64 lines
3.1 KiB
YAML
64 lines
3.1 KiB
YAML
# Read more about this feature here: https://docs.gitlab.com/ee/user/project/merge_requests/container_scanning.html
|
|
|
|
container_scanning:
|
|
stage: test
|
|
image: docker:stable
|
|
variables:
|
|
DOCKER_DRIVER: overlay2
|
|
# Defining two new variables based on GitLab's CI/CD predefined variables
|
|
# https://docs.gitlab.com/ee/ci/variables/#predefined-environment-variables
|
|
CI_APPLICATION_REPOSITORY: $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG
|
|
CI_APPLICATION_TAG: $CI_COMMIT_SHA
|
|
# Prior to this, you need to have the Container Registry running for your project and setup a build job
|
|
# with at least the following steps:
|
|
#
|
|
# docker build -t $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG .
|
|
# docker push $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA
|
|
#
|
|
# Container Scanning deals with Docker images only so no need to import the project's Git repository:
|
|
GIT_STRATEGY: none
|
|
# Services and containers running in the same Kubernetes pod are all sharing the same localhost address
|
|
# https://docs.gitlab.com/runner/executors/kubernetes.html
|
|
DOCKER_SERVICE: docker
|
|
DOCKER_HOST: tcp://${DOCKER_SERVICE}:2375/
|
|
# https://hub.docker.com/r/arminc/clair-local-scan/tags
|
|
CLAIR_LOCAL_SCAN_VERSION: v2.0.8_fe9b059d930314b54c78f75afe265955faf4fdc1
|
|
## Disable the proxy for clair-local-scan, otherwise Container Scanning will
|
|
## fail when a proxy is used.
|
|
NO_PROXY: ${DOCKER_SERVICE},localhost
|
|
allow_failure: true
|
|
services:
|
|
- docker:stable-dind
|
|
script:
|
|
- if [[ -n "$KUBERNETES_PORT" ]]; then { export DOCKER_SERVICE="localhost" ; export DOCKER_HOST="tcp://${DOCKER_SERVICE}:2375" ; } fi
|
|
- |
|
|
if [[ -n "$CI_REGISTRY_USER" ]]; then
|
|
echo "Logging to GitLab Container Registry with CI credentials..."
|
|
docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
|
|
echo ""
|
|
fi
|
|
- docker run -d --name db arminc/clair-db:latest
|
|
- docker run -p 6060:6060 --link db:postgres -d --name clair --restart on-failure arminc/clair-local-scan:${CLAIR_LOCAL_SCAN_VERSION}
|
|
- apk add -U wget ca-certificates
|
|
- docker pull ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG}
|
|
- wget https://github.com/arminc/clair-scanner/releases/download/v8/clair-scanner_linux_amd64
|
|
- mv clair-scanner_linux_amd64 clair-scanner
|
|
- chmod +x clair-scanner
|
|
- touch clair-whitelist.yml
|
|
- retries=0
|
|
- echo "Waiting for clair daemon to start"
|
|
- while( ! wget -T 10 -q -O /dev/null http://${DOCKER_SERVICE}:6060/v1/namespaces ) ; do sleep 1 ; echo -n "." ; if [ $retries -eq 10 ] ; then echo " Timeout, aborting." ; exit 1 ; fi ; retries=$(($retries+1)) ; done
|
|
- ./clair-scanner -c http://${DOCKER_SERVICE}:6060 --ip $(hostname -i) -r gl-container-scanning-report.json -l clair.log -w clair-whitelist.yml ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG} || true
|
|
artifacts:
|
|
reports:
|
|
container_scanning: gl-container-scanning-report.json
|
|
dependencies: []
|
|
only:
|
|
refs:
|
|
- branches
|
|
variables:
|
|
- $GITLAB_FEATURES =~ /\bcontainer_scanning\b/
|
|
except:
|
|
variables:
|
|
- $CONTAINER_SCANNING_DISABLED
|