parent
a1c0964d71
commit
4a38b8a160
|
@ -42,6 +42,7 @@ stages:
|
|||
- build
|
||||
- test
|
||||
- review
|
||||
- dast
|
||||
- staging
|
||||
- canary
|
||||
- production
|
||||
|
@ -130,6 +131,23 @@ sast:container:
|
|||
artifacts:
|
||||
paths: [gl-sast-container-report.json]
|
||||
|
||||
dast:
|
||||
stage: dast
|
||||
allow_failure: true
|
||||
image: owasp/zap2docker-stable
|
||||
variables:
|
||||
POSTGRES_DB: "false"
|
||||
script:
|
||||
- dast
|
||||
artifacts:
|
||||
paths: [gl-dast-report.json]
|
||||
only:
|
||||
refs:
|
||||
- branches
|
||||
kubernetes: active
|
||||
except:
|
||||
- master
|
||||
|
||||
review:
|
||||
stage: review
|
||||
script:
|
||||
|
@ -270,8 +288,8 @@ production:
|
|||
docker run -p 6060:6060 --link db:postgres -d --name clair arminc/clair-local-scan:v2.0.1
|
||||
apk add -U wget ca-certificates
|
||||
docker pull ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG}
|
||||
wget https://github.com/arminc/clair-scanner/releases/download/v6/clair-scanner_linux_386
|
||||
mv clair-scanner_linux_386 clair-scanner
|
||||
wget https://github.com/arminc/clair-scanner/releases/download/v8/clair-scanner_linux_amd64
|
||||
mv clair-scanner_linux_amd64 clair-scanner
|
||||
chmod +x clair-scanner
|
||||
touch clair-whitelist.yml
|
||||
./clair-scanner -c http://docker:6060 --ip $(hostname -i) -r gl-sast-container-report.json -l clair.log -w clair-whitelist.yml ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG} || true
|
||||
|
@ -327,6 +345,12 @@ production:
|
|||
replicas="$new_replicas"
|
||||
fi
|
||||
|
||||
if [[ "$CI_PROJECT_VISIBILITY" != "public" ]]; then
|
||||
secret_name='gitlab-registry'
|
||||
else
|
||||
secret_name=''
|
||||
fi
|
||||
|
||||
helm upgrade --install \
|
||||
--wait \
|
||||
--set service.enabled="$service_enabled" \
|
||||
|
@ -334,6 +358,7 @@ production:
|
|||
--set image.repository="$CI_APPLICATION_REPOSITORY" \
|
||||
--set image.tag="$CI_APPLICATION_TAG" \
|
||||
--set image.pullPolicy=IfNotPresent \
|
||||
--set image.secrets[0].name="$secret_name" \
|
||||
--set application.track="$track" \
|
||||
--set application.database_url="$DATABASE_URL" \
|
||||
--set service.url="$CI_ENVIRONMENT_URL" \
|
||||
|
@ -462,6 +487,11 @@ production:
|
|||
}
|
||||
|
||||
function create_secret() {
|
||||
echo "Create secret..."
|
||||
if [[ "$CI_PROJECT_VISIBILITY" == "public" ]]; then
|
||||
return
|
||||
fi
|
||||
|
||||
kubectl create secret -n "$KUBE_NAMESPACE" \
|
||||
docker-registry gitlab-registry \
|
||||
--docker-server="$CI_REGISTRY" \
|
||||
|
@ -471,6 +501,14 @@ production:
|
|||
-o yaml --dry-run | kubectl replace -n "$KUBE_NAMESPACE" --force -f -
|
||||
}
|
||||
|
||||
function dast() {
|
||||
export CI_ENVIRONMENT_URL=$(cat environment_url.txt)
|
||||
|
||||
mkdir /zap/wrk/
|
||||
/zap/zap-baseline.py -J gl-dast-report.json -t "$CI_ENVIRONMENT_URL" || true
|
||||
cp /zap/wrk/gl-dast-report.json .
|
||||
}
|
||||
|
||||
function performance() {
|
||||
export CI_ENVIRONMENT_URL=$(cat environment_url.txt)
|
||||
|
||||
|
|
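Review bot: The clair-scanner release binary fetched by the new `wget` line in the `@ -270,8 +288,8` hunk is made executable and run with no integrity check, so whatever that release URL serves at scan time is executed inside the pipeline. Pin a known digest and verify it before the `mv`, e.g. `echo "<SHA256_OF_clair-scanner_linux_amd64>  clair-scanner_linux_amd64" | sha256sum -c -` (the placeholder stands for the digest published for that v8 asset). The same unpinned pattern appears in the new `dast` job's `image: owasp/zap2docker-stable`, a floating tag that can change under the job between runs; a digest-pinned reference such as `owasp/zap2docker-stable@sha256:<digest>` would make the scanner reproducible. Note also that with `allow_failure: true` on the job and `|| true` on the `zap-baseline.py` call in `dast()`, a scan that fails to run and a scan with findings both look like a pass in the pipeline status, so the `gl-dast-report.json` artifact is the only remaining signal.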