Commit bc791412 authored by Achilleas Pipinellis's avatar Achilleas Pipinellis

Merge branch '5778_rename_container_scanning_job_and_artifact' into 'master'

Rename container scanning job and artifact

See merge request gitlab-org/gitlab-ce!19045
parents bbeeb182 5ad7ac34
...@@ -7,10 +7,10 @@ for Vulnerability Static Analysis for containers. ...@@ -7,10 +7,10 @@ for Vulnerability Static Analysis for containers.
All you need is a GitLab Runner with the Docker executor (the shared Runners on All you need is a GitLab Runner with the Docker executor (the shared Runners on
GitLab.com will work fine). You can then add a new job to `.gitlab-ci.yml`, GitLab.com will work fine). You can then add a new job to `.gitlab-ci.yml`,
called `sast:container`: called `container_scanning`:
```yaml ```yaml
sast:container: container_scanning:
image: docker:stable image: docker:stable
variables: variables:
DOCKER_DRIVER: overlay2 DOCKER_DRIVER: overlay2
...@@ -34,12 +34,12 @@ sast:container: ...@@ -34,12 +34,12 @@ sast:container:
- retries=0 - retries=0
- echo "Waiting for clair daemon to start" - echo "Waiting for clair daemon to start"
- while( ! wget -T 10 -q -O /dev/null http://docker:6060/v1/namespaces ) ; do sleep 1 ; echo -n "." ; if [ $retries -eq 10 ] ; then echo " Timeout, aborting." ; exit 1 ; fi ; retries=$(($retries+1)) ; done - while( ! wget -T 10 -q -O /dev/null http://docker:6060/v1/namespaces ) ; do sleep 1 ; echo -n "." ; if [ $retries -eq 10 ] ; then echo " Timeout, aborting." ; exit 1 ; fi ; retries=$(($retries+1)) ; done
- ./clair-scanner -c http://docker:6060 --ip $(hostname -i) -r gl-sast-container-report.json -l clair.log -w clair-whitelist.yml ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG} || true - ./clair-scanner -c http://docker:6060 --ip $(hostname -i) -r gl-container-scanning-report.json -l clair.log -w clair-whitelist.yml ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG} || true
artifacts: artifacts:
paths: [gl-sast-container-report.json] paths: [gl-container-scanning-report.json]
``` ```
The above example will create a `sast:container` job in your CI/CD pipeline, pull The above example will create a `container_scanning` job in your CI/CD pipeline, pull
the image from the [Container Registry](../../user/project/container_registry.md) the image from the [Container Registry](../../user/project/container_registry.md)
(whose name is defined from the two `CI_APPLICATION_` variables) and scan it (whose name is defined from the two `CI_APPLICATION_` variables) and scan it
for possible vulnerabilities. The report will be saved as an artifact that you for possible vulnerabilities. The report will be saved as an artifact that you
...@@ -52,8 +52,15 @@ in our case its named `clair-whitelist.yml`. ...@@ -52,8 +52,15 @@ in our case its named `clair-whitelist.yml`.
TIP: **Tip:** TIP: **Tip:**
Starting with [GitLab Ultimate][ee] 10.4, this information will Starting with [GitLab Ultimate][ee] 10.4, this information will
be automatically extracted and shown right in the merge request widget. To do be automatically extracted and shown right in the merge request widget. To do
so, the CI/CD job must be named `sast:container` and the artifact path must be so, the CI/CD job must be named `container_scanning` and the artifact path must be
`gl-sast-container-report.json`. `gl-container-scanning-report.json`.
[Learn more on container scanning results shown in merge requests](https://docs.gitlab.com/ee/user/project/merge_requests/container_scanning.html). [Learn more on container scanning results shown in merge requests](https://docs.gitlab.com/ee/user/project/merge_requests/container_scanning.html).
CAUTION: **Caution:**
Container Scanning was previously using `sast:container` for job name and
`gl-sast-container-report.json` for the artifact name. While these old names
are still maintained they have been deprecated with GitLab 11.0 and may be removed
in next major release, GitLab 12.0. You are advised to update your current `.gitlab-ci.yml`
configuration to reflect that change.
[ee]: https://about.gitlab.com/products/ [ee]: https://about.gitlab.com/products/
...@@ -136,7 +136,7 @@ dependency_scanning: ...@@ -136,7 +136,7 @@ dependency_scanning:
artifacts: artifacts:
paths: [gl-dependency-scanning-report.json] paths: [gl-dependency-scanning-report.json]
sast:container: container_scanning:
image: docker:stable image: docker:stable
variables: variables:
DOCKER_DRIVER: overlay2 DOCKER_DRIVER: overlay2
...@@ -145,9 +145,9 @@ sast:container: ...@@ -145,9 +145,9 @@ sast:container:
- docker:stable-dind - docker:stable-dind
script: script:
- setup_docker - setup_docker
- sast_container - container_scanning
artifacts: artifacts:
paths: [gl-sast-container-report.json] paths: [gl-container-scanning-report.json]
dast: dast:
stage: dast stage: dast
...@@ -388,7 +388,7 @@ rollout 100%: ...@@ -388,7 +388,7 @@ rollout 100%:
# Extract "MAJOR.MINOR" from CI_SERVER_VERSION and generate "MAJOR-MINOR-stable" for Security Products # Extract "MAJOR.MINOR" from CI_SERVER_VERSION and generate "MAJOR-MINOR-stable" for Security Products
export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/') export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
function sast_container() { function container_scanning() {
if [[ -n "$CI_REGISTRY_USER" ]]; then if [[ -n "$CI_REGISTRY_USER" ]]; then
echo "Logging to GitLab Container Registry with CI credentials..." echo "Logging to GitLab Container Registry with CI credentials..."
docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY" docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
...@@ -406,7 +406,7 @@ rollout 100%: ...@@ -406,7 +406,7 @@ rollout 100%:
retries=0 retries=0
echo "Waiting for clair daemon to start" echo "Waiting for clair daemon to start"
while( ! wget -T 10 -q -O /dev/null http://docker:6060/v1/namespaces ) ; do sleep 1 ; echo -n "." ; if [ $retries -eq 10 ] ; then echo " Timeout, aborting." ; exit 1 ; fi ; retries=$(($retries+1)) ; done while( ! wget -T 10 -q -O /dev/null http://docker:6060/v1/namespaces ) ; do sleep 1 ; echo -n "." ; if [ $retries -eq 10 ] ; then echo " Timeout, aborting." ; exit 1 ; fi ; retries=$(($retries+1)) ; done
./clair-scanner -c http://docker:6060 --ip $(hostname -i) -r gl-sast-container-report.json -l clair.log -w clair-whitelist.yml ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG} || true ./clair-scanner -c http://docker:6060 --ip $(hostname -i) -r gl-container-scanning-report.json -l clair.log -w clair-whitelist.yml ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG} || true
} }
function codeclimate() { function codeclimate() {
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment