Commit 9e1a2cba authored by Börner, Steffen

Merge branch 'Jona.Meyer-master-patch-52147' into 'master'

Jona.meyer master patch 52147

See merge request !2
parents 61bb6f5e fdc54589
# Hadolint Template

```yaml
include:
  project: 'devsecops/gitlabcitemplates/'
  ref: master
  file: 'templates/hadolint_test.yml'

hadolint-test:
  extends: .hadolint_scan
```
## Description

The template runs Hadolint, which checks the Dockerfile against its best-practice rules. The job fails if Hadolint reports any finding.

Individual rules can be switched off by listing them under `ignored` in a `.hadolint.yaml` file placed next to the Dockerfile. Because the template job runs `hadolint Dockerfile` from the repository root, both the Dockerfile and `.hadolint.yaml` have to live there.

`.hadolint.yaml` can also declare `trustedRegistries`; Hadolint then reports a `FROM` line whose parent image is pulled from a registry not in that list. This only checks where the image name points, not what the image contains, so it complements rather than replaces the Trivy scan described below.

Example `.hadolint.yaml` from the [documentation](https://github.com/hadolint/hadolint):
```yaml
ignored:
  - DL3000
  - SC1010
trustedRegistries:
  - docker.io
  - my-company.com:5000
```
The Hadolint output is saved as a job artifact (`reports/hadolint`). Because the template redirects the output into that file, findings do not show up in the job log; download the artifact to see them.
# Trivy Build Template

```yaml
variables:
  IMAGE_NAME:   # e.g. $CI_REGISTRY_IMAGE
  IMAGE_TAG:    # e.g. $CI_COMMIT_SHORT_SHA
  SEVERITY:     # e.g. HIGH,CRITICAL

include:
  project: 'devsecops/gitlabcitemplates/'
  ref: master
  file: 'templates/trivy_test.yml'

trivy_scan:
  extends:
    - .trivy_scan
```
## Description

The template runs [Trivy](https://github.com/aquasecurity/trivy) against an image in the GitLab registry and reports known CVEs in the packages it contains. This covers OS packages installed with a package manager such as `apt`, `apk` or `yum`, as well as application dependencies detected from the lock files listed [here](https://github.com/aquasecurity/trivy#application-dependencies).

The image has to exist in the registry before the job runs, so place the job in a stage after the build job. For a private registry the `TRIVY_USERNAME`, `TRIVY_PASSWORD` and `TRIVY_AUTH_URL` variables that are commented out in the template have to be set to the job's registry credentials.

The report is available as an artifact.

## Variables

- `IMAGE_NAME`: the name of the image, without the tag
- `IMAGE_TAG`: the tag of the image
- `SEVERITY`: comma-separated list of severities that fail the pipeline. Findings with a severity not in the list are still printed and saved in the report, but do not fail the job.
  Example for all vulnerabilities: `LOW,MEDIUM,HIGH,CRITICAL` (Trivy additionally knows `UNKNOWN`, which this example does not include)
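A complete pipeline that wires both templates together, as an added example rather than code from the `devsecops/gitlabcitemplates` project: it lints the Dockerfile before the image is built, builds and pushes the image to the project's GitLab registry, and only then lets Trivy pull and scan it. The `build` job, the stage names, the `docker:20.10` images and the choice of `$CI_COMMIT_SHORT_SHA` as tag are assumptions; the `TRIVY_*` variables mirror the lines that are commented out in the template and are needed because the project registry is private.

```yaml
# .gitlab-ci.yml (added example; job names, stages and tag scheme are assumptions)
include:
  - project: 'devsecops/gitlabcitemplates/'
    ref: master
    file: 'templates/hadolint_test.yml'
  - project: 'devsecops/gitlabcitemplates/'
    ref: master
    file: 'templates/trivy_test.yml'

stages:
  - lint
  - build
  - scan

variables:
  IMAGE_NAME: $CI_REGISTRY_IMAGE      # project registry path, provided by GitLab
  IMAGE_TAG: $CI_COMMIT_SHORT_SHA     # one immutable tag per commit, so the scan result is tied to one image
  SEVERITY: "HIGH,CRITICAL"           # LOW/MEDIUM findings still appear in the report but do not fail the job

# Lint first: a Dockerfile that violates the rules (or .hadolint.yaml's trustedRegistries) is never built.
hadolint-test:
  extends: .hadolint_scan
  stage: lint

# Build and push so that the scan job can pull the image from the registry.
build:
  stage: build
  image: docker:20.10
  services:
    - docker:20.10-dind
  script:
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
    - docker build --pull -t "$IMAGE_NAME:$IMAGE_TAG" .
    - docker push "$IMAGE_NAME:$IMAGE_TAG"

# Scan the pushed image. The template has the registry credentials commented out,
# so they are set here; `extends` deep-merges these variables with the template's FULL_IMAGE_NAME.
trivy_scan:
  extends:
    - .trivy_scan
  stage: scan
  needs: ["build"]
  variables:
    TRIVY_USERNAME: "$CI_REGISTRY_USER"
    TRIVY_PASSWORD: "$CI_REGISTRY_PASSWORD"
    TRIVY_AUTH_URL: "$CI_REGISTRY"
```

Hadolint runs before the build so a rejected Dockerfile costs no build time; Trivy runs after the push because the template scans a registry image, not the local build context. With `SEVERITY: "HIGH,CRITICAL"` the job still writes the full report to `trivy_report.txt`, which is where LOW and MEDIUM findings can be reviewed.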
```yaml
# Hidden job template, included above as templates/hadolint_test.yml
.hadolint_scan:
  image: hadolint/hadolint:v1.23.0-alpine
  script:
    - mkdir -p reports
    # output goes to the report file only, not to the job log
    - hadolint Dockerfile > reports/hadolint
  artifacts:
    name: "Hadolint-Report $CI_PROJECT_NAME Commit:$CI_COMMIT_SHA"
    expire_in: 1 week
    when: always
    paths:
      - "reports/*"
```
```yaml
# Hidden job template, included above as templates/trivy_test.yml
.trivy_scan:
  image:
    # Unpinned tag, unlike the hadolint template; pinning a version keeps the
    # CLI flags used below stable and makes scan results reproducible.
    name: docker.io/aquasec/trivy:latest
    entrypoint: [""]
  variables:
    # No need to clone the repo, we exclusively work on artifacts. See
    # https://docs.gitlab.com/ee/ci/runners/README.html#git-strategy
    # GIT_STRATEGY: none
    # Registry credentials, required when the image lives in a private registry
    # TRIVY_USERNAME: "$CI_REGISTRY_USER"
    # TRIVY_PASSWORD: "$CI_REGISTRY_PASSWORD"
    # TRIVY_AUTH_URL: "$CI_REGISTRY"
    FULL_IMAGE_NAME: $IMAGE_NAME:$IMAGE_TAG
  script:
    - trivy --version
    # cache cleanup is needed when scanning images with the same tags; it does not remove the database.
    # Note: without --cache-dir this clears trivy's default cache, not the .trivycache/ used below.
    - time trivy image --clear-cache
    # update vulnerability db
    - time trivy --download-db-only --no-progress --cache-dir .trivycache/
    # save report (all severities, never fails)
    - time trivy --exit-code 0 --cache-dir .trivycache/ -o "$CI_PROJECT_DIR/trivy_report.txt" --no-progress "$FULL_IMAGE_NAME"
    # print scan results to the job log (all severities, never fails)
    - time trivy --exit-code 0 --cache-dir .trivycache/ --no-progress "$FULL_IMAGE_NAME"
    # fail the pipeline if any finding has a severity listed in $SEVERITY
    - time trivy --exit-code 1 --cache-dir .trivycache/ --severity $SEVERITY --no-progress "$FULL_IMAGE_NAME"
  cache:
    paths:
      - .trivycache/
  artifacts:
    name: "Trivy-Report $CI_PROJECT_NAME Commit:$CI_COMMIT_SHA"
    expire_in: 1 week
    when: always
    paths:
      - "$CI_PROJECT_DIR/trivy_report.txt"
```