# To contribute improvements to CI/CD templates, please follow the Development guide at: # https://docs.gitlab.com/ee/development/cicd/templates.html # This specific template is located at: # https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/Container-Scanning.latest.gitlab-ci.yml # Use this template to enable container scanning in your project. # You should add this template to an existing `.gitlab-ci.yml` file by using the `include:` # keyword. # The template should work without modifications but you can customize the template settings if # needed: https://docs.gitlab.com/ee/user/application_security/container_scanning/#customizing-the-container-scanning-settings # # Requirements: # - A `test` stage to be present in the pipeline. # - You must define the image to be scanned in the CS_IMAGE variable. If CS_IMAGE is the # same as $CI_APPLICATION_REPOSITORY:$CI_APPLICATION_TAG, you can skip this. # - Container registry credentials defined by `CS_REGISTRY_USER` and `CS_REGISTRY_PASSWORD` variables if the # image to be scanned is in a private registry. # - For auto-remediation, a readable Dockerfile in the root of the project or as defined by the # CS_DOCKERFILE_PATH variable. # # Configure container scanning with CI/CD variables (https://docs.gitlab.com/ee/ci/variables/index.html). # List of available variables: https://docs.gitlab.com/ee/user/application_security/container_scanning/#available-variables variables: CS_ANALYZER_IMAGE: "$CI_TEMPLATE_REGISTRY_HOST/security-products/container-scanning:5" CS_SCHEMA_MODEL: 15 container_scanning: image: "$CS_ANALYZER_IMAGE$CS_IMAGE_SUFFIX" stage: test variables: # To provide a `vulnerability-allowlist.yml` file, override the GIT_STRATEGY variable in your # `.gitlab-ci.yml` file and set it to `fetch`. # For details, see the following links: # https://docs.gitlab.com/ee/user/application_security/container_scanning/index.html#overriding-the-container-scanning-template # https://docs.gitlab.com/ee/user/application_security/container_scanning/#vulnerability-allowlisting GIT_STRATEGY: none allow_failure: true artifacts: reports: container_scanning: gl-container-scanning-report.json dependency_scanning: gl-dependency-scanning-report.json paths: [gl-container-scanning-report.json, gl-dependency-scanning-report.json, "**/gl-sbom-*.cdx.json"] dependencies: [] script: - gtcs scan rules: - if: $CONTAINER_SCANNING_DISABLED == 'true' || $CONTAINER_SCANNING_DISABLED == '1' when: never # Add the job to merge request pipelines if there's an open merge request. - if: $CI_PIPELINE_SOURCE == "merge_request_event" && $CI_GITLAB_FIPS_MODE == "true" && $CS_ANALYZER_IMAGE !~ /-(fips|ubi)\z/ variables: CS_IMAGE_SUFFIX: -fips - if: $CI_PIPELINE_SOURCE == "merge_request_event" # Don't add it to a *branch* pipeline if it's already in a merge request pipeline. - if: $CI_OPEN_MERGE_REQUESTS when: never # Add the job to branch pipelines. - if: $CI_COMMIT_BRANCH && $CI_GITLAB_FIPS_MODE == "true" && $CS_ANALYZER_IMAGE !~ /-(fips|ubi)\z/ variables: CS_IMAGE_SUFFIX: -fips - if: $CI_COMMIT_BRANCH