forked from MaibornWolff/dd-import
-
Notifications
You must be signed in to change notification settings - Fork 0
/
.gitlab-ci.yml
140 lines (129 loc) · 3.16 KB
/
.gitlab-ci.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
variables:
DOCKER_ARTIFACT_URL: "maibornwolff/dd-import:latest"
DD_PRODUCT_TYPE_NAME: "Research and Development"
DD_PRODUCT_NAME: "DefectDojo Importer"
DD_ENGAGEMENT_NAME: "GitLab"
# include:
# - template: Security/SAST.gitlab-ci.yml
# bandit-sast:
# artifacts:
# paths:
# - gl-sast-report.json
# when: always
# expire_in: 1 day
stages:
- test
- upload
trivy:
stage: test
tags:
- build
variables:
GIT_STRATEGY: none
before_script:
- export TRIVY_VERSION=$(wget -qO - "https://api.github.com/repos/aquasecurity/trivy/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
- echo $TRIVY_VERSION
- wget --no-verbose https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz -O - | tar -zxvf -
allow_failure: true
script:
- ./trivy image --no-progress -f json -o trivy.json "$DOCKER_ARTIFACT_URL"
artifacts:
paths:
- trivy.json
when: always
expire_in: 1 day
dockle:
stage: test
tags:
- build
variables:
GIT_STRATEGY: none
before_script:
- apk -Uuv add bash git curl tar sed grep
- |
VERSION=$(
curl --silent "https://api.github.com/repos/goodwithtech/dockle/releases/latest" | \
grep '"tag_name":' | \
sed -E 's/.*"v([^"]+)".*/\1/' \
) && curl -L -o dockle.tar.gz https://github.com/goodwithtech/dockle/releases/download/v${VERSION}/dockle_${VERSION}_Linux-64bit.tar.gz && \
tar zxvf dockle.tar.gz
allow_failure: true
script:
- ./dockle -f json -o dockle.json --exit-code 0 "$DOCKER_ARTIFACT_URL"
artifacts:
paths:
- dockle.json
when: always
expire_in: 1 day
cloc:
stage: test
image: node:16
tags:
- build
before_script:
- npm install -g cloc
script:
- cloc . --json -out cloc.json
artifacts:
paths:
- cloc.json
when: always
expire_in: 1 day
# upload_bandit:
# stage: upload
# image: ${DOCKER_ARTIFACT_URL}
# needs:
# - job: bandit-sast
# artifacts: true
# variables:
# GIT_STRATEGY: none
# DD_TEST_NAME: "Bandit"
# DD_TEST_TYPE_NAME: "GitLab SAST Report"
# DD_FILE_NAME: "gl-sast-report.json"
# script:
# - dd-reimport-findings.sh
upload_trivy:
stage: upload
image: ${DOCKER_ARTIFACT_URL}
needs:
- job: trivy
artifacts: true
variables:
GIT_STRATEGY: none
DD_TEST_NAME: "Trivy"
DD_TEST_TYPE_NAME: "Trivy Scan"
DD_FILE_NAME: "trivy.json"
script:
- dd-reimport-findings.sh
upload-dockle:
stage: upload
image: ${DOCKER_ARTIFACT_URL}
needs:
- job: dockle
artifacts: true
tags:
- build
variables:
GIT_STRATEGY: none
DD_TEST_NAME: "Dockle"
DD_TEST_TYPE_NAME: "Dockle Scan"
DD_FILE_NAME: "dockle.json"
DD_SERVICE: "dd-import"
DD_BUILD_ID: "$CI_PIPELINE_ID"
DD_COMMIT_HASH: "$CI_COMMIT_SHA"
DD_BRANCH_TAG: "$CI_COMMIT_REF_NAME"
script:
- dd-reimport-findings.sh
upload-cloc:
stage: upload
image: ${DOCKER_ARTIFACT_URL}
needs:
- job: cloc
artifacts: true
tags:
- build
variables:
GIT_STRATEGY: none
DD_FILE_NAME: "cloc.json"
script:
- dd-import-languages.sh