Commit 1ca796e4 authored by Mikołaj Wawrzyniak's avatar Mikołaj Wawrzyniak

Merge branch 'deprecated_but_keep_support_for_klar_up_to_3' into 'master'

Deprecate but keep support for Klar

See merge request gitlab-org/gitlab!57281
parents 97d7e378 52972c12
---
title: Deprecate but keep support for Klar up to version 3. A new analyzer based on
Trivy will be used from version 4 onwards
merge_request: 57281
author:
type: changed
...@@ -33,6 +33,16 @@ RSpec.describe 'Container-Scanning.gitlab-ci.yml' do ...@@ -33,6 +33,16 @@ RSpec.describe 'Container-Scanning.gitlab-ci.yml' do
end end
context 'by default' do context 'by default' do
it 'includes job' do
expect(build_names).to match_array(%w[container_scanning_deprecated])
end
end
context 'with CS_MAJOR_VERSION greater than 3' do
before do
create(:ci_variable, project: project, key: 'CS_MAJOR_VERSION', value: '4')
end
it 'includes job' do it 'includes job' do
expect(build_names).to match_array(%w[container_scanning]) expect(build_names).to match_array(%w[container_scanning])
end end
......
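Review bot: The new examples only pin the routing for `CS_MAJOR_VERSION` set to `'4'`; the `context 'by default'` case relies on the template's own default, so nothing asserts that an explicitly configured value inside the `^[0-3]$` range still selects `container_scanning_deprecated` alone. I'd add a context that sets the variable to `'3'` and expects only the deprecated job, so the boundary of the version gate is guarded if the rule regex is changed later. The enclosing `RSpec.describe` block starts and ends outside the hunk.
```ruby
context 'with CS_MAJOR_VERSION set to 3' do
  before do
    create(:ci_variable, project: project, key: 'CS_MAJOR_VERSION', value: '3')
  end

  it 'includes only the deprecated job' do
    expect(build_names).to match_array(%w[container_scanning_deprecated])
  end
end
```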
...@@ -6,14 +6,10 @@ variables: ...@@ -6,14 +6,10 @@ variables:
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers" SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
CS_MAJOR_VERSION: 3 CS_MAJOR_VERSION: 3
container_scanning: .cs_common:
stage: test stage: test
image: "$CS_ANALYZER_IMAGE" image: "$CS_ANALYZER_IMAGE"
variables: variables:
# By default, use the latest clair vulnerabilities database, however, allow it to be overridden here with a specific image
# to enable container scanning to run offline, or to provide a consistent list of vulnerabilities for integration testing purposes
CLAIR_DB_IMAGE_TAG: "latest"
CLAIR_DB_IMAGE: "$SECURE_ANALYZERS_PREFIX/clair-vulnerabilities-db:$CLAIR_DB_IMAGE_TAG"
# Override the GIT_STRATEGY variable in your `.gitlab-ci.yml` file and set it to `fetch` if you want to provide a `clair-whitelist.yml` # Override the GIT_STRATEGY variable in your `.gitlab-ci.yml` file and set it to `fetch` if you want to provide a `clair-whitelist.yml`
# file. See https://docs.gitlab.com/ee/user/application_security/container_scanning/index.html#overriding-the-container-scanning-template # file. See https://docs.gitlab.com/ee/user/application_security/container_scanning/index.html#overriding-the-container-scanning-template
# for details # for details
...@@ -21,19 +17,44 @@ container_scanning: ...@@ -21,19 +17,44 @@ container_scanning:
# CS_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to # CS_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
# override the analyzer image with a custom value. This may be subject to change or # override the analyzer image with a custom value. This may be subject to change or
# breakage across GitLab releases. # breakage across GitLab releases.
CS_ANALYZER_IMAGE: $SECURE_ANALYZERS_PREFIX/klar:$CS_MAJOR_VERSION CS_ANALYZER_IMAGE: $SECURE_ANALYZERS_PREFIX/$CS_PROJECT:$CS_MAJOR_VERSION
allow_failure: true allow_failure: true
artifacts:
reports:
container_scanning: gl-container-scanning-report.json
dependencies: []
container_scanning_deprecated:
extends: .cs_common
variables:
# By default, use the latest clair vulnerabilities database, however, allow it to be overridden here with a specific image
# to enable container scanning to run offline, or to provide a consistent list of vulnerabilities for integration testing purposes
CLAIR_DB_IMAGE_TAG: "latest"
CLAIR_DB_IMAGE: "$SECURE_ANALYZERS_PREFIX/clair-vulnerabilities-db:$CLAIR_DB_IMAGE_TAG"
CS_PROJECT: 'klar'
services: services:
- name: $CLAIR_DB_IMAGE - name: $CLAIR_DB_IMAGE
alias: clair-vulnerabilities-db alias: clair-vulnerabilities-db
script: script:
- /analyzer run - /analyzer run
rules:
- if: $CONTAINER_SCANNING_DISABLED
when: never
- if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bcontainer_scanning\b/ &&
$CS_MAJOR_VERSION =~ /^[0-3]$/
container_scanning:
extends: .cs_common
variables:
CS_PROJECT: 'container-scanning'
script:
- gtcs scan
artifacts: artifacts:
reports: paths: [gl-container-scanning-report.json]
container_scanning: gl-container-scanning-report.json
dependencies: []
rules: rules:
- if: $CONTAINER_SCANNING_DISABLED - if: $CONTAINER_SCANNING_DISABLED
when: never when: never
- if: $CI_COMMIT_BRANCH && - if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bcontainer_scanning\b/ $GITLAB_FEATURES =~ /\bcontainer_scanning\b/ &&
$CS_MAJOR_VERSION !~ /^[0-3]$/
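Review bot: The version gate in the two `rules` blocks (`$CS_MAJOR_VERSION =~ /^[0-3]$/` under `container_scanning_deprecated` and `!~ /^[0-3]$/` under `container_scanning`) matches exactly one character, so a project-level value such as `03`, `3.0` or `10` selects the new `container-scanning` image tagged with that value rather than Klar, and nothing in the template explains the split. I'd add above `container_scanning_deprecated:` the comment `# Klar-based job, kept only for CS_MAJOR_VERSION 0-3; any other value runs the Trivy-based container_scanning job below`. `CS_PROJECT` is spliced into the image reference at `CS_ANALYZER_IMAGE` without the kind of note that `CS_ANALYZER_IMAGE` itself carries; a one-line comment above each `CS_PROJECT:` definition stating it is internal and not meant to be overridden would match the existing style. The new job's `artifacts: paths: [gl-container-scanning-report.json]` presumably merges with the `reports:` entry inherited from `.cs_common` through `extends`; if publishing the raw report as a plain-path artifact is intentional for the new analyzer only, that deserves a comment, since the deprecated job does not do so.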