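---
# You can override the included template(s) by including variable overrides
# See https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
# Note that environment variables can be set in several places
# See https://docs.gitlab.com/ee/ci/variables/#priority-of-environment-variables

stages:
  - test
  - build
  - push_local
  - release
  - push_dockerhub

# Shared Docker-in-Docker setup for every job that talks to a Docker daemon.
# Jobs inherit it via `extends`; a job that declares its own before_script
# replaces this one entirely (see `trivy`).
.docker_base:
  image: docker:20.10.18-dind-rootless
  services:
    - name: docker:20.10.18-dind-rootless
      # TLS between the job and the daemon is switched off here and via
      # DOCKER_TLS_CERTDIR below. That relies on port 2375 being reachable
      # only from inside the job; do not expose it any further.
      command: ["--tls=false"]
  variables:
    DOCKER_DRIVER: overlay2
    # 127.0.0.1 assumes the service shares the job's network namespace
    # (e.g. Kubernetes executor); on the Docker executor the service is
    # normally addressed by its hostname instead — confirm for the runner in use.
    DOCKER_HOST: tcp://127.0.0.1:2375/
    DOCKER_TLS_CERTDIR: ""
    IMAGE_TAG: "$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG"
    # Quoted: CI variable values are strings, not integers.
    FF_GITLAB_REGISTRY_HELPER_IMAGE: "1"
  before_script:
    - docker version
    - docker info
    # Pass the password on stdin rather than with `-p`: a command-line argument
    # is visible in the process list and in any shell trace, and docker itself
    # warns about it. printf (not echo) keeps the secret byte-for-byte.
    - printf '%s' "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"

build:
  extends:
    - .docker_base
  stage: build
  script:
    # Best-effort cache warm-up; a missing :latest is not an error.
    - docker pull $CI_REGISTRY_IMAGE:latest || true
    - >
      docker build
      --pull
      --cache-from $CI_REGISTRY_IMAGE:latest
      --tag $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
      --build-arg BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')
      --build-arg VCS_REF=$CI_COMMIT_SHORT_SHA
      ./Docker/
    # Every build is pushed under its commit SHA; promotion to :latest happens
    # in `push local`, and only for master.
    - docker push $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA

push local:
  extends:
    - .docker_base
  stage: push_local
  variables:
    # No checkout needed: the job only re-tags an already pushed image.
    GIT_STRATEGY: none
  only:
    - master
  script:
    - docker pull $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
    - docker tag $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA $CI_REGISTRY_IMAGE:latest
    - docker push $CI_REGISTRY_IMAGE:latest

push dockerhub:
  extends:
    - .docker_base
  stage: push_dockerhub
  variables:
    GIT_STRATEGY: none
    CI_DOCKERHUB_IMAGE: index.docker.io/evanrich/py-eagle-mqtt
    CI_DOCKERHUB_REGISTRY: docker.io
  only:
    - tags
  script:
    - docker pull $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
    - docker tag $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA $CI_DOCKERHUB_IMAGE:$CI_COMMIT_REF_NAME
    - docker tag $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA $CI_DOCKERHUB_IMAGE:latest
    # Same stdin login as in .docker_base, for the Docker Hub credentials.
    - printf '%s' "$CI_DOCKERHUB_PASSWORD" | docker login -u "$CI_DOCKERHUB_USER" --password-stdin "$CI_DOCKERHUB_REGISTRY"
    # --all-tags pushes every local tag of this image, i.e. both the
    # $CI_COMMIT_REF_NAME tag and :latest set above.
    - docker push $CI_DOCKERHUB_IMAGE --all-tags

release:
  image: node:19-alpine3.15
  stage: release
  only:
    refs:
      - master
      - alpha
      # This matches maintenance branches
      - /^(([0-9]+)\.)?([0-9]+)\.x/
      # This matches pre-releases
      - /^([0-9]+)\.([0-9]+)\.([0-9]+)(?:-([0-9A-Za-z-]+(?:\.[0-9A-Za-z-]+)*))?(?:\+[0-9A-Za-z-]+)?$/
  except:
    refs:
      - tags
  script:
    - touch CHANGELOG.md
    - apk add --no-cache git
    # The plugins are pinned; semantic-release itself is not, so whichever
    # version npm/npx resolves is what runs — consider pinning it here too.
    - npm install @semantic-release/gitlab@7.0.4 @semantic-release/changelog@6.0.1 @semantic-release/git@10.0.1 conventional-changelog-eslint@3.0.9
    - npx semantic-release
  artifacts:
    paths:
      - CHANGELOG.md

sast:
  stage: test

include:
  - template: Security/SAST.gitlab-ci.yml

sonarqube-check:
  stage: test
  image:
    name: sonarsource/sonar-scanner-cli:4.7
    entrypoint: [""]
  variables:
    SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar"  # Defines the location of the analysis task cache
    GIT_DEPTH: "0"  # Tells git to fetch all the branches of the project, required by the analysis task
  cache:
    key: "${CI_JOB_NAME}"
    paths:
      - .sonar/cache
  script:
    - sonar-scanner
  allow_failure: true
  only:
    - master  # or the name of your main branch
    - branches

trivy:
  stage: test
  extends:
    - .docker_base
  # This before_script replaces the one from .docker_base, so no registry
  # login runs here; the build and scan below are local, so presumably none
  # is needed — confirm if the Dockerfile pulls from a private registry.
  before_script:
    # Supply-chain caveat: this resolves "latest" through the GitHub API and
    # pipes an unverified tarball straight into tar. Prefer pinning
    # TRIVY_VERSION and checking the download against the checksum published
    # with that release before extracting it.
    - export TRIVY_VERSION=$(wget -qO - "https://api.github.com/repos/aquasecurity/trivy/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
    - echo $TRIVY_VERSION
    - wget --no-verbose https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz -O - | tar -zxvf -
  # NOTE: with allow_failure the CRITICAL gate below (--exit-code 1) marks this
  # job failed but does not block the pipeline; remove it to make it blocking.
  allow_failure: true
  script:
    # Build image
    - docker build -t $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA ./Docker/
    # Build report (--exit-code 0: never fails, only produces the JSON)
    - ./trivy --cache-dir .trivycache/ image --exit-code 0 --no-progress --format template --template "@contrib/gitlab.tpl" -o gl-container-scanning-report.json $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
    # Print report
    - ./trivy --cache-dir .trivycache/ image --exit-code 0 --no-progress --severity HIGH $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
    # Fail on severe vulnerabilities
    - ./trivy --cache-dir .trivycache/ image --exit-code 1 --severity CRITICAL --no-progress $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
  cache:
    paths:
      - .trivycache/
  # Enables https://docs.gitlab.com/ee/user/application_security/container_scanning/ (Container Scanning report is available on GitLab EE Ultimate or GitLab.com Gold)
  artifacts:
    reports:
      container_scanning: gl-container-scanning-report.json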