# Pipeline stages in execution order; every job below is attached to one of them.
stages:
  - sast          # bandit over the Python source
  - sca           # pyraider over requirements.txt
  - secrets       # gitleaks over the repository
  - build         # build and push the application image
  - container     # hadolint on the Dockerfile, trivy on the pushed image
  - custom_dast   # run the pushed image and scan it with ZAP
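# Static analysis of the Python application with bandit.
# bandit runs directly in the job container, so the docker-in-docker service the
# job previously declared was never used and has been dropped (one privileged
# service container less).
sast_scan:
  # NOTE(review): docker:stable is a moving, no-longer-maintained tag — confirm a
  # pinned image is not preferred here.
  image: docker:stable
  stage: sast
  # Findings are informational: the job may fail without blocking the pipeline.
  allow_failure: true
  script:
    - apk add py-pip
    - pip install bandit
    # --exit-zero makes bandit succeed regardless of findings; the JSON report
    # is the deliverable.
    - bandit -r -f json -o bandit_result.json --exit-zero app/
  artifacts:
    # Keep the report even if a later step of the job fails.
    when: always
    paths:
      - bandit_result.json
    expire_in: 1 week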
# Software-composition analysis: pyraider checks the pinned requirements for
# known vulnerable releases and writes a JSON report.
pyraider_dependency_scanning:
  # python:3.7 is past its upstream end of life; a supported tag is worth considering.
  image: python:3.7-alpine
  stage: sca
  script:
    - pip install pyraider
    - pyraider check -f app/requirements.txt -e json pyraider.json
  artifacts:
    paths:
      - pyraider.json
    expire_in: 1 week
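# Committed-secret scanning with gitleaks.
gitleaks:
  image: docker:stable
  stage: secrets
  # Leaks are reported as a job warning; they do not block the pipeline.
  allow_failure: true
  variables:
    DOCKER_DRIVER: overlay2
    # gitleaks walks the git history, so use a full clone instead of the
    # runner's default shallow clone; otherwise older commits are never scanned.
    GIT_DEPTH: "0"
  services:
    - docker:dind
  script:
    # The workspace is mounted into the scanner container; the report is written
    # back into it so it can be collected as an artifact. The former `|| true`
    # was removed: it also hid real tool errors (e.g. a failed image pull), and
    # allow_failure already keeps the pipeline green.
    - docker run --rm --name=gitleaks -v "$PWD:/code" zricethezav/gitleaks detect --source /code --report-path /code/gitleaks.json
  artifacts:
    # Upload the report even when gitleaks exits non-zero because it found leaks
    # (artifacts are only uploaded on success by default).
    when: always
    paths:
      - gitleaks.json
    expire_in: 1 week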
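# Build the application image and push it to the project registry, tagged with
# the commit SHA. NOTE(review): this job is defined a second time further down
# the file; YAML parsers silently keep the last definition, so keep both in
# sync or remove the duplicate.
build:
  # docker:latest is an unpinned tag; the build environment changes under you.
  image: docker:latest
  stage: build
  services:
    - docker:dind
  before_script:
    # Feed the password over stdin so it never appears in the process list or
    # in a shell trace of the job log.
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
  script:
    - echo "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
    # --pull refreshes the base image instead of building on a stale cached one.
    - docker build --pull -t "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA" .
    - docker push "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"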
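# Lint the Dockerfile with hadolint.
dockerfile_scan:
  image: docker:stable
  stage: container
  variables:
    DOCKER_DRIVER: overlay2
  # hadolint exits non-zero on findings; report them without blocking the pipeline.
  allow_failure: true
  services:
    - docker:dind
  # No registry login here: hadolint/hadolint is a public image and this job
  # touches nothing in the project registry, so the credentials are not needed.
  script:
    # hadolint reads the Dockerfile from stdin, so the container must be started
    # with -i; without it stdin is not attached and the lint run sees empty input.
    - docker run --rm -i hadolint/hadolint < Dockerfile > hadolint-results.txt
  artifacts:
    # Upload the results even when hadolint's non-zero exit fails the job.
    when: always
    paths:
      - hadolint-results.txt
    expire_in: 1 week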
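# Vulnerability scan of the image pushed by the build job, using a trivy binary
# downloaded from the trivy GitHub releases.
trivy_scan:
  image:
    name: docker:stable
  stage: container
  services:
    - docker:dind
  variables:
    # Registry credentials handed to trivy for any registry access it does itself.
    TRIVY_AUTH_URL: $CI_REGISTRY
    TRIVY_USERNAME: $CI_REGISTRY_USER
    TRIVY_PASSWORD: $CI_REGISTRY_PASSWORD
    # Scanner release to install, without the leading "v" (e.g. "0.50.0").
    # Left empty, the latest GitHub release is resolved at run time as before;
    # pinning it makes the job reproducible and avoids the unauthenticated
    # GitHub API rate limit. Deliberately not prefixed TRIVY_, so trivy does
    # not read it as one of its own flags.
    SCANNER_VERSION: ""
  before_script:
    # Password over stdin so it never appears in the process list or a shell trace.
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
    - docker pull "${CI_REGISTRY_IMAGE}:${CI_COMMIT_SHA}"
    - apk add -U wget ca-certificates tar curl git
    - |
      if [ -n "$SCANNER_VERSION" ]; then
        VERSION="$SCANNER_VERSION"
      else
        VERSION=$(curl --silent "https://api.github.com/repos/aquasecurity/trivy/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
      fi
      export VERSION
      echo "Installing trivy ${VERSION}"
    - wget "https://github.com/aquasecurity/trivy/releases/download/v${VERSION}/trivy_${VERSION}_Linux-64bit.tar.gz"
    # Verify the archive against the checksum file published with the same
    # release. This catches a truncated or altered-in-transit download; it is
    # not a substitute for pinning a version you have reviewed.
    - wget "https://github.com/aquasecurity/trivy/releases/download/v${VERSION}/trivy_${VERSION}_checksums.txt"
    - grep "trivy_${VERSION}_Linux-64bit.tar.gz" "trivy_${VERSION}_checksums.txt" | sha256sum -c -
    - tar zxvf "trivy_${VERSION}_Linux-64bit.tar.gz"
  script:
    # --exit-code 0 keeps the job green whatever is found; the JSON report is the output.
    - ./trivy image --exit-code 0 -o trivy_result.json -f json "${CI_REGISTRY_IMAGE}:${CI_COMMIT_SHA}"
  artifacts:
    when: always
    paths:
      - trivy_result.json
    expire_in: 1 week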
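# Build the application image and push it to the project registry, tagged with
# the commit SHA. NOTE(review): this is a second definition of the `build` job
# already declared earlier in the file; YAML parsers silently keep the last
# one, so this is the definition that actually runs. Remove one of the two.
build:
  # docker:latest is an unpinned tag; the build environment changes under you.
  image: docker:latest
  stage: build
  services:
    - docker:dind
  before_script:
    # Feed the password over stdin so it never appears in the process list or
    # in a shell trace of the job log.
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
  script:
    - echo "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
    # --pull refreshes the base image instead of building on a stale cached one.
    - docker build --pull -t "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA" .
    - docker push "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"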
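# Dynamic scan: start the pushed image inside the dind service, start a ZAP
# daemon in the job container, then drive the scan from tests/e2e_zap.py.
owasp_zap:
  image:
    name: docker:stable
  stage: custom_dast
  variables:
    DOCKER_DRIVER: overlay2
    # Previously these were appended to ~/.bashrc, which the job's sh shell
    # never sources, so they never reached the test script. Presumably consumed
    # by tests/e2e_zap.py — confirm the relative path is right once it has
    # cd'ed into ./tests/.
    PATH_ZAP_SH: ./zap/ZAP_2.15.0/zap.sh
    ZAP_PORT: "8090"
  services:
    - docker:dind
  before_script:
    - apk add curl python3 py3-pip openjdk11 bash jq
    - pip3 install --upgrade --ignore-installed six==1.16.0
    - pip3 install requests==2.31.0 zaproxy python-owasp-zap-v2.4
    # ZAP and the export-report add-on are fetched pinned by version but without
    # an integrity check; consider verifying them against a recorded checksum.
    - mkdir -p ./zap && cd ./zap
    - wget https://github.com/zaproxy/zaproxy/releases/download/v2.15.0/ZAP_2.15.0_Linux.tar.gz
    - tar -zxvf ZAP_2.15.0_Linux.tar.gz && rm ZAP_2.15.0_Linux.tar.gz
    - cd ZAP_2.15.0/plugin && wget https://github.com/zaproxy/zap-extensions/releases/download/exportreport-v6/exportreport-alpha-6.zap && cd "$CI_PROJECT_DIR"
    - echo "Running Target Application"
    # Password over stdin so it never appears in the process list or a shell trace.
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
    - docker pull "${CI_REGISTRY_IMAGE}:${CI_COMMIT_SHA}"
    # The target runs inside the dind service, so it is reachable as docker:5050.
    - docker run -d -p 5050:5050 --name vul_flask --restart on-failure "${CI_REGISTRY_IMAGE}:${CI_COMMIT_SHA}"
    - sleep 10
    - docker ps
    - curl -XGET -i http://docker:5050 || true
    # The API key is disabled and any client address is accepted; that is only
    # tolerable because the daemon lives in this throw-away job container and
    # is used solely by the script below.
    - ./zap/ZAP_2.15.0/zap.sh -daemon -host 0.0.0.0 -port 8090 -config api.addrs.addr.name=".*" -config api.addrs.addr.regex=true -config api.disablekey=true > /dev/null &
    - |
      # Poll the ZAP API instead of sleeping a fixed 120 s; give up after the
      # same 120 s so a daemon that never comes up is still reported below.
      for _ in $(seq 1 60); do
        if curl -sf http://localhost:8090/JSON/core/view/version/ > /dev/null; then
          break
        fi
        sleep 2
      done
    - curl -X GET http://localhost:8090/JSON/core/view/urls/ | jq
  script:
    - cd ./tests/
    - python3 e2e_zap.py
  artifacts:
    # Keep whatever report was produced even if the scan script fails.
    when: always
    paths:
      - ./tests/zap-report.json
    expire_in: 1 week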