Update Auto DevOps template

[ci skip]

Update Auto DevOps template
[ci skip]
4a38b8a1 · Achilleas Pipinellis · a1c0964d · 4a38b8a1
Commit 4a38b8a1 authored Jan 19, 2018 by Achilleas Pipinellis
Hide whitespace changes
Inline Side-by-side

Showing with 40 additions and 2 deletions

vendor/gitlab-ci-yml/Auto-DevOps.gitlab-ci.yml vendor/gitlab-ci-yml/Auto-DevOps.gitlab-ci.yml +40 -2

No files found.
--- a/vendor/gitlab-ci-yml/Auto-DevOps.gitlab-ci.yml
+++ b/vendor/gitlab-ci-yml/Auto-DevOps.gitlab-ci.yml
@@ -42,6 +42,7 @@ stages:
  - build
  - test
  - review
+  - dast
  - staging
  - canary
  - production
@@ -130,6 +131,23 @@ sast:container:
  artifacts:
    paths: [gl-sast-container-report.json]
+dast:
+  stage: dast
+  allow_failure: true
+  image: owasp/zap2docker-stable
+  variables:
+    POSTGRES_DB: "false"
+  script:
+    - dast
+  artifacts:
+    paths: [gl-dast-report.json]
+  only:
+    refs:
+      - branches
+    kubernetes: active
+  except:
+    - master
 review:
  stage: review
  script:
@@ -270,8 +288,8 @@ production:
    docker run -p 6060:6060 --link db:postgres -d --name clair arminc/clair-local-scan:v2.0.1
    apk add -U wget ca-certificates
    docker pull ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG}
-    wget https://github.com/arminc/clair-scanner/releases/download/v6/clair-scanner_linux_386
+    wget https://github.com/arminc/clair-scanner/releases/download/v8/clair-scanner_linux_amd64
-    mv clair-scanner_linux_386 clair-scanner
+    mv clair-scanner_linux_amd64 clair-scanner
    chmod +x clair-scanner
    touch clair-whitelist.yml
    ./clair-scanner -c http://docker:6060 --ip $(hostname -i) -r gl-sast-container-report.json -l clair.log -w clair-whitelist.yml ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG} || true
@@ -327,6 +345,12 @@ production:
      replicas="$new_replicas"
    fi
+    if [[ "$CI_PROJECT_VISIBILITY" != "public" ]]; then
+      secret_name='gitlab-registry'
+    else
+      secret_name=''
+    fi
    helm upgrade --install \
      --wait \
      --set service.enabled="$service_enabled" \
@@ -334,6 +358,7 @@ production:
      --set image.repository="$CI_APPLICATION_REPOSITORY" \
      --set image.tag="$CI_APPLICATION_TAG" \
      --set image.pullPolicy=IfNotPresent \
+      --set image.secrets[0].name="$secret_name" \
      --set application.track="$track" \
      --set application.database_url="$DATABASE_URL" \
      --set service.url="$CI_ENVIRONMENT_URL" \
@@ -462,6 +487,11 @@ production:
  }
  function create_secret() {
+    echo "Create secret..."
+    if [[ "$CI_PROJECT_VISIBILITY" == "public" ]]; then
+      return
+    fi
    kubectl create secret -n "$KUBE_NAMESPACE" \
      docker-registry gitlab-registry \
      --docker-server="$CI_REGISTRY" \
@@ -471,6 +501,14 @@ production:
      -o yaml --dry-run | kubectl replace -n "$KUBE_NAMESPACE" --force -f -
  }
+  function dast() {
+    export CI_ENVIRONMENT_URL=$(cat environment_url.txt)
+    mkdir /zap/wrk/
+    /zap/zap-baseline.py -J gl-dast-report.json -t "$CI_ENVIRONMENT_URL" || true
+    cp /zap/wrk/gl-dast-report.json .
+  }
  function performance() {
    export CI_ENVIRONMENT_URL=$(cat environment_url.txt)