34 lines
1.5 KiB
YAML
34 lines
1.5 KiB
YAML
# Use this template to enable cluster image scanning in your project.
|
|
# You should add this template to an existing `.gitlab-ci.yml` file by using the `include:`
|
|
# keyword.
|
|
# The template should work without modifications but you can customize the template settings if
|
|
# needed: https://docs.gitlab.com/ee/user/application_security/cluster_image_scanning/#customize-the-container-scanning-settings
|
|
#
|
|
# Requirements:
|
|
# - A `test` stage to be present in the pipeline.
|
|
# - You must define the `CIS_KUBECONFIG` variable to allow analyzer to connect to your Kubernetes cluster and fetch found vulnerabilities.
|
|
#
|
|
# Configure container scanning with CI/CD variables (https://docs.gitlab.com/ee/ci/variables/index.html).
|
|
# List of available variables: https://docs.gitlab.com/ee/user/application_security/cluster_image_scanning/#available-variables
|
|
|
|
variables:
|
|
CIS_ANALYZER_IMAGE: registry.gitlab.com/gitlab-org/security-products/analyzers/cluster-image-scanning:0
|
|
|
|
cluster_image_scanning:
|
|
image: "$CIS_ANALYZER_IMAGE"
|
|
stage: test
|
|
allow_failure: true
|
|
artifacts:
|
|
reports:
|
|
cluster_image_scanning: gl-cluster-image-scanning-report.json
|
|
paths: [gl-cluster-image-scanning-report.json]
|
|
dependencies: []
|
|
script:
|
|
- /analyzer run
|
|
rules:
|
|
- if: $CLUSTER_IMAGE_SCANNING_DISABLED
|
|
when: never
|
|
- if: '($KUBECONFIG == null || $KUBECONFIG == "") && ($CIS_KUBECONFIG == null || $CIS_KUBECONFIG == "")'
|
|
when: never
|
|
- if: $CI_COMMIT_BRANCH &&
|
|
$GITLAB_FEATURES =~ /\bcluster_image_scanning\b/
|