Configure Container Scanning in .gitlab-ci.yml, creating this file if it does not already exist

2022-03-07 11:01:40 +00:00 · 2022-03-07 11:01:40 +00:00 · 35dc2e5960
commit 35dc2e5960
parent 6a7a0c6485
1 changed files with 46 additions and 40 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -1,61 +1,67 @@
-stages:          # List of stages for jobs, and their order of execution
+# You can override the included template(s) by including variable overrides
-  - build
+# SAST customization: https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
-  - test
+# Secret Detection customization: https://docs.gitlab.com/ee/user/application_security/secret_detection/#customizing-settings
-  - deploy
+# Dependency Scanning customization: https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#customizing-the-dependency-scanning-settings
 # Container Scanning customization: https://docs.gitlab.com/ee/user/application_security/container_scanning/#customizing-the-container-scanning-settings
 # Note that environment variables can be set in several places
 # See https://docs.gitlab.com/ee/ci/variables/#cicd-variable-precedence
 # container_scanning:
 #   variables:
 #     DOCKER_IMAGE: ...
 #     DOCKER_USER: ...
 #     DOCKER_PASSWORD: ...
 stages:
 - build
 - test
 - deploy
 image: debian
 docker-build-push:
  # Use the official docker image.
  image: docker:latest
  stage: build
  services:
-    - docker:dind
+  - docker:dind
  before_script:
-    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
+  - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
  # Default branch leaves tag empty (= latest tag)
  # All other branches are tagged with the escaped branch name (commit ref slug)
  script:
-    - |
+  - |
-      if [[ "$CI_COMMIT_BRANCH" == "$CI_DEFAULT_BRANCH" ]]; then
+    if [[ "$CI_COMMIT_BRANCH" == "$CI_DEFAULT_BRANCH" ]]; then
-        tag=""
+      tag=""
-        echo "Running on default branch '$CI_DEFAULT_BRANCH': tag = 'latest'"
+      echo "Running on default branch '$CI_DEFAULT_BRANCH': tag = 'latest'"
-      else
+    else
-        tag=":$CI_COMMIT_REF_SLUG"
+      tag=":$CI_COMMIT_REF_SLUG"
-        echo "Running on branch '$CI_COMMIT_BRANCH': tag = $tag"
+      echo "Running on branch '$CI_COMMIT_BRANCH': tag = $tag"
-      fi
+    fi
-    - docker build --pull -t "$CI_REGISTRY_IMAGE${tag}" .
+  - docker build --pull -t "$CI_REGISTRY_IMAGE${tag}" .
-    - docker push "$CI_REGISTRY_IMAGE${tag}"
+  - docker push "$CI_REGISTRY_IMAGE${tag}"
  only:
-    - master
+  - master
-    - dev
+  - dev
 docker-build:
  image: docker:latest
  stage: build
  services:
-    - docker:dind
+  - docker:dind
  before_script:
-    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
+  - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
  script:
-    - docker build --pull -t "$CI_REGISTRY_IMAGE" .
+  - docker build --pull -t "$CI_REGISTRY_IMAGE" .
  except:
-    - master
+  - master
-    - dev
+  - dev
 before_script:
-  - apt-get update -qq
+- apt-get update -qq
-  # Setup SSH deploy keys
+- which ssh-agent || ( apt-get install -qq openssh-client )
-  - 'which ssh-agent || ( apt-get install -qq openssh-client )'
+- eval $(ssh-agent -s)
-  - eval $(ssh-agent -s)
+- ssh-add <(echo "$SSH_PRIVATE_KEY")
-  - ssh-add <(echo "$SSH_PRIVATE_KEY")
+- mkdir -p ~/.ssh
-  - mkdir -p ~/.ssh
+- '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config'
  - '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config'
 deploy_staging:
  stage: deploy
  script:
-    - ssh $SSH_SERVER "cd /root && docker-compose pull shbot && docker-compose up -d shbot && exit"
+  - ssh $SSH_SERVER "cd /root && docker-compose pull shbot && docker-compose up -d
    shbot && exit"
  only:
-    - master
+  - master
-    
+include:
 - template: Auto-DevOps.gitlab-ci.yml