Loading docker/anchore/grype.yml 0 → 100644 +19 −0 Original line number Diff line number Diff line # a vulnerability scanner for container images and filesystems # https://github.com/anchore/grype docker:anchore:grype: image: registry.gitlab.com/notno/grype variables: GRYPE_IMAGE: "$CI_REGISTRY_IMAGE:$CI_COMMIT_BRANCH" GRYPE_SCOPE: "Squashed" GRYPE_OUTPUT_FORMAT: "table" GRYPE_FAIL_ON: "medium" script: - | skopeo copy --src-creds=${CI_REGISTRY_USER}:${CI_REGISTRY_PASSWORD} docker://${CI_REGISTRY_IMAGE}:${CI_COMMIT_BRANCH} oci://${CI_PROJECT_DIR}/${CI_COMMIT_SHORT_SHA} echo "Running grype with following options:" echo "GRYPE_SCOPE=${GRYPE_SCOPE} selection of layers to analyze, options=[Squashed AllLayers] (default 'Squashed')" echo "GRYPE_OUTPUT_FORMAT=${GRYPE_OUTPUT_FORMAT} report output formatter, options=[json table cyclonedx] (default 'table')" echo "GRYPE_FAIL_ON=${GRYPE_FAIL_ON} set the return code to 1 if a vulnerability is found with a severity >= the given severity, options=[negligible low medium high critical]" - grype version - grype --scope ${GRYPE_SCOPE} --fail-on ${GRYPE_FAIL_ON} --output ${GRYPE_OUTPUT_FORMAT} ${CI_PROJECT_DIR}/${CI_COMMIT_SHORT_SHA} docker/kaniko-template.yml +46 −44 Original line number Diff line number Diff line Loading @@ -8,7 +8,6 @@ USE_CACHE: "true" DOCKERFILE: "Dockerfile" # Can be a path DEV_BUILD: "false" # set true to tag an image for each commit PYTHON_TEST: "false" # set true if you're running python tests in your image LABELS: "--label CI_PROJECT_URL=$CI_PROJECT_URL --label CI_COMMIT_SHORT_SHA=$CI_COMMIT_SHORT_SHA --label CI_COMMIT_REF_NAME=$CI_COMMIT_REF_NAME" Loading Loading 
@@ -42,3 +41,6 @@ printf "\nRUN python3 -m pip install pytest pytest-cov pylint pylint_junit safety mutmut coverage" >> $CI_PROJECT_DIR/$DOCKERFILE /kaniko/executor --cache=$USE_CACHE --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/$DOCKERFILE --destination $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME-testing $EXTRA_ARGS fi artifacts: paths: - "${CI_PROJECT_NAME}.tar" docker/kaniko.yml +1 −1 Original line number Diff line number Diff line include: - local: 'docker/kaniko-template.yml' kaniko: docker:kaniko: extends: .kaniko-template pipelines/python-basic.yml +0 −4 Original line number Diff line number Diff line Loading @@ -4,7 +4,3 @@ variables: include: - local: 'python/black.yml' - local: 'python/pylint.yml' kaniko: variables: PYTHON_TEST: "true" pipelines/python-docker-basic.yml +0 −4 Original line number Diff line number Diff line Loading @@ -11,7 +11,3 @@ include: - local: 'python/bandit.yml' - local: 'python/safety.yml' - local: 'python/semantic-release/private.yml' kaniko: variables: PYTHON_TEST: "true" Loading
docker/anchore/grype.yml 0 → 100644 +19 −0 Original line number Diff line number Diff line # a vulnerability scanner for container images and filesystems # https://github.com/anchore/grype docker:anchore:grype: image: registry.gitlab.com/notno/grype variables: GRYPE_IMAGE: "$CI_REGISTRY_IMAGE:$CI_COMMIT_BRANCH" GRYPE_SCOPE: "Squashed" GRYPE_OUTPUT_FORMAT: "table" GRYPE_FAIL_ON: "medium" script: - | skopeo copy --src-creds=${CI_REGISTRY_USER}:${CI_REGISTRY_PASSWORD} docker://${CI_REGISTRY_IMAGE}:${CI_COMMIT_BRANCH} oci://${CI_PROJECT_DIR}/${CI_COMMIT_SHORT_SHA} echo "Running grype with following options:" echo "GRYPE_SCOPE=${GRYPE_SCOPE} selection of layers to analyze, options=[Squashed AllLayers] (default 'Squashed')" echo "GRYPE_OUTPUT_FORMAT=${GRYPE_OUTPUT_FORMAT} report output formatter, options=[json table cyclonedx] (default 'table')" echo "GRYPE_FAIL_ON=${GRYPE_FAIL_ON} set the return code to 1 if a vulnerability is found with a severity >= the given severity, options=[negligible low medium high critical]" - grype version - grype --scope ${GRYPE_SCOPE} --fail-on ${GRYPE_FAIL_ON} --output ${GRYPE_OUTPUT_FORMAT} ${CI_PROJECT_DIR}/${CI_COMMIT_SHORT_SHA}
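Review bot: `GRYPE_IMAGE` is declared under `variables` but the script never reads it — the `skopeo copy` line re-spells `${CI_REGISTRY_IMAGE}:${CI_COMMIT_BRANCH}`, so a pipeline that overrides `GRYPE_IMAGE` to scan a different tag still scans the branch image; change the source to `docker://${GRYPE_IMAGE}`. `CI_COMMIT_BRANCH` is also not set in tag or merge-request pipelines, while `docker/kaniko-template.yml` in this same commit tags with `CI_COMMIT_REF_NAME`, so the scanner would look for `$CI_REGISTRY_IMAGE:` there; building `GRYPE_IMAGE` from `CI_COMMIT_REF_NAME` keeps the build and scan jobs pointing at the same image. Passing `--src-creds=${CI_REGISTRY_USER}:${CI_REGISTRY_PASSWORD}` puts the registry password on the command line; a preceding `skopeo login --password-stdin` step (or `--src-authfile`) keeps it out of argv. Finally, `image: registry.gitlab.com/notno/grype` carries no tag or digest, so the scanner version can change silently between runs — pin it, and quote the expansions in the `grype` invocation (`--scope "${GRYPE_SCOPE}" --fail-on "${GRYPE_FAIL_ON}" --output "${GRYPE_OUTPUT_FORMAT}"`) so an overridden empty value fails loudly instead of shifting arguments.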
docker/kaniko-template.yml +46 −44 Original line number Diff line number Diff line Loading @@ -8,7 +8,6 @@ USE_CACHE: "true" DOCKERFILE: "Dockerfile" # Can be a path DEV_BUILD: "false" # set true to tag an image for each commit PYTHON_TEST: "false" # set true if you're running python tests in your image LABELS: "--label CI_PROJECT_URL=$CI_PROJECT_URL --label CI_COMMIT_SHORT_SHA=$CI_COMMIT_SHORT_SHA --label CI_COMMIT_REF_NAME=$CI_COMMIT_REF_NAME" Loading Loading @@ -42,3 +41,6 @@ printf "\nRUN python3 -m pip install pytest pytest-cov pylint pylint_junit safety mutmut coverage" >> $CI_PROJECT_DIR/$DOCKERFILE /kaniko/executor --cache=$USE_CACHE --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/$DOCKERFILE --destination $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME-testing $EXTRA_ARGS fi artifacts: paths: - "${CI_PROJECT_NAME}.tar"
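Review bot: The added `artifacts` block uploads `${CI_PROJECT_NAME}.tar` with no `expire_in`, so every pipeline keeps a full image tarball until the instance default expiry, and nothing in this hunk produces that file — the executor call shown has no `--tarPath`, so presumably the tarball is written in the collapsed part of the script above; worth confirming, because GitLab only warns, not fails, when an artifact path matches nothing. Add `expire_in: 1 week` (or whatever retention suits the registry push) under `artifacts:`. The `if … fi` this hunk closes starts outside the hunk; since the first hunk drops the `PYTHON_TEST: "false"` default, check that the condition guarding this testing build no longer reads `$PYTHON_TEST`, otherwise it now compares an unset variable.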
docker/kaniko.yml +1 −1 Original line number Diff line number Diff line include: - local: 'docker/kaniko-template.yml' kaniko: docker:kaniko: extends: .kaniko-template
pipelines/python-basic.yml +0 −4 Original line number Diff line number Diff line Loading @@ -4,7 +4,3 @@ variables: include: - local: 'python/black.yml' - local: 'python/pylint.yml' kaniko: variables: PYTHON_TEST: "true"
pipelines/python-docker-basic.yml +0 −4 Original line number Diff line number Diff line Loading @@ -11,7 +11,3 @@ include: - local: 'python/bandit.yml' - local: 'python/safety.yml' - local: 'python/semantic-release/private.yml' kaniko: variables: PYTHON_TEST: "true"