATURES}" == *"security_dashboard"* ]]; then
|
||
|
echo "You are licensed for GitLab Security Dashboards. Your scan results will display in the Security Dashboard."
|
||
|
cloudrail run --tf-plan plan.out \
|
||
|
--directory . \
|
||
|
--api-key ${CLOUDRAIL_API_KEY} \
|
||
|
--origin ci \
|
||
|
--build-link "$CI_PROJECT_URL/-/jobs/$CI_JOB_ID" \
|
||
|
--execution-source-identifier "$CI_COMMIT_BRANCH - $CI_JOB_ID" \
|
||
|
--output-format json-gitlab-sast \
|
||
|
--output-file ${CI_PROJECT_DIR}/cloudrail-sast-report.json \
|
||
|
--auto-approve
|
||
|
else
|
||
|
echo "Your scan results will display in the GitLab Test results visualization panel."
|
||
|
cloudrail run --tf-plan plan.out \
|
||
|
--directory . \
|
||
|
--api-key ${CLOUDRAIL_API_KEY} \
|
||
|
--origin ci \
|
||
|
--build-link "$CI_PROJECT_URL/-/jobs/$CI_JOB_ID" \
|
||
|
--execution-source-identifier "$CI_COMMIT_BRANCH - $CI_JOB_ID" \
|
||
|
--output-format junit \
|
||
|
--output-file ${CI_PROJECT_DIR}/cloudrail-junit-report.xml \
|
||
|
--auto-approve
|
||
|
fi
|
||
|
artifacts:
|
||
|
reports:
|
||
|
sast: cloudrail-sast-report.json
|
||
|
junit: cloudrail-junit-report.xml
|