# Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/container_scanning/

variables:
  # Setting this variable will affect all Security templates
  # (SAST, Dependency Scanning, ...)
  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
  CS_MAJOR_VERSION: 3

.cs_common:
  stage: test
  image: "$CS_ANALYZER_IMAGE"
  variables:
    # Override the GIT_STRATEGY variable in your `.gitlab-ci.yml` file and set it to `fetch` if you want to provide a `clair-whitelist.yml`
    # file. See https://docs.gitlab.com/ee/user/application_security/container_scanning/index.html#overriding-the-container-scanning-template
    # for details
    GIT_STRATEGY: none
    # CS_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
    # override the analyzer image with a custom value. This may be subject to change or
    # breakage across GitLab releases.
    CS_ANALYZER_IMAGE: $SECURE_ANALYZERS_PREFIX/$CS_PROJECT:$CS_MAJOR_VERSION
  allow_failure: true
  artifacts:
    reports:
      container_scanning: gl-container-scanning-report.json
  dependencies: []

container_scanning:
  extends: .cs_common
  variables:
    # By default, use the latest clair vulnerabilities database, however, allow it to be overridden here with a specific image
    # to enable container scanning to run offline, or to provide a consistent list of vulnerabilities for integration testing purposes
    CLAIR_DB_IMAGE_TAG: "latest"
    CLAIR_DB_IMAGE: "$SECURE_ANALYZERS_PREFIX/clair-vulnerabilities-db:$CLAIR_DB_IMAGE_TAG"
    CS_PROJECT: 'klar'
  services:
    - name: $CLAIR_DB_IMAGE
      alias: clair-vulnerabilities-db
  script:
    - /analyzer run
  rules:
    - if: $CONTAINER_SCANNING_DISABLED
      when: never
    - if: $CI_COMMIT_BRANCH &&
          $GITLAB_FEATURES =~ /\bcontainer_scanning\b/ &&
          $CS_MAJOR_VERSION =~ /^[0-3]$/

container_scanning_new:
  extends: .cs_common
  variables:
    CS_PROJECT: 'container-scanning'
  script:
    - gtcs scan
  artifacts:
    paths: [gl-container-scanning-report.json]
  rules:
    - if: $CONTAINER_SCANNING_DISABLED
      when: never
    - if: $CI_COMMIT_BRANCH &&
          $GITLAB_FEATURES =~ /\bcontainer_scanning\b/ &&
          $CS_MAJOR_VERSION !~ /^[0-3]$/