Rename container scanning job and artifact
This commit is contained in:
parent
bbeeb18296
commit
5ad7ac34dd
@ -7,10 +7,10 @@ for Vulnerability Static Analysis for containers.
|
|||
|
||||
All you need is a GitLab Runner with the Docker executor (the shared Runners on
|
||||
GitLab.com will work fine). You can then add a new job to `.gitlab-ci.yml`,
|
||||
called `sast:container`:
|
||||
called `container_scanning`:
|
||||
|
||||
```yaml
|
||||
sast:container:
|
||||
container_scanning:
|
||||
image: docker:stable
|
||||
variables:
|
||||
DOCKER_DRIVER: overlay2
|
||||
|
@ -34,12 +34,12 @@ sast:container:
|
|||
- retries=0
|
||||
- echo "Waiting for clair daemon to start"
|
||||
- while( ! wget -T 10 -q -O /dev/null http://docker:6060/v1/namespaces ) ; do sleep 1 ; echo -n "." ; if [ $retries -eq 10 ] ; then echo " Timeout, aborting." ; exit 1 ; fi ; retries=$(($retries+1)) ; done
|
||||
- ./clair-scanner -c http://docker:6060 --ip $(hostname -i) -r gl-sast-container-report.json -l clair.log -w clair-whitelist.yml ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG} || true
|
||||
- ./clair-scanner -c http://docker:6060 --ip $(hostname -i) -r gl-container-scanning-report.json -l clair.log -w clair-whitelist.yml ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG} || true
|
||||
artifacts:
|
||||
paths: [gl-sast-container-report.json]
|
||||
paths: [gl-container-scanning-report.json]
|
||||
```
|
||||
|
||||
The above example will create a `sast:container` job in your CI/CD pipeline, pull
|
||||
The above example will create a `container_scanning` job in your CI/CD pipeline, pull
|
||||
the image from the [Container Registry](../../user/project/container_registry.md)
|
||||
(whose name is defined from the two `CI_APPLICATION_` variables) and scan it
|
||||
for possible vulnerabilities. The report will be saved as an artifact that you
|
||||
|
@ -52,8 +52,15 @@ in our case its named `clair-whitelist.yml`.
|
|||
TIP: **Tip:**
|
||||
Starting with [GitLab Ultimate][ee] 10.4, this information will
|
||||
be automatically extracted and shown right in the merge request widget. To do
|
||||
so, the CI/CD job must be named `sast:container` and the artifact path must be
|
||||
`gl-sast-container-report.json`.
|
||||
so, the CI/CD job must be named `container_scanning` and the artifact path must be
|
||||
`gl-container-scanning-report.json`.
|
||||
[Learn more on container scanning results shown in merge requests](https://docs.gitlab.com/ee/user/project/merge_requests/container_scanning.html).
|
||||
|
||||
CAUTION: **Caution:**
|
||||
Container Scanning was previously using `sast:container` for job name and
|
||||
`gl-sast-container-report.json` for the artifact name. While these old names
|
||||
are still maintained they have been deprecated with GitLab 11.0 and may be removed
|
||||
in next major release, GitLab 12.0. You are advised to update your current `.gitlab-ci.yml`
|
||||
configuration to reflect that change.
|
||||
|
||||
[ee]: https://about.gitlab.com/products/
|
||||
|
|
|
@ -136,7 +136,7 @@ dependency_scanning:
|
|||
artifacts:
|
||||
paths: [gl-dependency-scanning-report.json]
|
||||
|
||||
sast:container:
|
||||
container_scanning:
|
||||
image: docker:stable
|
||||
variables:
|
||||
DOCKER_DRIVER: overlay2
|
||||
|
@ -145,9 +145,9 @@ sast:container:
|
|||
- docker:stable-dind
|
||||
script:
|
||||
- setup_docker
|
||||
- sast_container
|
||||
- container_scanning
|
||||
artifacts:
|
||||
paths: [gl-sast-container-report.json]
|
||||
paths: [gl-container-scanning-report.json]
|
||||
|
||||
dast:
|
||||
stage: dast
|
||||
|
@ -388,7 +388,7 @@ rollout 100%:
|
|||
# Extract "MAJOR.MINOR" from CI_SERVER_VERSION and generate "MAJOR-MINOR-stable" for Security Products
|
||||
export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
|
||||
|
||||
function sast_container() {
|
||||
function container_scanning() {
|
||||
if [[ -n "$CI_REGISTRY_USER" ]]; then
|
||||
echo "Logging to GitLab Container Registry with CI credentials..."
|
||||
docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
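Review bot: The renamed `container_scanning` function still passes the registry password as a command-line argument (`docker login ... -p "$CI_REGISTRY_PASSWORD"`), which exposes `CI_REGISTRY_PASSWORD` to anything that can read the process list on the runner host and to any `set -x` trace, and newer Docker CLIs warn that `-p` is insecure. Since the image is `docker:stable`, the CLI very likely supports `--password-stdin` (added in 17.07), so the login line can become `printf '%s' "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"`. Also consider failing fast here: the login's exit status is currently ignored, so a bad credential surfaces later as a confusing image-pull error from clair-scanner rather than at the login step. The function body continues past the end of this hunk.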
|
||||
|
@ -406,7 +406,7 @@ rollout 100%:
|
|||
retries=0
|
||||
echo "Waiting for clair daemon to start"
|
||||
while( ! wget -T 10 -q -O /dev/null http://docker:6060/v1/namespaces ) ; do sleep 1 ; echo -n "." ; if [ $retries -eq 10 ] ; then echo " Timeout, aborting." ; exit 1 ; fi ; retries=$(($retries+1)) ; done
|
||||
./clair-scanner -c http://docker:6060 --ip $(hostname -i) -r gl-sast-container-report.json -l clair.log -w clair-whitelist.yml ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG} || true
|
||||
./clair-scanner -c http://docker:6060 --ip $(hostname -i) -r gl-container-scanning-report.json -l clair.log -w clair-whitelist.yml ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG} || true
|
||||
}
|
||||
|
||||
function codeclimate() {
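Review bot: The renamed report path is now the contract the merge-request widget keys on, but the `|| true` on the `./clair-scanner` line swallows every failure mode, so a scanner crash, an unreachable Clair daemon, or a failed image pull yields a green job with a missing or empty `gl-container-scanning-report.json` and no findings shown. I believe clair-scanner exits non-zero when it finds vulnerabilities above the whitelist, which is presumably why the exit code is ignored, but the absence of the report should still fail the job: keep the `|| true` if you need the job to pass on findings and add `test -s gl-container-scanning-report.json || { echo "container scanning produced no report" >&2; exit 1; }` after it. While touching the line, quote `"$(hostname -i)"` and the `"${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG}"` argument so an unexpected empty or multi-word value cannot silently change what gets scanned. The `container_scanning` function begins before this hunk.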
|
||||
|