Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
5ad7ac34
Commit
5ad7ac34
authored
May 24, 2018
by
Olivier Gonzalez
Committed by
Achilleas Pipinellis
May 24, 2018
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Rename container scanning job and artifact
parent
bbeeb182
Changes
2
Show whitespace changes
Inline
Side-by-side
Showing
2 changed files
with
19 additions
and
12 deletions
+19
-12
doc/ci/examples/container_scanning.md
doc/ci/examples/container_scanning.md
+14
-7
vendor/gitlab-ci-yml/Auto-DevOps.gitlab-ci.yml
vendor/gitlab-ci-yml/Auto-DevOps.gitlab-ci.yml
+5
-5
No files found.
doc/ci/examples/container_scanning.md
View file @
5ad7ac34
...
...
@@ -7,10 +7,10 @@ for Vulnerability Static Analysis for containers.
All you need is a GitLab Runner with the Docker executor (the shared Runners on
GitLab.com will work fine). You can then add a new job to
`.gitlab-ci.yml`
,
called
`
sast:container
`
:
called
`
container_scanning
`
:
```
yaml
sast:container
:
container_scanning
:
image
:
docker:stable
variables
:
DOCKER_DRIVER
:
overlay2
...
...
@@ -34,12 +34,12 @@ sast:container:
-
retries=0
-
echo "Waiting for clair daemon to start"
-
while( ! wget -T 10 -q -O /dev/null http://docker:6060/v1/namespaces ) ; do sleep 1 ; echo -n "." ; if [ $retries -eq 10 ] ; then echo " Timeout, aborting." ; exit 1 ; fi ; retries=$(($retries+1)) ; done
-
./clair-scanner -c http://docker:6060 --ip $(hostname -i) -r gl-
sast-container
-report.json -l clair.log -w clair-whitelist.yml ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG} ||
true
-
./clair-scanner -c http://docker:6060 --ip $(hostname -i) -r gl-
container-scanning
-report.json -l clair.log -w clair-whitelist.yml ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG} ||
true
artifacts
:
paths
:
[
gl-
sast-container
-report.json
]
paths
:
[
gl-
container-scanning
-report.json
]
```
The above example will create a
`
sast:container
`
job in your CI/CD pipeline, pull
The above example will create a
`
container_scanning
`
job in your CI/CD pipeline, pull
the image from the
[
Container Registry
](
../../user/project/container_registry.md
)
(whose name is defined from the two
`CI_APPLICATION_`
variables) and scan it
for possible vulnerabilities. The report will be saved as an artifact that you
...
...
@@ -52,8 +52,15 @@ in our case its named `clair-whitelist.yml`.
TIP:
**Tip:**
Starting with
[
GitLab Ultimate
][
ee
]
10.4, this information will
be automatically extracted and shown right in the merge request widget. To do
so, the CI/CD job must be named
`
sast:container
`
and the artifact path must be
`gl-
sast-container
-report.json`
.
so, the CI/CD job must be named
`
container_scanning
`
and the artifact path must be
`gl-
container-scanning
-report.json`
.
[
Learn more on container scanning results shown in merge requests
](
https://docs.gitlab.com/ee/user/project/merge_requests/container_scanning.html
)
.
CAUTION:
**Caution:**
Container Scanning was previously using
`sast:container`
for job name and
`gl-sast-container-report.json`
for the artifact name. While these old names
are still maintained they have been deprecated with GitLab 11.0 and may be removed
in next major release, GitLab 12.0. You are advised to update your current
`.gitlab-ci.yml`
configuration to reflect that change.
[
ee
]:
https://about.gitlab.com/products/
vendor/gitlab-ci-yml/Auto-DevOps.gitlab-ci.yml
View file @
5ad7ac34
...
...
@@ -136,7 +136,7 @@ dependency_scanning:
artifacts
:
paths
:
[
gl-dependency-scanning-report.json
]
sast:container
:
container_scanning
:
image
:
docker:stable
variables
:
DOCKER_DRIVER
:
overlay2
...
...
@@ -145,9 +145,9 @@ sast:container:
-
docker:stable-dind
script
:
-
setup_docker
-
sast_container
-
container_scanning
artifacts
:
paths
:
[
gl-
sast-container
-report.json
]
paths
:
[
gl-
container-scanning
-report.json
]
dast
:
stage
:
dast
...
...
@@ -388,7 +388,7 @@ rollout 100%:
# Extract "MAJOR.MINOR" from CI_SERVER_VERSION and generate "MAJOR-MINOR-stable" for Security Products
export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
function
sast_container
() {
function
container_scanning
() {
if [[ -n "$CI_REGISTRY_USER" ]]; then
echo "Logging to GitLab Container Registry with CI credentials..."
docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
...
...
@@ -406,7 +406,7 @@ rollout 100%:
retries=0
echo "Waiting for clair daemon to start"
while( ! wget -T 10 -q -O /dev/null http://docker:6060/v1/namespaces ) ; do sleep 1 ; echo -n "." ; if [ $retries -eq 10 ] ; then echo " Timeout, aborting." ; exit 1 ; fi ; retries=$(($retries+1)) ; done
./clair-scanner -c http://docker:6060 --ip $(hostname -i) -r gl-
sast-container
-report.json -l clair.log -w clair-whitelist.yml ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG} || true
./clair-scanner -c http://docker:6060 --ip $(hostname -i) -r gl-
container-scanning
-report.json -l clair.log -w clair-whitelist.yml ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG} || true
}
function codeclimate() {
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment