Commit 588a530b authored by Federico Falconieri's avatar Federico Falconieri

feat: dockerless anchore/grype

parent 026e4f09
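--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,19 @@
+# a vulnerability scanner for container images and filesystems
+# https://github.com/anchore/grype
+
+docker:anchore:grype:
+    image: registry.gitlab.com/notno/grype
+    variables:
+        GRYPE_IMAGE: "$CI_REGISTRY_IMAGE:$CI_COMMIT_BRANCH"
+        GRYPE_SCOPE: "Squashed"
+        GRYPE_OUTPUT_FORMAT: "table"
+        GRYPE_FAIL_ON: "medium"
+    script:
+        - |
+            skopeo copy --src-creds=${CI_REGISTRY_USER}:${CI_REGISTRY_PASSWORD} docker://${CI_REGISTRY_IMAGE}:${CI_COMMIT_BRANCH} oci://${CI_PROJECT_DIR}/${CI_COMMIT_SHORT_SHA}
+            echo "Running grype with following options:"
+            echo "GRYPE_SCOPE=${GRYPE_SCOPE} selection of layers to analyze, options=[Squashed AllLayers] (default 'Squashed')"
+            echo "GRYPE_OUTPUT_FORMAT=${GRYPE_OUTPUT_FORMAT} report output formatter, options=[json table cyclonedx] (default 'table')"
+            echo "GRYPE_FAIL_ON=${GRYPE_FAIL_ON} set the return code to 1 if a vulnerability is found with a severity >= the given severity, options=[negligible low medium high critical]"
+        - grype version
+        - grype --scope ${GRYPE_SCOPE} --fail-on ${GRYPE_FAIL_ON} --output ${GRYPE_OUTPUT_FORMAT} ${CI_PROJECT_DIR}/${CI_COMMIT_SHORT_SHA}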
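Review bot: `GRYPE_IMAGE` is declared under `variables` but never read — the `skopeo copy` line builds its source from `${CI_REGISTRY_IMAGE}:${CI_COMMIT_BRANCH}` directly, so a consuming project that overrides `GRYPE_IMAGE` still scans the default image; replace that reference with `docker://${GRYPE_IMAGE}`. The tag itself is fragile: `$CI_COMMIT_BRANCH` is unset in tag and merge-request pipelines, and a branch name containing `/` is not a valid image tag, which also applies to the `$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME-testing` destination in the kaniko-template hunk below; GitLab's `$CI_COMMIT_REF_SLUG` avoids both. The scanner image `registry.gitlab.com/notno/grype` is pulled without a tag or digest, so the grype version can change between runs with no change in this repository — pin it (tag at minimum, digest preferably), since `grype version` only reports what ran. `--src-creds` also places `CI_REGISTRY_PASSWORD` on the command line, where it is readable from the job container's process list; skopeo's `--src-authfile` keeps it out of argv.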
+46 −44
@@ -8,7 +8,6 @@
    USE_CACHE: "true"
    DOCKERFILE: "Dockerfile"  # Can be a path
    DEV_BUILD: "false"  # set true to tag an image for each commit
    PYTHON_TEST: "false"  # set true if you're running python tests in your image
    LABELS: "--label CI_PROJECT_URL=$CI_PROJECT_URL
             --label CI_COMMIT_SHORT_SHA=$CI_COMMIT_SHORT_SHA
             --label CI_COMMIT_REF_NAME=$CI_COMMIT_REF_NAME"
@@ -42,3 +41,6 @@
        printf "\nRUN python3 -m pip install pytest pytest-cov pylint pylint_junit safety mutmut coverage" >> $CI_PROJECT_DIR/$DOCKERFILE
        /kaniko/executor --cache=$USE_CACHE --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/$DOCKERFILE --destination $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME-testing $EXTRA_ARGS
      fi
  artifacts:
    paths:
      - "${CI_PROJECT_NAME}.tar"
+1 −1
include:
  - local: 'docker/kaniko-template.yml'

kaniko:
docker:kaniko:
  extends: .kaniko-template
+0 −4
@@ -4,7 +4,3 @@ variables:
include:
    - local: 'python/black.yml'
    - local: 'python/pylint.yml'

kaniko:
  variables:
    PYTHON_TEST: "true"
+0 −4
@@ -11,7 +11,3 @@ include:
  - local: 'python/bandit.yml'
  - local: 'python/safety.yml'
  - local: 'python/semantic-release/private.yml'

kaniko:
  variables:
    PYTHON_TEST: "true"