-
Notifications
You must be signed in to change notification settings - Fork 1
/
.gitlab-ci.yml
111 lines (102 loc) · 4.13 KB
/
.gitlab-ci.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
# This file is a template, and might need editing before it works on your project.
# This is a sample GitLab CI/CD configuration file that should run without any modifications.
# It demonstrates a basic 3 stage CI/CD pipeline. Instead of real tests or scripts,
# it uses echo commands to simulate the pipeline execution.
#
# A pipeline is composed of independent jobs that run scripts, grouped into stages.
# Stages run in sequential order, but jobs within stages run in parallel.
#
# For more information, see: https://docs.gitlab.com/ee/ci/yaml/index.html#stages
#
# You can copy and paste this template into a new `.gitlab-ci.yml` file.
# You should not add this template to an existing `.gitlab-ci.yml` file by using the `include:` keyword.
#
# To contribute improvements to CI/CD templates, please follow the Development guide at:
# https://docs.gitlab.com/ee/development/cicd/templates.html
# This specific template is located at:
# https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Getting-Started.gitlab-ci.yml
stages:
- build
- test
- scan
- pages
- integration
integration-job:
stage: integration
script:
- git fetch origin pull/${CI_MERGE_REQUEST_IID}/head:pr-${CI_MERGE_REQUEST_IID}
- git checkout pr-${CI_MERGE_REQUEST_IID}
- echo "Exécution des tests..."
rules:
- if: $GITHUB_ACCESS == "$GITHUB_ACCESS_VALUE"
include:
- template: Jobs/Container-Scanning.gitlab-ci.yml
- template: Security/Container-Scanning.gitlab-ci.yml
container_scanning:
stage: test
variables:
CS_IMAGE: $DOCKER_REGISTRY/opensilex/opensilex-docker-compose:latest
artifacts:
reports:
container_scanning: gl-container-scanning-report.json
# create an docker image
build:image:
image: docker:26.0.2-dind
stage: build
services:
- docker:dind
before_script:
- export IMAGE_TAG=${IMAGE_TAG:latest}
- apk add --no-cache docker-compose
- docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
script:
- if [ -z "$IMAGE_TAG" ]; then echo "Missing IMAGE_TAG variable latest tag will be used"; IMAGE_TAG=latest ; fi
- docker info
- ls
- docker compose --env-file opensilex.env build --build-arg UID=999 --build-arg GID=999 opensilex
- docker tag docker.io/library/opensilex-stack-opensilex $DOCKER_REGISTRY/opensilex/opensilex-docker-compose:$IMAGE_TAG
- docker push $DOCKER_REGISTRY/opensilex/opensilex-docker-compose:$IMAGE_TAG
when: manual
pages:
stage: pages
image: docker:26.0.2-dind
services:
- docker:dind
variables:
# XDG_DATA_HOME: ${CI_PROJECT_DIR}
IMAGE: $DOCKER_REGISTRY/opensilex/opensilex-docker-compose:$IMAGE_TAG
# https://github.com/fatihtokus/scan2html/issues/32#top for alpine
before_script:
# retreive trivy
- export TRIVY_VERSION=$(wget -qO - "https://api.github.com/repos/aquasecurity/trivy/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
- echo $TRIVY_VERSION
# connect to forgemia docker registry
- docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
# install requirements for trivy
- apk update
- apk upgrade
- apk add bash
- apk add curl
- apk --no-cache add ca-certificates git
- curl -s -L -o - https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz | tar -xz
allow_failure: true
script:
# pull docker registry image
- if [ -z "$IMAGE_TAG" ]; then echo "Missing IMAGE_TAG variable latest tag will be used"; IMAGE_TAG=latest ; fi
- docker image pull $DOCKER_REGISTRY/opensilex/opensilex-docker-compose:$IMAGE_TAG
- mkdir -p ${CI_PROJECT_DIR}/public && mkdir -p public
# install plugin to create html
- ./trivy plugin install github.com/fatihtokus/scan2html
# test install
- ./trivy plugin list
## run plugin with timeout
- ./trivy --cache-dir .trivycache/ --timeout 45m scan2html image ${IMAGE} index.html
- cp index.html ${CI_PROJECT_DIR}/public
- cp index.html public
artifacts:
paths:
- public
cache: # Cache libraries in between jobs
key: $CI_COMMIT_REF_SLUG
paths:
- .trivycache/