2023-03-04 22:38:38 +05:30
|
|
|
# To contribute improvements to CI/CD templates, please follow the Development guide at:
|
|
|
|
# https://docs.gitlab.com/ee/development/cicd/templates.html
|
|
|
|
# This specific template is located at:
|
|
|
|
# https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/Container-Scanning.gitlab-ci.yml
|
|
|
|
|
|
|
|
# Use this template to enable container scanning in your project.
|
|
|
|
# You should add this template to an existing `.gitlab-ci.yml` file by using the `include:`
|
|
|
|
# keyword.
|
|
|
|
# The template should work without modifications but you can customize the template settings if
|
|
|
|
# needed: https://docs.gitlab.com/ee/user/application_security/container_scanning/#customizing-the-container-scanning-settings
|
|
|
|
#
|
|
|
|
# Requirements:
|
|
|
|
# - A `test` stage to be present in the pipeline.
|
|
|
|
# - You must define the image to be scanned in the CS_IMAGE variable. If CS_IMAGE is the
|
|
|
|
# same as $CI_APPLICATION_REPOSITORY:$CI_APPLICATION_TAG, you can skip this.
|
|
|
|
# - Container registry credentials defined by `CS_REGISTRY_USER` and `CS_REGISTRY_PASSWORD` variables if the
|
|
|
|
# image to be scanned is in a private registry.
|
|
|
|
# - For auto-remediation, a readable Dockerfile in the root of the project or as defined by the
|
|
|
|
# CS_DOCKERFILE_PATH variable.
|
|
|
|
#
|
|
|
|
# Configure container scanning with CI/CD variables (https://docs.gitlab.com/ee/ci/variables/index.html).
|
|
|
|
# List of available variables: https://docs.gitlab.com/ee/user/application_security/container_scanning/#available-variables
|
|
|
|
|
|
|
|
variables:
|
|
|
|
CS_ANALYZER_IMAGE: "$CI_TEMPLATE_REGISTRY_HOST/security-products/container-scanning:5"
|
2023-05-27 22:25:52 +05:30
|
|
|
CS_SCHEMA_MODEL: 15
|
2023-03-04 22:38:38 +05:30
|
|
|
|
|
|
|
container_scanning:
|
|
|
|
image: "$CS_ANALYZER_IMAGE$CS_IMAGE_SUFFIX"
|
|
|
|
stage: test
|
|
|
|
variables:
|
|
|
|
# To provide a `vulnerability-allowlist.yml` file, override the GIT_STRATEGY variable in your
|
|
|
|
# `.gitlab-ci.yml` file and set it to `fetch`.
|
|
|
|
# For details, see the following links:
|
|
|
|
# https://docs.gitlab.com/ee/user/application_security/container_scanning/index.html#overriding-the-container-scanning-template
|
|
|
|
# https://docs.gitlab.com/ee/user/application_security/container_scanning/#vulnerability-allowlisting
|
|
|
|
GIT_STRATEGY: none
|
|
|
|
allow_failure: true
|
|
|
|
artifacts:
|
|
|
|
reports:
|
|
|
|
container_scanning: gl-container-scanning-report.json
|
|
|
|
dependency_scanning: gl-dependency-scanning-report.json
|
2023-06-20 00:43:36 +05:30
|
|
|
paths: [gl-container-scanning-report.json, gl-dependency-scanning-report.json, "**/gl-sbom-*.cdx.json"]
|
2023-03-04 22:38:38 +05:30
|
|
|
dependencies: []
|
|
|
|
script:
|
|
|
|
- gtcs scan
|
|
|
|
rules:
|
|
|
|
- if: $CONTAINER_SCANNING_DISABLED
|
|
|
|
when: never
|
|
|
|
- if: $CI_COMMIT_BRANCH &&
|
|
|
|
$CI_GITLAB_FIPS_MODE == "true" &&
|
|
|
|
$CS_ANALYZER_IMAGE !~ /-(fips|ubi)\z/
|
|
|
|
variables:
|
|
|
|
CS_IMAGE_SUFFIX: -fips
|
|
|
|
- if: $CI_COMMIT_BRANCH
|